CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-53026
High

In the Linux kernel's NFSD subsystem, a bug in nfsd4_add_rdaccess_to_wrdeleg causes an unnecessary increment of the nfs4_file access count. When another thread has already set read access, calling __nfs4_file_get_access again leads to an extra count, preventing the nfsd_file object from being freed. This triggers a BUG when stopping the NFS service.

CVE-2026-53025
High

A use-after-free vulnerability was found in the Linux kernel's greybus raw driver. When a raw bundle is disconnected but its character device (cdev) is still open by an application, releasing the cdev accesses freed memory, potentially causing a system crash.

CVE-2026-53024
High

A use-after-free vulnerability was found in the Greybus RAW driver of the Linux kernel. If a user writes to the character device after disconnect has been called, a NULL pointer dereference occurs causing a kernel panic. The issue is due to missing synchronization between write operations and connection destruction.

CVE-2026-53020
High

A potential race condition was found in the Linux kernel during TLB synchronization. The issue arises from missing proper locking when traversing and modifying page tables. To simplify the fix, split page table locking has been disabled.

CVE-2026-53016
High

In the Linux kernel, a vulnerability was found in the CCP (crypto: ccp) driver. The ccp_aes_complete() function restored 16 bytes (AES_BLOCK_SIZE) into the IV buffer, while the RFC3686 algorithm uses an 8-byte IV, causing a buffer overrun.

CVE-2026-53011
High

A use-after-free vulnerability was found in the Linux kernel's taprio network scheduler. The bug occurs in advance_sched() during schedule switching, where the 'next' pointer still references the old schedule after it has been freed via call_rcu().

CVE-2026-53009
High

In the Linux kernel, the ice driver has a double-free vulnerability of the skb buffer when ice_tso() or ice_tx_csum() fail. The pointer to skb remains in tx_buf, causing a second free when the interface is brought down.

CVE-2026-53005
High

A vulnerability was found in the Linux kernel's SOCKMAP mechanism for AF_UNIX sockets. SOCKMAP can hide an inflight file descriptor from the AF_UNIX garbage collector (GC), leading to memory leaks. Additionally, skb redirection by SOCKMAP breaks the Tarjan-based GC's assumptions, causing a use-after-free condition.

CVE-2026-53003
High

A vulnerability was found in the Linux kernel's PPPoE driver that drops frames with Protocol Field Compression (PFC). An attacker can send a crafted frame with a 1-byte protocol field, shifting the payload by one byte and potentially causing unaligned access exceptions on some architectures.

CVE-2026-53000
High

In the Linux kernel, a vulnerability in the netfilter NAT subsystem was found where nf_hook_ops structures are not properly deferred when freed. This can lead to memory leaks or use-after-free when dumping active hooks via nfnetlink_hook.

CVE-2026-52998
High

In the Linux kernel, a vulnerability was found in the netfilter nfnetlink_osf module, where the nf_osf_ttl() function accessed the network interface pointer (skb->dev) without validation, potentially causing a NULL pointer dereference. The TTL check logic also relied on incorrect assumptions about local subnet addresses, which could fail in containerized or virtual switching environments.

CVE-2026-52991
High

A race condition was found in the Linux kernel between pressure file write and cgroup file release, leading to a use-after-free vulnerability. An attacker could exploit this to cause a system crash or potentially escalate privileges.

CVE-2026-52988
High

In the Linux kernel netfilter/nf_tables subsystem, a vulnerability was found due to unsafe publishing of new hooks in the basechain/flowtable list during the commit phase. The lack of splice_list_rcu() can cause a race condition between concurrent netlink dump traversal and ruleset updates.

CVE-2026-52987
High

In the Linux kernel, the amdgpu driver has a double call to drm_exec_fini() in the userq validation function. When new_addition is true, exec is finalized first, and then on error from amdgpu_ttm_tt_get_user_pages(), drm_exec_fini() is called again, causing a double free. The issue was found by a static analysis tool and confirmed by code review.

CVE-2026-52983
High

In the Linux kernel, a vulnerability in the airoha network driver causes a BQL (Byte Queue Limits) imbalance in the TX path. The issue arises from incorrect TX queue indexing, where inflight packets are accounted only for a subset of queues while completions are accounted for all queues.

CVE-2026-52981
High

In the Linux kernel, the neigh_xmit function leaks an skb when called for an uninitialized neighbor table (e.g., NEIGH_ND_TABLE with IPv6 disabled). The function does not free the packet, and its return value is ignored by the caller (e.g., MPLS). The patch ensures neigh_xmit always takes ownership of the skb and frees or transmits it.

CVE-2026-52976
High

In the Linux kernel DRM/XE driver, two error handling flaws were found in xe_exec_queue_create_ioctl(). The first causes a dangling pointer by skipping xe_exec_queue_kill() when xe_hw_engine_group_add_exec_queue() fails. The second leads to a use-after-free when xa_alloc() fails after the queue was added to the hw engine group.

CVE-2026-52975
High

A data race was found in the Linux kernel's bonding 802.3ad (LACP) implementation due to missing RCU protection for the port->aggregator pointer. The fix adds the __rcu qualifier and proper RCU API usage.

CVE-2026-52974
High

A memory leak in the Linux kernel's TLS subsystem occurs when hardware TLS offload setup fails for an incoming connection. The cleanup path fails to free the anchor skb allocated by the strparser. This issue was introduced after a change to the strparser implementation.

CVE-2026-52973
High

In the Linux kernel, a vulnerability was found in the futex mechanism where need_futex_hash_allocate_default() incorrectly required the CLONE_THREAD flag for default hash allocation. This caused use-after-free bugs when sharing memory (mm) in ways other than threads, e.g., via child processes.

PreviousPage 70 of 3345Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS