By vendor

Linux vulnerabilities

Known CVEs affecting Linux products, prioritized by severity, with SEC.co remediation and detection guidance.

62 published vulnerabilities

  • CVE-2026-46113HIGH 8.8

    A use-after-free vulnerability exists in the Linux kernel's KVM (Kernel Virtual Machine) shadow page table management. The issue arises when guest page tables are modified between VM entries, causing KVM to track memory references incorrectly. This can lead to the kernel accessing freed memory structures, potentially allowing a local attacker with guest access to crash the system or execute code with elevated privileges. The vulnerability requires local access and affects systems running KVM with shadow paging enabled.

  • CVE-2026-46125HIGH 8.8

    CVE-2026-46125 is a memory safety bug in Linux kernel WiFi driver code that can cause system crashes or privilege escalation. When the kernel attempts to establish a multi-link WiFi connection and that setup fails, the code incorrectly retains station references that should have been cleaned up. This leaves dangling pointers in memory that can be exploited or cause the system to crash when the kernel debugfs interface tries to access them later. The vulnerability requires local network access and affects systems with WiFi enabled.

  • CVE-2026-46152HIGH 8.8

    A vulnerability in the Linux kernel's WiFi driver (mac80211) allows concurrent network packet processing threads to interfere with each other. The issue stems from a shared variable that should have been unique to each processing thread. When multiple packets arrive simultaneously, one thread's processing result can be overwritten by another, causing packets to be misrouted or incorrectly marked as already processed. This can lead to dropped packets, incorrect packet handling, or exposure of network data.

  • CVE-2026-46166HIGH 8.8

    A memory safety flaw exists in the Linux kernel's Wi-Fi driver subsystem (mac80211). When the kernel performs radar detection checks on wireless channels, it can inadvertently access memory that has already been freed, potentially causing a system crash or enabling privilege escalation. The issue stems from unsafe iteration over a list of wireless channel contexts that can be modified during the operation.

  • CVE-2026-46138HIGH 8.1

    A flaw in the Linux kernel's Bluetooth event handler can cause the kernel to read memory beyond the bounds of a data structure and enter an infinite loop. The vulnerability occurs when a Bluetooth controller sends a specific event (LE_Create_BIG_Complete) with mismatched or insufficient data. An attacker with local or adjacent network access to a vulnerable system could exploit this to cause a denial of service by freezing the kernel with a lock held, making the system unresponsive.

  • CVE-2026-46105HIGH 7.8

    A flaw in the Linux kernel's mpt3sas driver allows NVMe storage controllers to accept I/O requests larger than the driver can safely handle. The driver allocates a fixed 4 KB buffer that can hold at most 512 entries in its request queue (PRP list), limiting safe transfers to 2 MiB. However, the firmware may advertise support for larger transfers based on the drive's capabilities. When oversized requests are issued, the kernel can crash. This vulnerability requires local access and valid user privileges to exploit.

  • CVE-2026-46107HIGH 7.8

    A bug in the Linux kernel's device mapper thin provisioning layer can cause reference counting errors when managing shared metadata trees. When the kernel tries to reorganize a btree node that has been shared across multiple data structures, it fails to properly track pointers to child nodes, leading to crashes and data unavailability. The flaw occurs specifically in the rebalance_children function during metadata tree operations.

  • CVE-2026-46111HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's Bluetooth connection handling code. When creating a Broadcast Isochronous Group (BIG) connection, the kernel can attempt to access a connection object that has already been freed. This occurs because the code doesn't properly validate that a connection still exists before operating on it, and doesn't keep a reference to the connection object while asynchronous operations are in flight. A local attacker with limited privileges could exploit this to crash the system or potentially execute code with elevated privileges.

  • CVE-2026-46112HIGH 7.8

    A locking bug exists in the Linux kernel's RDMA HNS driver when creating queue pairs. During error recovery in queue pair creation, the code attempts to clean up resources without holding required synchronization locks. This unlocked cleanup can corrupt internal kernel memory structures, potentially allowing a local attacker to escalate privileges or crash the system. The vulnerability affects the error handling path specifically—the normal operation path uses proper locking.

