By weakness (CWE)

CWE-416: related vulnerabilities

CVEs classified under CWE-416. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

8 published vulnerabilities

  • CVE-2026-46113HIGH 8.8

    A use-after-free vulnerability exists in the Linux kernel's KVM (Kernel Virtual Machine) shadow page table management. The issue arises when guest page tables are modified between VM entries, causing KVM to track memory references incorrectly. This can lead to the kernel accessing freed memory structures, potentially allowing a local attacker with guest access to crash the system or execute code with elevated privileges. The vulnerability requires local access and affects systems running KVM with shadow paging enabled.

  • CVE-2026-46125HIGH 8.8

    CVE-2026-46125 is a memory safety bug in Linux kernel WiFi driver code that can cause system crashes or privilege escalation. When the kernel attempts to establish a multi-link WiFi connection and that setup fails, the code incorrectly retains station references that should have been cleaned up. This leaves dangling pointers in memory that can be exploited or cause the system to crash when the kernel debugfs interface tries to access them later. The vulnerability requires local network access and affects systems with WiFi enabled.

  • CVE-2026-46166HIGH 8.8

    A memory safety flaw exists in the Linux kernel's Wi-Fi driver subsystem (mac80211). When the kernel performs radar detection checks on wireless channels, it can inadvertently access memory that has already been freed, potentially causing a system crash or enabling privilege escalation. The issue stems from unsafe iteration over a list of wireless channel contexts that can be modified during the operation.

  • CVE-2026-46111HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's Bluetooth connection handling code. When creating a Broadcast Isochronous Group (BIG) connection, the kernel can attempt to access a connection object that has already been freed. This occurs because the code doesn't properly validate that a connection still exists before operating on it, and doesn't keep a reference to the connection object while asynchronous operations are in flight. A local attacker with limited privileges could exploit this to crash the system or potentially execute code with elevated privileges.

  • CVE-2026-46116HIGH 7.8

    A memory safety bug exists in the Linux kernel's IPsec implementation where the xfrm_state subsystem can encounter use-after-free errors when network security policies are deleted or when network namespaces are torn down. The kernel's code was using inconsistent methods to track whether data structures were properly removed from internal lists, causing the same memory region to sometimes be deleted twice. This corrupts kernel memory and can lead to privilege escalation or denial of service on affected systems.

  • CVE-2026-46120HIGH 7.8

    A flaw in the Linux kernel's IPv6 GRE tunnel implementation allows a local attacker with unprivileged user namespace capabilities to trigger memory corruption. The vulnerability stems from inconsistent netns (network namespace) handling in the ip6erspan_changelink() function, which fails to use the correct cached network namespace context when reconfiguring an ERSPAN tunnel after it has been migrated between namespaces. This can lead to kernel crashes and potential privilege escalation.

  • CVE-2026-46121HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's DAMON (Data Access Monitoring) subsystem, specifically in how it manages memory cgroup path strings through its sysfs interface. When users read and write the 'memcg_path' file concurrently using separate file handles, a race condition can occur where one process reads a pointer to memory that another process has already freed. This allows an attacker with local access to crash the system or potentially execute code with kernel privileges.

  • CVE-2026-46154HIGH 7.0

    A race condition exists in the Linux kernel's scheduler extension (sched_ext) cgroup interface that can lead to use-after-free memory access. When system administrators adjust cgroup scheduling parameters like weight, idle status, or bandwidth, the kernel reads a pointer to the scheduler without proper synchronization. If another process simultaneously disables and re-enables a different scheduler, the cached pointer becomes stale and points to freed memory. When the original operation tries to use this pointer, it dereferences already-freed kernel memory, potentially allowing local privilege escalation.