PatchSiren

Linux CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review Linux CVE published 2026-06-19

CVE-2026-52909

CVE-2026-52909 is a Linux kernel vulnerability affecting the ip6_vti (IPv6 Virtual Tunnel Interface) implementation. The issue arises because the netns_immutable flag is not set on the per-netns fallback tunnel device (ip6_vti0). This flag is crucial as it prevents the device from being moved to another network namespace, which could lead to unintended exposure or manipulation. The vulnerability was repor [truncated]

Review Linux CVE published 2026-06-19

CVE-2026-52908

CVE-2026-52908 is a Linux kernel vulnerability affecting the RDMA subsystem. The issue arises during the reregistration of Memory Regions (MRs) and involves ensuring compatibility with REREG_ACCESS. If the IB_MR_REREG_ACCESS changes from Read-Only (RO) to Read-Write (RW), the umem (user memory) must be re-evaluated to ensure it is properly pinned as RW. This requires adding a function, ib_umem_check_rereg [truncated]

Review Linux CVE published 2026-06-16

CVE-2026-46331

A vulnerability was found in the Linux kernel, specifically in the net/sched component. The issue is related to the pedit partial COW leading to page cache corruption. The tcf_pedit_act() function computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint. However, the hint does not account for the runtime header offset added by typed keys, which can leave part of th [truncated]

HIGH Linux CVE published 2026-06-11

CVE-2026-46300

A vulnerability in the Linux kernel's network stack allows the SKBFL_SHARED_FRAG marker to be lost during socket buffer coalescing in skb_try_coalesce(). When TCP receive coalescing transfers paged fragments from one skb to another, the shared-frag marker indicating externally-owned or page-cache-backed memory is not propagated. This breaks an invariant relied upon by in-place writers, specifically ESP (E [truncated]

HIGH Linux CVE published 2026-06-11

CVE-2026-43284

CVE-2026-43284 is a Linux kernel flaw in XFRM ESP processing for UDP-encapsulated traffic. When IPv4/IPv6 datagram splice paths failed to mark pipe-backed pages as shared, ESP input could decrypt data in place on skbs that were not privately owned, creating a high-impact memory corruption risk. NVD rates the issue 8.8 High and lists fixed stable kernel branches.

Review Linux CVE published 2026-06-09

CVE-2026-46315

A vulnerability in the Linux kernel has been identified and resolved. The issue relates to the io_uring/waitid functionality, where the waitid information is not properly cleared before being copied to userspace. This can lead to stale bytes from the reused io_kiocb command storage being exposed.

Review Linux CVE published 2026-06-08

CVE-2026-46314

CVE-2026-46314 is a vulnerability in the Linux kernel's drm/v3d component. A local user can trigger an infinite loop by providing a specially crafted multisync extension with zero in_sync_count and out_sync_count, bypassing the existing duplicate-extension guard. The vulnerability has been resolved by rejecting empty multisync extensions.

Review Linux CVE published 2026-06-08

CVE-2026-46313

A vulnerability has been resolved in the Linux kernel related to the media: intel/ipu6 module. The vulnerability is caused by a potential error pointer dereference in the ipu6_pci_probe() function. In an error path, isp->psys is confirmed to be an error pointer, not NULL, and is subsequently dereferenced. To fix this issue, isp->psys should be set to NULL before going to out_ipu6_bus_del_devices.

Review Linux CVE published 2026-06-08

CVE-2026-46312

A vulnerability was found in the Linux kernel's videobuf2 module. The vulnerability occurs when the `vb2_dma_sg_mmap` function does not set the `VM_DONTEXPAND` and `VM_DONTDUMP` flags, which can cause a warning in the `drm_gem_mmap_obj` function during the mmap operation of an imported dma-buf from the out-of-tree Apple ISP camera capture driver.