  • CVE-2026-46116HIGH 7.8

    A memory safety bug exists in the Linux kernel's IPsec implementation where the xfrm_state subsystem can encounter use-after-free errors when network security policies are deleted or when network namespaces are torn down. The kernel's code was using inconsistent methods to track whether data structures were properly removed from internal lists, causing the same memory region to sometimes be deleted twice. This corrupts kernel memory and can lead to privilege escalation or denial of service on affected systems.

  • CVE-2026-46117HIGH 7.8

    A flaw in the Linux kernel's RDMA/mana driver allows unprivileged local users to trigger a kernel warning and corrupt memory by creating queue pairs (QPs) that share the same completion queue (CQ) through the user-space API. The vulnerability bypasses validation logic that should reject this invalid configuration, leading to kernel memory corruption. The fix enforces proper validation to reject such requests at creation time rather than allowing them to proceed and corrupt state.

  • CVE-2026-46120HIGH 7.8

    A flaw in the Linux kernel's IPv6 GRE tunnel implementation allows a local attacker with unprivileged user namespace capabilities to trigger memory corruption. The vulnerability stems from inconsistent netns (network namespace) handling in the ip6erspan_changelink() function, which fails to use the correct cached network namespace context when reconfiguring an ERSPAN tunnel after it has been migrated between namespaces. This can lead to kernel crashes and potential privilege escalation.

  • CVE-2026-46121HIGH 7.8

    A use-after-free vulnerability exists in the Linux kernel's DAMON (Data Access Monitoring) subsystem, specifically in how it manages memory cgroup path strings through its sysfs interface. When users read and write the 'memcg_path' file concurrently using separate file handles, a race condition can occur where one process reads a pointer to memory that another process has already freed. This allows an attacker with local access to crash the system or potentially execute code with kernel privileges.

  • CVE-2026-46122HIGH 7.8

    A flaw exists in the Linux kernel's b43 wireless driver that can allow a local attacker to read memory outside the bounds of an internal array. The issue stems from insufficient validation of a firmware-supplied index value used to access encryption keys. When the firmware provides an invalid index—one larger than the 58-entry key array—the driver does not properly reject it in production systems, leading to an out-of-bounds read. An attacker with local system access could exploit this to leak sensitive kernel memory.

  • CVE-2026-46129HIGH 7.8

    A double-free memory corruption bug exists in the Linux kernel's Btrfs filesystem implementation. When the kernel initializes and registers filesystem space information objects with the sysfs interface, a failure in that registration process can cause the same memory block to be freed twice. This happens because the error recovery code doesn't account for cleanup already performed by the object release callback. A local attacker with unprivileged user access could trigger this condition and gain kernel-level privileges.

  • CVE-2026-46136HIGH 7.8

    A flaw in the Linux kernel's MT7921 Wi-Fi driver can cause a buffer length counter to drop below zero under specific conditions when the driver processes country power settings from the Carrier List Configuration (CLC). This underflow triggers either an excessive loop that nearly hangs the system or applies an invalid power setting, preventing the driver from initializing properly. An attacker with local access could exploit this to degrade Wi-Fi functionality or trigger a denial of service.

  • CVE-2026-46145HIGH 7.8

    CVE-2026-46145 is a memory corruption vulnerability in the Linux kernel's RDMA/mana driver. An unprivileged local user can manipulate a parameter called rx_hash_key_len from user space to cause an unbounded memory copy operation, corrupting kernel memory. The vulnerability stems from insufficient validation of user-supplied input before it is passed to a memory copy function, creating a path for local privilege escalation or system crash.

  • CVE-2026-46157HIGH 7.8

    A concurrency bug exists in the Linux kernel's ALSA (Advanced Linux Sound Architecture) OSS (Open Sound System) compatibility layer. When multiple processes try to access and modify the trigger control bit simultaneously, the kernel lacks proper synchronization, allowing writes to corrupt not just the intended trigger flag but adjacent bit fields in memory. This confusion can destabilize audio subsystem behavior. The vulnerability requires local access and privileges to trigger.

  • CVE-2026-46162HIGH 7.8

    A flaw in the Linux kernel's ice (Intel ice) network driver creates a double-free memory corruption condition in the auxiliary device activation error handler. When the driver attempts to activate a subfunction Ethernet device but the operation fails partway through, the error handling code frees the same memory region twice, corrupting the kernel heap. An attacker with local access and unprivileged user privileges can trigger this condition to escalate privileges or crash the system.

