CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
In the Linux kernel, a vulnerability in the RDS (Reliable Datagram Sockets) subsystem for InfiniBand (IB) was found where the i_sends pointer is not cleared during setup unwind. After a failed rds_ib_setup_qp() call, the i_sends memory is freed but the pointer remains stale, potentially leading to a use-after-free condition on subsequent connection teardown attempts.
A vulnerability was found in the Linux kernel for ARM64 CPUs where a TLBI;DSB sequence may complete before global observation of writes translated by an invalidated TLB entry. The issue is mitigated by adding an extra TLBI;DSB sequence.
In the Linux kernel, the WARN_ONCE() in hsr_addr_is_self() has been removed. The warning was triggered when the HSR node had no self_node pointer set, which is a normal condition during HSR interface removal. The issue was reported by syzbot.
A race condition in the Linux kernel's zap_other_threads() function fails to clear JOBCTL_PENDING_MASK for the calling thread during execve(). This causes a stale stop signal after execve completes, triggering a kernel warning and potential instability.
In the Linux kernel, a vulnerability was found in the ptrace mechanism for RISC-V architecture, causing a warning during core dump. The issue involves using an incorrect note type for the CFI register set, potentially disrupting the elf_core_dump function.
In the Linux kernel, a vulnerability was found in the wm_adsp driver where a NULL pointer dereference can occur when removing firmware controls. The issue happens when private control data was not created (e.g., for SYSTEM controls or when a codec driver's callback hides the control), and wm_adsp_control_remove() attempts to clean it up without checking the pointer.
In the Linux kernel netfilter nf_conntrack subsystem, a dangling pointer to an expectation function (expectfn) can point to freed module code after module unload. This causes a kernel Oops when the expected connection arrives, leading to system crash.
In the Linux kernel, a NULL pointer dereference was found in the ASoC SDCA driver during function unregistration. The issue occurs when function registration fails partially or device cleanup races with probe deferral, leaving func_dev entries NULL and causing a kernel oops in device_del().
In the Linux kernel, a vulnerability was found in the virtio-gpu driver. When the driver is built with KMS (Kernel Mode Setting) disabled, it does not initialize DRM atomic and modesetting structures. This leads to accessing uninitialized data during driver removal or unbinding, causing a kernel crash.
A bug in the Rust compiler causes the -Cforce-unwind-tables=y flag to emit uwtable annotation only for functions, not for the module. This leads to incorrect DWARF information for KASAN constructors, causing boot failures when CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled.
A vulnerability in the Linux kernel's KVM caused a false WARN when marking a page as dirty while the VM is dying. This primarily affects SEV-ES guests where KVM keeps a writable mapping of a guest page after an exit to userspace and tries to unmap it during vCPU destruction, triggering the warning. The fix modifies the WARN condition to only trigger when the VM is still alive.
In the Linux kernel pinctrl mcp23s08 driver, a NULL pointer dereference vulnerability occurs during probe. The issue is caused by uninitialized mcp->dev and mcp->addr fields before regmap_init, leading to a NULL pointer dereference during SPI read.
In the Linux kernel, a vulnerability was found in the KASAN mechanism for ARM architecture. Incorrect use of ldr instruction (instead of ldrb) for reading the VMAP stack shadow causes an alignment fault on ARMv5, leading to a system crash before initialization.
In the Linux kernel for ARM64, the pagetable_dtor() call was missing when freeing hot-removed page table pages. This caused bad page states, PTL allocation leaks, and incorrect NR_PAGETABLE statistics.
A use-after-free (UAF) vulnerability was found in the Linux kernel's may_decode_fh() function in the fhandle mechanism. The issue arises from reading the mount::mnt_ns field without proper locking, allowing a race condition during unmounting and freeing of the mount namespace. An attacker could exploit this to leak data, cause an infinite loop, or crash the kernel.
In the Linux kernel, the i2c-imx driver has a clock and pinctrl state inconsistency in runtime PM. If pinctrl sleep state transition fails during suspend, the clock remains disabled, causing a system crash on subsequent hardware access.
In the i2c-qcom-cci driver for the Qualcomm CCI controller, a NULL pointer dereference occurs during device unbinding or driver removal when only one of the two I2C masters is initialized. The cci_remove() function calls cci_halt() on all masters, but the completion object is only initialized for the enabled master, leading to a kernel crash.
In the Linux kernel, a vulnerability was found in the airoha network driver where airoha_qdma_init_hfwd_queues() calls of_reserved_mem_lookup() without checking for NULL return. This can lead to a NULL pointer dereference and system crash.
In the Linux kernel bonding driver, a NULL pointer dereference vulnerability exists in bond_do_ioctl(). The slave_dbg() call before the NULL check on slave_dev causes a kernel panic when a non-existent slave interface is used via ioctl.
In the Linux kernel, a vulnerability in the nvmem driver for ONIE-TLV layouts causes an infinite loop hang when encountering an unknown entry type (e.g., 0x41). The fix ensures offset incrementation for unknown types to break the loop.