HIGH Linux CVE published 2026-06-08

CVE-2026-46311

A vulnerability was found in the Linux kernel's drm/amdgpu/userq component. The issue arises from improper access to stale wptr mapping data. This can occur when the wptr_obj is unmapped during queue creation, and another buffer object (bo) is passed to the same address. The fix involves using drm_exec to take both locks, i.e., vm root bo and wptr_obj bo, to properly access the mapping data.

Review Linux CVE published 2026-06-08

CVE-2026-46310

A vulnerability has been resolved in the Linux kernel, specifically in the media: renesas: vsp1 module. When unloading the module on gen 4, a NULL pointer dereference occurs due to the cleanup code calling the incorrect function. The fix involves checking the IP version and calling the correct drm or vspx function.

Review Linux CVE published 2026-06-08

CVE-2026-46309

A vulnerability has been resolved in the Linux kernel, specifically in the drm/xe/uapi component. The vulnerability arises from the use of coh_none PAT index for CPU cached memory in madvise. This can lead to a security issue where the GPU with coh_none can bypass CPU caches and read stale sensitive data directly from DRAM, potentially leaking data from previously freed pages of other processes.

HIGH Linux CVE published 2026-06-08

CVE-2026-46307

CVE-2026-46307 is a HIGH severity vulnerability in the Linux kernel, with a CVSS score of 8.3. The vulnerability is related to an out-of-bounds array access in the ath5k driver. The issue arises from the fact that 'ts->ts_final_idx' can be 3 on 5212, causing an out-of-bounds access when setting 'info->status.rates[ts->ts_final_idx + 1].idx = -1;'. The array 'rates' is defined as 'struct ieee80211_tx_rate [truncated]

HIGH Linux CVE published 2026-06-08

CVE-2026-46306

A vulnerability has been resolved in the Linux kernel related to the flow dissector and PPPoE PFC frames. RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. The flow dissector driver has assumed an uncompressed frame until a specific commit. However, having a compressed (1-byte) protocol field means the subsequent PPP payload is shifted by one byte, causing 4-byt [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46305

A vulnerability has been resolved in the Linux kernel, specifically in the staging: rtl8723bs: os_dep module. The vulnerability is related to a potential NULL pointer dereference in the rtw_cbuf_alloc function. The issue arises from the return value of kzalloc_flex() being used without ensuring that the allocation succeeded, and the pointer being dereferenced unconditionally. To mitigate this vulnerabilit [truncated]

HIGH Linux CVE published 2026-06-08

CVE-2026-46304

A vulnerability was found in the Linux kernel, specifically in the nvmet subsystem. This vulnerability could lead to a recursive locking warning due to a flawed teardown path in the nvmet_ctrl_free function. The issue arises when nvmet_tcp_release_queue_work runs on nvmet-wq and drops the final controller reference through nvmet_cq_put, potentially triggering nvmet_ctrl_free. This triggers a flush of ctrl [truncated]

HIGH Linux CVE published 2026-06-08

CVE-2026-46303

A vulnerability was found in the Linux kernel's isofs module. The vulnerability is caused by a lack of validation for the Rock Ridge CE continuation extent, which can lead to an out-of-range block or blocks belonging to an adjacent filesystem being accessed. This can result in an information leak. The vulnerability has been resolved by adding an ISOFS_SB(sb)->s_nzones bounds check to rock_continue().

Review Linux CVE published 2026-06-08

CVE-2026-46302

A vulnerability in the Linux kernel has been resolved, specifically in the SELinux (Security-Enhanced Linux) subsystem. The issue was related to the /sys/fs/selinux/policy file, which previously could only be opened once at any given time. This limitation allowed any process to block other processes from reading the kernel policy, potentially causing inconsistencies or denial of service. The original moti [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46301

A use-after-free vulnerability was discovered in the Linux kernel's spi: topcliff-pch driver. The vulnerability occurs when the driver unbinds, allowing a chance to flush its queue before releasing the DMA buffers.