  • CVE-2026-46163HIGH 7.8

    A flaw exists in the Linux kernel's b43legacy wireless driver that fails to properly validate array index bounds when processing incoming wireless frames. The firmware supplies a key index value that the driver uses to access a cryptographic key array, but there is no enforcing check to ensure this index stays within valid bounds. In production builds, this allows an attacker with local access to trigger an out-of-bounds memory read by crafting malicious wireless traffic, potentially exposing sensitive kernel memory or causing a system crash.

  • CVE-2026-46123HIGH 7.7

    A vulnerability in the Linux kernel's Bluetooth virtio backend driver allows a malicious or buggy virtual device to expose uninitialized kernel memory to unprivileged processes. The driver fails to properly validate the length of data reported by the virtual device, permitting reads beyond the intended 1000-byte receive buffer. An attacker with the ability to control a virtio Bluetooth backend—such as a compromised hypervisor or malicious VM—can leak sensitive kernel heap data or trigger denial of service. This is a local attack requiring some form of device emulation control, but it directly compromises memory isolation guarantees in virtualized environments.

  • CVE-2026-46110HIGH 7.5

    CVE-2026-46110 is a NULL pointer dereference vulnerability in the Linux kernel's stmmac network driver that can crash a system when memory becomes exhausted during packet reception. The driver manages a circular ring of descriptors to coordinate DMA transfers between the CPU and network hardware. When the driver runs out of memory to allocate new receive buffers, it can incorrectly process already-used descriptors as if they were fresh, leading to a kernel panic. This occurs because the driver doesn't properly distinguish between descriptors that are waiting to be refilled versus those that have already been processed.

  • CVE-2026-46114HIGH 7.5

    A memory leak vulnerability exists in the Linux kernel's RDMA over Converged Ethernet (RoCE) driver. An attacker on the network can send specially crafted RDMA ATOMIC_WRITE requests with zero-length payloads to trigger the responder into reading uninitialized kernel memory and inadvertently leaking it back to the attacker. The vulnerability specifically affects how the kernel validates packet lengths before dereferencing memory, allowing 8 bytes of sensitive kernel data (including kernel strings and pointer information) to be extracted per malicious probe.

  • CVE-2026-46124HIGH 7.5

    A vulnerability in the Linux kernel's ISO 9660 filesystem (isofs) allows an attacker to read arbitrary blocks from a storage device when the filesystem is exported over NFS. An authenticated attacker can craft a malicious NFS file handle that causes the kernel to interpret unrelated data on the underlying block device as if it were part of the ISO filesystem, leaking that data to the NFS client. While this does not cause memory corruption or system crashes, it exposes sensitive information from adjacent partitions or disk regions. The issue affects systems that export ISO images (typically loop-mounted) over NFS, which is a narrower deployment scenario but still represents a data confidentiality risk.

  • CVE-2026-46133HIGH 7.5

    A flaw in the Linux kernel's RDMA/rxe (Soft RoCE) driver allows an unauthenticated attacker to crash the system by sending a specially crafted UDP packet with an invalid opcode. The vulnerability exists in how the driver validates incoming packets before processing checksums. When a packet uses an undefined opcode value, the driver fails to properly validate packet length, leading to an out-of-bounds memory read that triggers a kernel panic. An attacker needs only network access to the RDMA port and can exploit this without authentication, credentials, or any prior connection setup.

  • CVE-2026-46130HIGH 7.1

    A bug in the Linux kernel's dm-verity-fec (forward error correction) component can cause it to read data from outside the intended memory buffer. This occurs when parity bytes used to verify disk integrity are split across storage blocks in a specific way. Under certain non-default configurations and low-memory conditions, the code attempts to access more data than is available, leading to potential information disclosure or system instability. The issue only manifests with particular combinations of error correction parameters and buffer allocation scenarios.

  • CVE-2026-46140HIGH 7.1

    A flaw in the Linux kernel's Bluetooth driver (btmtk) fails to verify that incoming firmware responses contain sufficient data before reading from them. If a Bluetooth device sends a truncated or malformed response, the kernel code will read beyond the valid data boundaries, potentially exposing sensitive kernel memory. A local attacker with Bluetooth access could exploit this to leak information or crash the system.

