PatchSiren

Linux Kernel CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Linux Kernel CVE published 2026-06-24

CVE-2026-52913

A vulnerability in the Linux kernel's batman-adv module has been addressed. The issue involves stopping OGMv2 on disabled interfaces to prevent NULL pointer dereferences. This vulnerability could impact Linux kernel users and administrators who need to ensure their systems are updated to prevent potential exploitation. The vulnerability class is related to improper handling of disabled interfaces in the b [truncated]

CRITICAL Linux kernel CVE published 2026-05-08

CVE-2026-43414

A critical vulnerability was found in the Linux kernel, specifically in the qla2xxx driver. The vulnerability is related to a double free of fcport, which can lead to a crash or potentially allow an attacker to execute arbitrary code. The vulnerability has been resolved by the Linux kernel maintainers. Affected product deployments should be identified, and owners assigned for follow-up. The vulnerability [truncated]

HIGH Linux kernel CVE published 2026-05-08

CVE-2026-43350

CVE-2026-43350 is a Linux kernel SMB/CIFS client memory-safety issue in the DACL parsing path. A malicious server can return an ACE whose SID is short enough to match the special NFS mode SID check, but still lacks the third subauthority that the code later reads. That can drive an out-of-bounds read past the end of the ACE when mode bits are recovered.

HIGH Linux kernel CVE published 2026-05-08

CVE-2026-43345

CVE-2026-43345 is a Linux kernel availability issue in the IPA/GSI path for IPA v5.0+. A register-definition mistake left the event ring index unprogrammed, so transfer completions could stop signaling entirely. In practice, that could make gsi_channel_trans_quiesce() wait forever and hang runtime suspend, system suspend, remoteproc stop, and the IPA data path itself.

HIGH Linux kernel CVE published 2026-05-08

CVE-2026-43339

CVE-2026-43339 is a Linux kernel IPv6 use-after-free issue in addrconf_permanent_addr(). According to the published description, the helper tried to warn about an exceptional condition, but the warning was issued too late and accessed the ipv6 data after it may already have been deleted. The fix reorders the logic and moves the warning outside idev->lock, reducing the chance of dereferencing freed memory.

HIGH Linux kernel CVE published 2026-02-04

CVE-2026-23099

CVE-2026-23099 is a high-severity vulnerability in the Linux kernel's bonding module, specifically in the 8023AD mode. This vulnerability is caused by a lack of restriction on the network device type that can be used with BOND_MODE_8023AD, leading to a potential global out-of-bounds access. The vulnerability has a CVSS score of 7.1 and is considered high severity. The affected products include various ver [truncated]