HIGH Linux CVE published 2026-06-08

CVE-2026-46299

CVE-2026-46299 is a HIGH severity vulnerability in the Linux kernel. The vulnerability is caused by a held lock being freed in the hfsplus_fill_super() function. This occurs when the function calls hfs_find_init() to initialize a search structure, which acquires tree->tree_lock. If the subsequent call to hfsplus_cat_build_key() fails, the function jumps to the out_put_root error label without releasing th [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46298

A vulnerability in the Linux kernel's pseries/papr-hvpipe has been identified, which could lead to a deadlock when an interrupt fires on the same CPU while executing the ->ioctl handler or ->release handler. This is due to a race condition that can occur when the interrupt handler is executed concurrently with the handlers. To address this issue, a patch has been applied to take spin_lock_irq{save|restore [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46297

A vulnerability in the Linux kernel has been resolved. The issue was caused by using request_threaded_irq() with a primary handler but a NULL threaded handler, while also setting the IRQF_ONESHOT flag. This combination triggered a WARNING since the commit aef30c8d569c (genirq: Warn about using IRQF_ONESHOT without a threaded handler). The fix involves switching to request_irq(), which is the appropriate i [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46296

A vulnerability was found in the Linux kernel, specifically in the spi: s3c64xx driver. The issue arises from a change that moved DMA channel allocation from the probe() function back to s3c64xx_spi_prepare_transfer(), but failed to remove the corresponding deallocation from the remove() function. This results in a NULL-pointer dereference when the driver is unbound.

Review Linux CVE published 2026-06-08

CVE-2026-46295

A vulnerability was found in the Linux kernel, specifically in the KVM x86 module. The vulnerability occurs when the IRR scan is not performed correctly in the __kvm_apic_update_irr function, even if the PIR is empty. This can lead to a spurious WARNING and a wasted L2 VM-Enter/VM-Exit cycle. The root cause of the issue is a race between vmx_sync_pir_to_irr() on the target vCPU and __vmx_deliver_posted_in [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46294

CVE-2026-46294 is a buffer overflow vulnerability in the Linux kernel's device mapper (dm) subsystem. The vulnerability exists in the `retrieve_status` function of `dm-ioctl`. An attacker can cause a buffer overflow by exploiting an alignment feature. However, this vulnerability has no security implications as only root can issue device mapper ioctls and commonly used libraries communicate with device map [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46293

A Linux kernel vulnerability, CVE-2026-46293, was identified in clk: microchip: mpfs-ccc. The issue involves an out of bounds access during output registration. According to the description, UBSAN reported an out of bounds access during registration of the last two outputs. This occurs because space is only allocated in the hws array for two PLLs and the four output dividers that each has, but the defined [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46292

A vulnerability was discovered in the Linux kernel's pmdomain core. The issue arises from a missing call to pm_runtime_disable() in genpd_dev_pm_detach(), which can cause runtime PM to remain enabled for virtual devices after they are detached from their genpd. This can lead to critical errors, such as a NULL pointer dereference bug in genpd_runtime_suspend(), or unnecessary performance state votes for devices.

Review Linux CVE published 2026-06-08

CVE-2026-46291

A vulnerability in the Linux kernel has been resolved. The vulnerability is related to the crypto: caam module, specifically in the hash_digest_key function, where HMAC key bytes were being dumped using print_hex_dump, potentially leaking secrets at runtime when CONFIG_DYNAMIC_DEBUG is enabled. The fix replaces print_hex_dump with print_hex_dump_devel to prevent this issue.

Review Linux CVE published 2026-06-08

CVE-2026-46290

A vulnerability in the Linux kernel's x86/efi component has been identified. The issue arises from a change in which kernel_fpu_begin() calls fpregs_lock(), which uses local_bh_disable() instead of preempt_disable(). This causes in_interrupt() to return true in normal task context, leading the graceful page fault handler efi_crash_gracefully_on_page_fault() to bail out and escalate to die(), resulting in a hard [truncated]