  • CVE-2026-46149HIGH 7.1

    A vulnerability in the Linux kernel's SCSI target subsystem allows a local attacker with low privileges to read sensitive kernel memory and potentially crash the system. The issue occurs in the configfs interface where storage path group membership information is displayed. When a storage fabric's name is unusually long, the kernel writes more data than expected to a temporary buffer, and then copies that overrun data to a user-readable sysfs file. On systems with fortify checks enabled, this causes a kernel panic; on others, it leaks kernel memory to unprivileged users.

  • CVE-2026-46150HIGH 7.1

    A flaw in the Linux kernel's fanotify file monitoring subsystem can allow a local user with minimal privileges to bypass permission checks on file access events. The vulnerability stems from a logic error where the kernel incorrectly returns false for marks belonging to unrelated monitoring groups, causing permission event validation to be skipped. An attacker with local access could exploit this to circumvent intended file access restrictions.

  • CVE-2026-46154HIGH 7.0

    A race condition exists in the Linux kernel's scheduler extension (sched_ext) cgroup interface that can lead to use-after-free memory access. When system administrators adjust cgroup scheduling parameters like weight, idle status, or bandwidth, the kernel reads a pointer to the scheduler without proper synchronization. If another process simultaneously disables and re-enables a different scheduler, the cached pointer becomes stale and points to freed memory. When the original operation tries to use this pointer, it dereferences already-freed kernel memory, potentially allowing local privilege escalation.

  • CVE-2026-46164HIGH 7.0

    A memory management bug in the Linux kernel's Btrfs filesystem can cause the same memory region to be freed twice when a sysfs initialization step fails. This double-free condition can lead to memory corruption and potentially allow an attacker with local access to crash the system or execute code with elevated privileges. The issue occurs in error handling code that wasn't properly coordinated between two layers of the filesystem's initialization logic.

  • CVE-2026-46104MEDIUM 5.5

    A flaw exists in how the Linux kernel's SELinux security module accesses socket security data when multiple security modules are stacked together. The vulnerability occurs because SELinux directly reads socket security information from a hardcoded memory location, assuming it will always find its own data there. When another security module is loaded first, SELinux reads the wrong data instead, potentially using invalid security identifiers in permission checks. This can cause the kernel to crash due to invalid memory access or improper security decisions.

  • CVE-2026-46106MEDIUM 5.5

    A race condition in the Linux kernel's eventfs subsystem can cause memory corruption or system crashes when users simultaneously remount the tracefs filesystem (which hosts performance monitoring tools) while creating or deleting tracepoints. The vulnerability arises because the kernel walks through a list of event structures during remount without proper synchronization, allowing concurrent operations to corrupt data structures or access freed memory. This is a local issue affecting only users with permission to remount filesystems and modify tracing events.

  • CVE-2026-46108MEDIUM 5.5

    A flaw in the Linux kernel's IPMI serial interface (SI) driver can leave the system in an abnormal state when message allocation fails. Normally, failed operations trigger cleanup routines that reset the driver to a ready state. This vulnerability occurs because certain error paths skip that reset logic, potentially causing the driver to remain hung or unresponsive. An attacker with local system access could trigger memory allocation failures under specific conditions, degrading system availability until the driver is manually restarted or the system reboots.

  • CVE-2026-46109MEDIUM 5.5

    A memory leak exists in the Linux kernel's USB ULPI (UTMI Low Pin Interface) driver registration code. When certain initialization steps fail early in the device registration process, allocated memory is not properly freed, allowing memory to accumulate over repeated failures. This is a residual issue from a prior fix that addressed a different memory safety problem. The vulnerability requires local access and elevated privileges to trigger.

  • CVE-2026-46118MEDIUM 5.5

    A flaw in the Linux kernel's PAPR hypervisor pipe driver can cause the kernel to crash when attempting to create a device handle. The issue stems from a recent code refactoring that changed how the driver manages memory allocation and cleanup. When the driver tries to reuse a data structure after it has been cleared, the kernel attempts to access invalid memory, leading to a null pointer dereference and system panic. An unprivileged local user with ioctl access can trigger this crash, resulting in a denial of service.

