CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A vulnerability was found in the Linux kernel's BPF sockmap mechanism for AF_UNIX sockets. During a sockmap update by a BPF iterator program, a race condition causes the `peer` pointer to become stale in `unix_stream_bpf_update_proto()`, leading to a use-after-free. The fix adds a state lock during iteration.
A vulnerability was found in the Linux kernel in the arena_alloc_pages() function of the BPF subsystem. The function accepts a node_id as a plain int and forwards it without any bounds checking. Lack of validation may lead to incorrect memory allocation behavior.
In the Linux kernel's NFSD subsystem, a bug in nfsd4_add_rdaccess_to_wrdeleg causes an unnecessary increment of the nfs4_file access count. When another thread has already set read access, calling __nfs4_file_get_access again leads to an extra count, preventing the nfsd_file object from being freed. This triggers a BUG when stopping the NFS service.
A use-after-free vulnerability was found in the Linux kernel's greybus raw driver. When a raw bundle is disconnected but its character device (cdev) is still open by an application, releasing the cdev accesses freed memory, potentially causing a system crash.
A use-after-free vulnerability was found in the Greybus RAW driver of the Linux kernel. If a user writes to the character device after disconnect has been called, a NULL pointer dereference occurs causing a kernel panic. The issue is due to missing synchronization between write operations and connection destruction.
A potential race condition was found in the Linux kernel during TLB synchronization. The issue arises from missing proper locking when traversing and modifying page tables. To simplify the fix, split page table locking has been disabled.
In the Linux kernel, a vulnerability was found in the CCP (crypto: ccp) driver. The ccp_aes_complete() function restored 16 bytes (AES_BLOCK_SIZE) into the IV buffer, while the RFC3686 algorithm uses an 8-byte IV, causing a buffer overrun.
A use-after-free vulnerability was found in the Linux kernel's taprio network scheduler. The bug occurs in advance_sched() during schedule switching, where the 'next' pointer still references the old schedule after it has been freed via call_rcu().
In the Linux kernel, the ice driver has a double-free vulnerability of the skb buffer when ice_tso() or ice_tx_csum() fail. The pointer to skb remains in tx_buf, causing a second free when the interface is brought down.
A vulnerability was found in the Linux kernel's SOCKMAP mechanism for AF_UNIX sockets. SOCKMAP can hide an inflight file descriptor from the AF_UNIX garbage collector (GC), leading to memory leaks. Additionally, skb redirection by SOCKMAP breaks the Tarjan-based GC's assumptions, causing a use-after-free condition.
A vulnerability was found in the Linux kernel's PPPoE driver that drops frames with Protocol Field Compression (PFC). An attacker can send a crafted frame with a 1-byte protocol field, shifting the payload by one byte and potentially causing unaligned access exceptions on some architectures.
In the Linux kernel, a vulnerability in the netfilter NAT subsystem was found where nf_hook_ops structures are not properly deferred when freed. This can lead to memory leaks or use-after-free when dumping active hooks via nfnetlink_hook.
In the Linux kernel, a vulnerability was found in the netfilter nfnetlink_osf module, where the nf_osf_ttl() function accessed the network interface pointer (skb->dev) without validation, potentially causing a NULL pointer dereference. The TTL check logic also relied on incorrect assumptions about local subnet addresses, which could fail in containerized or virtual switching environments.
A race condition was found in the Linux kernel between pressure file write and cgroup file release, leading to a use-after-free vulnerability. An attacker could exploit this to cause a system crash or potentially escalate privileges.
In the Linux kernel netfilter/nf_tables subsystem, a vulnerability was found due to unsafe publishing of new hooks in the basechain/flowtable list during the commit phase. The lack of splice_list_rcu() can cause a race condition between concurrent netlink dump traversal and ruleset updates.
In the Linux kernel, the amdgpu driver has a double call to drm_exec_fini() in the userq validation function. When new_addition is true, exec is finalized first, and then on error from amdgpu_ttm_tt_get_user_pages(), drm_exec_fini() is called again, causing a double free. The issue was found by a static analysis tool and confirmed by code review.
In the Linux kernel, a vulnerability in the airoha network driver causes a BQL (Byte Queue Limits) imbalance in the TX path. The issue arises from incorrect TX queue indexing, where inflight packets are accounted only for a subset of queues while completions are accounted for all queues.
In the Linux kernel, the neigh_xmit function leaks an skb when called for an uninitialized neighbor table (e.g., NEIGH_ND_TABLE with IPv6 disabled). The function does not free the packet, and its return value is ignored by the caller (e.g., MPLS). The patch ensures neigh_xmit always takes ownership of the skb and frees or transmits it.
In the Linux kernel DRM/XE driver, two error handling flaws were found in xe_exec_queue_create_ioctl(). The first causes a dangling pointer by skipping xe_exec_queue_kill() when xe_hw_engine_group_add_exec_queue() fails. The second leads to a use-after-free when xa_alloc() fails after the queue was added to the hw engine group.
A data race was found in the Linux kernel's bonding 802.3ad (LACP) implementation due to missing RCU protection for the port->aggregator pointer. The fix adds the __rcu qualifier and proper RCU API usage.