CRITICAL Linux CVE published 2026-06-08

CVE-2026-46289

A vulnerability was discovered in the Linux kernel's lib/scatterlist, specifically in the extract_kvec_to_sg function. The bug allowed the length of an sglist entry to exceed the number of bytes in a page when extracting from a kvec. Additionally, when extracting a user buffer, the sglist was temporarily used as a scratch buffer for extracted page pointers, potentially overlapping with existing entries. T [truncated]

HIGH Linux CVE published 2026-06-08

CVE-2026-46288

A high-severity vulnerability, CVE-2026-46288, was found in the Linux kernel. This vulnerability is caused by a use-after-free in the of_unittest_changeset() function. The function assigns the value of 'nchangeset' to the variable 'parent' early on, causing both to point to the same struct device_node. When of_node_put(nchangeset) is called, it can reduce the reference count to zero and free the node if t [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46287

A vulnerability has been identified in the Linux kernel, specifically in the txgbe module. When the module is removed, an RTNL assertion warning occurs due to a missing lock around the phylink_disconnect_phy() function. This issue arises for copper NICs with external PHYs, where the driver calls phylink_connect_phy() during probe and phylink_disconnect_phy() during removal. To resolve this, the patch adds [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46286

A vulnerability has been resolved in the Linux kernel, specifically in the leds: qcom-lpg module. The issue arises from an array overflow when selecting high resolution values. The FIELD_GET() function is used to pull from a 3-bit register, but the array being indexed only has 5 values. To prevent potential issues, proper checks have been added to ensure that the array index is within bounds.

Review Linux CVE published 2026-06-08

CVE-2026-46285

A use-after-free vulnerability was discovered in the Linux kernel's mtd: docg3 module. The vulnerability occurs in the docg3_release() function where the docg3 pointer is obtained from cascade->floors[0]->priv before a loop that calls doc_release_device() on each floor. The doc_release_device() function frees the docg3 struct via kfree(docg3). After the loop, docg3->cascade->bch dereferences the already-f [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46284

CVE-2026-46284 is a vulnerability in the Linux kernel that can cause an early boot crash when hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator. This is due to early parameter parsing passing NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot. The vulnerability has been resolved by rejectin [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46283

CVE-2026-46283 is an information disclosure vulnerability in the Linux kernel. The tpm_dev_release() function uses kfree() to free sensitive data, potentially leaving sensitive cryptographic material in freed slab memory. This issue has been resolved by using kfree_sensitive() to ensure session keys are scrubbed during device teardown.

Review Linux CVE published 2026-06-08

CVE-2026-46282

A NULL pointer dereference vulnerability was found in the Linux kernel's iio: frequency: admv1013 driver. When device_property_read_string() fails, the code falls through to strcmp(), dereferencing a garbage pointer. This issue has been resolved by replacing manual read/strcmp with device_property_match_property_string().

Review Linux CVE published 2026-06-08

CVE-2026-46281

A buffer overflow vulnerability exists in the Linux kernel's vmalloc function, specifically in the vrealloc_node_align function. This function is used to reallocate memory and can lead to an out-of-bounds write if the requested size is smaller than the original size. The vulnerability was introduced by a commit that allowed forcing a new allocation if the current pointer is on the wrong NUMA node or if an [truncated]

HIGH Linux CVE published 2026-06-08

CVE-2026-46280

A use-after-free vulnerability was discovered in the Linux kernel's test_hmm module. The vulnerability occurs when the dmirror_fops_release() function is called, which frees the dmirror struct without migrating device private pages back to system memory. This leaves the pages with a dangling zone_device_data pointer to the freed dmirror. If a subsequent fault occurs on those pages, the dmirror_devmem_faul [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46279

A vulnerability was found in the Linux kernel, specifically in the mm/alloc_tag component. The issue arises due to the initialization ordering of page_ext, which is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before page_ext becomes available, leaving their codetag uninitialized. This can cause a warning to trigger when these pages are later recl [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46278

A vulnerability was discovered in the Linux kernel, specifically in the drm/imagination component. The issue occurs when updating the ftrace mask, leading to a segmentation fault due to invalid data access. The problem arises from passing incorrect data to a debugfs entry. This vulnerability can be triggered by writing to a debugfs attribute, which causes the kernel to attempt to access a null pointer, re [truncated]