  • CVE-2026-46126MEDIUM 5.5

    CVE-2026-46126 is a memory cleanup bug in the Linux kernel's RDMA/mana driver that occurs during queue pair creation with RSS (Receive Side Scaling) support. When certain operations fail during setup, the kernel fails to properly release allocated work queue objects, leaving dangling resources. An unprivileged local user can trigger this condition to cause a denial of service by exhausting kernel resources or crashing the system.

  • CVE-2026-46127MEDIUM 5.5

    A local memory safety issue exists in the Linux kernel's RDMA over Converged Ethernet (OCRDMA) driver. During certain error conditions in the protection domain setup function, the code attempts to dereference a null pointer instead of using a valid reference, potentially crashing the system. The vulnerability requires local access and specific user privileges to trigger, making it a moderate-severity issue affecting system stability rather than confidentiality or integrity.

  • CVE-2026-46128MEDIUM 5.5

    A vulnerability in the Linux kernel's IPMI (Intelligent Platform Management Interface) subsystem allows local authenticated users to cause a denial of service. The issue stems from insufficient validation of event message buffer responses from Baseboard Management Controllers (BMCs). Some BMCs may return empty or malformed event messages instead of proper error responses, which the kernel fails to validate immediately. This can lead to kernel crashes or hangs when processing these invalid responses. The vulnerability requires local access and authenticated privileges to trigger, limiting its immediate blast radius but requiring attention in environments where untrusted local users have system access.

  • CVE-2026-46131MEDIUM 5.5

    A flaw exists in the Linux kernel's virtualization layer (KVM) where the hypervisor incorrectly validates guest memory operations in nested virtual machines. The vulnerability occurs when checking whether a guest is running nested virtualization—the code currently checks only whether an L2 guest exists, but fails to verify that nested EPT (Extended Page Tables) or NPT (Nested Page Tables) is actually enabled. This mismatch allows a local process running inside a nested guest to trigger denial-of-service conditions by invoking hypercalls that attempt invalid memory translations. The impact is limited to availability; an attacker cannot read or modify data.

  • CVE-2026-46132MEDIUM 5.5

    CVE-2026-46132 is a kernel memory leak in the Linux networking subsystem that allows unprivileged local users to read up to 26 bytes of uninitialized kernel stack memory per virtual function (VF) per request. The vulnerability exists in the rtnetlink interface handler that reports virtual NIC configuration. When a user requests virtual function information, the kernel fails to zero-initialize a buffer before partially filling it with MAC broadcast data, leaving residual stack contents exposed to userspace. An attacker needs only basic local network namespace access to trigger repeated information leaks.

  • CVE-2026-46134MEDIUM 5.5

    A Linux kernel vulnerability in the Chrome OS Embedded Controller (cros_ec) Thunderbolt registration code fails to initialize a mutex lock, causing the system to crash when the uninitialized lock is later accessed. This affects devices that use the affected kernel code path during Thunderbolt device registration and mode switching. An unprivileged local user can trigger the crash by interacting with Thunderbolt/USB-C functionality, resulting in a denial of service.

  • CVE-2026-46139MEDIUM 5.5

    A flaw in the Linux kernel's SMB client code leaves a security descriptor buffer partially uninitialized when building access control lists. Specifically, a 2-byte reserved field in the ACL structure—which must be zero according to the SMB protocol specification—is left containing whatever garbage data happened to be in that heap memory. When Samba or other SMB servers validate the descriptor, they reject it if those bytes are non-zero, causing file permission operations like chmod to fail with an invalid argument error. The fix is straightforward: replace the memory allocation function with one that zeroes the buffer before use.

  • CVE-2026-46141MEDIUM 5.5

    A memory leak vulnerability exists in the Linux kernel's PowerPC XIVE interrupt handling code. When allocating MSI-X interrupt vectors for NVMe devices, the kernel creates interrupt data structures but fails to properly clean them up when the interrupt domain is freed. This occurs because the code looks for the data in the wrong place during cleanup, causing allocated memory to be abandoned. While this is a localized memory management issue, repeated device allocation and deallocation cycles could gradually consume system memory and degrade performance.

  • CVE-2026-46142MEDIUM 5.5

    A flaw in the Linux kernel's libwx network driver allows a virtual machine or container running as a non-privileged user to trigger a system hang by reading a hardware register that should only be accessible to the physical device owner. During virtual function (VF) initialization, the driver incorrectly attempts to access a restricted register (WX_CFG_PORT_ST), causing the system to hang. The issue stems from the driver not properly distinguishing between physical function (PF) and virtual function device contexts when accessing low-level hardware state.

  • CVE-2026-46143MEDIUM 5.5

    CVE-2026-46143 is a memory leak vulnerability in the Linux kernel's QCOM audio subsystem. The issue occurs in the ASoC (ALSA System on Chip) driver for QCOM Q6APM LPASS audio interfaces, where the prepare function can be invoked multiple times. Each invocation opens a new graph for the playback path without checking if one is already open, resulting in cumulative resource exhaustion. While the vulnerability requires local access and low-privilege execution context, the impact is availability disruption through memory exhaustion.

  • CVE-2026-46144MEDIUM 5.5

    A memory cleanup issue exists in the Linux kernel's RDMA/mana driver when creating RSS (Receive-Side Scaling) queue pairs. If an error occurs during queue pair creation, a virtual port steering configuration is not properly freed, leading to a resource leak. While this is a memory management issue rather than a direct data breach risk, it can degrade system stability under error conditions or be exploited to exhaust kernel memory resources on systems with RDMA/mana network adapters.

  • CVE-2026-46146MEDIUM 5.5

    A vulnerability exists in the Linux kernel's USB audio driver that could cause the system to hang indefinitely when processing a specially crafted USB device descriptor. The flaw is in the convert_chmap_v3() function, which processes audio channel mapping information without properly validating the descriptor size field. An attacker with local access could trigger this endless loop, causing a denial of service. The issue affects multiple versions of the Linux kernel and requires local access to exploit.

  • CVE-2026-46147MEDIUM 5.5

    A flaw in the Linux kernel's ARM64 KVM (virtualization) implementation can cause system resource leaks and expose partially initialized virtual CPU objects to concurrent access. When vCPU initialization encounters an error partway through, cleanup code fails to release pinned memory references, accumulating leak over time. Additionally, the vCPU object is published to shared state without proper synchronization barriers, risking observers seeing an incompletely initialized structure. This affects hypervisor deployments using ARM64-based KVM virtualization.

  • CVE-2026-46148MEDIUM 5.5

    A flaw in the Linux kernel's Microchip CoreQSPI SPI controller driver causes incorrect chip select (CS) line management when multiple SPI devices are connected. The hardware's built-in CS is automatically controlled by design, but this automatic behavior conflicts with proper operation when GPIO-based chip selects are also in use. The driver was modified to manually control the CS line instead, allowing correct behavior for both active-low and active-high devices, and preventing the built-in CS from being asserted while other GPIO-controlled devices are being accessed.

  • CVE-2026-46151MEDIUM 5.5

    A flaw in the Linux kernel's USB printer driver (usblp) allows a malicious or malfunctioning printer to leak uninitialized kernel memory to local users. When a printer responds to a device ID request with fewer bytes than claimed in its length header, the driver fails to zero out the remaining buffer before exposing it via sysfs or an ioctl. An attacker with local access could craft a printer (or intercept USB traffic) to trigger this and read sensitive kernel memory.

  • CVE-2026-46153MEDIUM 5.5

    A memory leak exists in the Linux kernel's VLAN (802.1Q) network driver. When network administrators repeatedly configure and then clear egress QoS priority mappings on VLAN interfaces, the kernel fails to properly delete the cleared mappings. Instead, it retains them as empty placeholders (tombstones) in memory. Over time, this causes memory to accumulate and leak, eventually exhausting system resources when the VLAN device is torn down. The fix involves properly deleting these cleared mappings after a safe grace period rather than leaving them in place.

  • CVE-2026-46156MEDIUM 5.5

    A flaw in the Linux kernel's Loongson GPU driver can cause a system crash when the code attempts to read from an invalid memory address during hardware initialization. The vulnerability occurs in the `loongson_gpu_fixup_dma_hang()` function, which uses incorrect logic to identify and configure GPU devices on certain Loongarch-based systems. When a discrete GPU is present in a non-standard PCI slot configuration, the driver may try to access memory at a random address, triggering a kernel panic. This is a local issue that requires prior system access and affects the stability and availability of affected systems.