HIGH Linux CVE published 2026-06-08

CVE-2026-46277

A HIGH severity vulnerability was found in the Linux kernel, with a CVSS score of 7.8. The vulnerability is related to the handling of device folios in the mm/zone_device module. Specifically, the issue arises when trying to access a device folio after it has been freed, which can lead to unexpected behavior. The vulnerability has been resolved by using a local stack variable instead of touching the folio [truncated]

Review Linux CVE published 2026-06-08

CVE-2026-46276

A vulnerability was discovered in the Linux kernel related to the initialization of a zero-size GDS range on RDNA4 hardware. The RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory resources, and the gfx_v12_0 initialization code correctly sets the sizes of these resources to zero to reflect this. The issue arises when amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() fo [truncated]

HIGH Linux CVE published 2026-06-08

CVE-2026-46275

CVE-2026-46275 is a HIGH severity vulnerability in the Linux kernel Bluetooth HCI UART implementation. The vulnerability allows for Use-After-Free (UAF) and Null Pointer Dereference (NPD) conditions due to improper lifecycle management of hci_uart. The primary issue arises from the workqueues (init_ready and write_work) only being flushed/cancelled if the HCI_UART_PROTO_READY flag is set during TTY close. [truncated]

HIGH Linux CVE published 2026-06-08

CVE-2026-46274

A use-after-free vulnerability was discovered in the Linux kernel's io-wq subsystem. The io_wq_remove_pending function did not properly check if the predecessor work was hashed before updating the hash_tail array. This could lead to a dangling pointer being stored in the hash_tail array, allowing for remote code execution.

Review Linux CVE published 2026-06-08

CVE-2025-71315

A vulnerability in the Linux kernel has been resolved. The vulnerability was related to the drm/vkms module, which has been converted to use DRM's vblank timer. This change replaces vkms' vblank timer with the DRM implementation, which is identical in concept but differs in implementation. The vblank timer calls vkms' custom timeout code via handle_vblank_timeout in struct drm_crtc_helper_funcs.

HIGH Linux CVE published 2026-06-01

CVE-2026-46243

A local privilege escalation vulnerability in the Linux kernel's SMB client (CIFS) subsystem allows unprivileged users to forge cifs.spnego key descriptions, potentially leading to authentication bypass or elevated privileges. The flaw exists because userspace processes could create cifs.spnego keys via request_key(2) or add_key(2) with attacker-controlled authority-bearing fields (pid, uid, creduid, upca [truncated]

HIGH Linux CVE published 2026-05-30

CVE-2026-46242

A use-after-free (UAF) vulnerability in the Linux kernel's eventpoll (epoll) subsystem allows concurrent operations to trigger memory corruption. The flaw exists in ep_remove() where a struct file pointer is used after its reference count may have dropped to zero, enabling writes to freed kmalloc-192 memory and potential attacker-controllable kmem_cache_free() against incorrect slab caches. The vulnerabil [truncated]

HIGH Linux CVE published 2026-05-28

CVE-2026-46241

A use-after-free vulnerability exists in the Linux kernel's MPC52xx SPI controller driver. When SPI controller registration fails, the driver previously failed to properly disable and free allocated interrupts, leading to potential use-after-free conditions and resource leaks. The vulnerability was identified during review of a related controller deregistration fix. The fix ensures proper cleanup of inter [truncated]

HIGH Linux CVE published 2026-05-28

CVE-2026-46240

A use-after-free vulnerability in the Linux kernel's Qualcomm IRIS video driver (media: iris) was introduced by a regression in commit 1dabf00ee206. The flaw occurs in iris_release_internal_buffers() where session_release_buf() may free a buffer, but the caller continues to access the buffer pointer afterward. The fix sets BUF_ATTR_PENDING_RELEASE before calling session_release_buf() and reverts the flag [truncated]