  • CVE-2026-46158MEDIUM 5.5

    CVE-2026-46158 is a resource leak in the Linux kernel's MPTCP (Multipath TCP) protocol implementation. When the kernel retransmits an ADD_ADDR control message, it fails to properly release a reference to a socket object in certain error paths, allowing the socket's memory to remain allocated longer than necessary. This leak occurs only when specific unlikely conditions are met during ADD_ADDR retransmission, making it a localized but real availability concern on systems handling MPTCP traffic.

  • CVE-2026-46160MEDIUM 5.5

    A flaw in the Linux kernel's Btrfs filesystem can corrupt the transaction log during recovery if a directory is removed while a process still holds an open file descriptor to it and performs an fsync operation. When the system crashes after this sequence, the filesystem becomes inconsistent and fails to mount, resulting in data loss or extended downtime. This is a local issue requiring user-level access and specific conditions to trigger.

  • CVE-2026-46161MEDIUM 5.5

    A divide-by-zero vulnerability exists in the Linux kernel's RAID10 disk management code. When a user configures RAID10 with a "far_copies" value of zero, the kernel crashes instead of rejecting the invalid configuration. This requires local access and root-level privileges to trigger, making it a local denial-of-service risk rather than a remote compromise threat.

  • CVE-2026-46165MEDIUM 5.5

    A self-deadlock vulnerability exists in the Linux kernel's Open vSwitch module when tunnel ports are released. The issue occurs because the code attempts to clean up network device references while holding locks that prevent the cleanup from completing, causing the system to hang during tunnel port deletion. This is a local denial-of-service condition that affects systems running vulnerable kernel versions with Open vSwitch configured.

  • CVE-2026-46167MEDIUM 5.5

    A flaw in the Linux kernel's USB printer driver (usblp) allows uninitialized kernel memory to leak to user-space applications through the LPGETSTATUS ioctl command. When a USB printer responds with fewer bytes than expected, the driver fails to initialize the response buffer properly, potentially exposing stale heap memory to callers. This can occur even with standard-behaving printers; the vulnerability is particularly concerning in multi-user environments where one user's application could inadvertently receive residual kernel memory from prior operations.

  • CVE-2026-46168MEDIUM 5.5

    A vulnerability in the Linux kernel's multipath TCP (MPTCP) implementation allows a local attacker with standard user privileges to trigger a denial-of-service condition. The issue stems from improper locking during socket option handling for timestamps. When the kernel attempts to set timestamp options, it uses a fast atomic lock that cannot safely call functions designed to sleep, resulting in a kernel panic. An unprivileged user can exploit this by making specific socket option calls, causing the system to crash or become unresponsive.

  • CVE-2026-46169MEDIUM 5.5

    CVE-2026-46169 is a memory initialization bug in the Linux kernel's HFS+ filesystem driver. When mounting a corrupted HFS+ filesystem, the kernel may read incomplete catalog records and fail to detect that the data is truncated. This leaves portions of a kernel data structure uninitialized. Later, when the filesystem code attempts to process the incomplete record—such as performing case-insensitive string comparison—it uses the uninitialized memory as array indices, triggering a kernel warning. An unprivileged local attacker with the ability to mount a crafted filesystem image could trigger this condition, potentially causing a denial of service or information disclosure.

  • CVE-2026-46170MEDIUM 5.5

    A flaw in the Linux kernel's MPTCP (Multipath TCP) path manager can cause a denial of service when certain network protocol messages are retransmitted. Specifically, when an ADD_ADDR message is resent, the kernel may mismanage internal reference counting for a socket object, potentially leading to a deadlock or crash. An unprivileged local user can trigger this condition, causing the affected system to become unresponsive.

  • CVE-2026-46159MEDIUM 4.7

    A race condition in the Linux kernel's btrfs filesystem driver can leak uninitialized kernel memory to unprivileged local users. The vulnerability exists in the ioctl handler that reports storage space information. When block groups are concurrently removed by the system during the space query operation, the kernel copies more data to userspace than it actually wrote, exposing sensitive kernel memory. An attacker with local access can exploit this timing window to read information that should not be accessible.