[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fP2H9DhFgPkId4F8YQXZsY7HysMKEHIWAQunzygsaNho":3},{"report":4,"cves":23,"nav":269},{"id":5,"week_start":6,"week_end":7,"week_label":8,"year":9,"week_number":10,"total_cves":11,"critical_count":12,"high_count":13,"medium_count":14,"low_count":15,"kev_count":15,"top_products":16,"summary_en":20,"is_published":21,"created_at":22},"ca8e009e-1d18-4332-b7cf-eacd46f593bd","2026-06-22","2026-06-28","2026-W26",2026,26,58,1,17,40,0,[17],{"name":18,"slug":19,"count":11},"Linux","linux",null,true,"2026-07-17T07:23:51.750683+00:00",{"critical":24,"high":194,"medium":266,"low":267,"kev":268},[25,35,41,47,53,58,64,70,75,81,86,92,97,103,108,113,118,124,130,136,142,147,152,159,166,171,177,183,188],{"cveId":26,"severity":27,"cvssScore":28,"description":29,"publishedAt":30,"url":31,"productSlug":19,"productName":18,"productLogo":32,"cycle":33,"isKev":34},"CVE-2026-52914","CRITICAL",9.8,"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix fragment reassembly length accounting\n\nbatman-adv keeps a running payload length for queued fragments and uses it\nto validate a fragment chain before reassembly.\n\nThat accounting currently allows the accumulated fragment length to be\ntruncated during updates. As a result, malformed fragment chains can\nbypass the intended validation and drive reassembly with inconsistent\nlength state, leading to a local denial of","2026-06-24T08:16:21.213+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52914","https:\u002F\u002Fcdn.simpleicons.org\u002Flinux","6.19",false,{"cveId":36,"severity":27,"cvssScore":28,"description":37,"publishedAt":38,"url":39,"productSlug":19,"productName":18,"productLogo":32,"cycle":40,"isKev":34},"CVE-2026-52924","In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: purge outqueue on stale COOKIE-ECHO handling\n\nsctp_stream_update() is only invoked when the association is moved into\nCOOKIE_WAIT during association setup\u002Freconfiguration. In this path, the\noutbound stream scheduler state (stream->out_curr) is expected to be\nclean, since no user data should have been transmitted yet unless the\nstate machine has already partially progressed.\n\nHowever, a corner case exists in sctp_sf_do_5_2","2026-06-24T08:16:22.43+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52924","6.1",{"cveId":42,"severity":27,"cvssScore":28,"description":43,"publishedAt":44,"url":45,"productSlug":19,"productName":18,"productLogo":32,"cycle":46,"isKev":34},"CVE-2026-53010","In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in smb2_open during durable reconnect\n\nIn smb2_open, the call to ksmbd_put_durable_fd(fp) drops the reference\nto the durable file descriptor early during the durable reconnect\nprocess. If an error occurs subsequently (eg, ksmbd_iov_pin_rsp fails)\nor a scavenger accesses the file, it leads to a use-after-free when\naccessing fp properties (eg fp->create_time).\n\nMove the single put to the end of the funct","2026-06-24T17:17:12.21+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53010","6.7",{"cveId":48,"severity":27,"cvssScore":28,"description":49,"publishedAt":50,"url":51,"productSlug":19,"productName":18,"productLogo":32,"cycle":52,"isKev":34},"CVE-2026-52955","In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in crush_decode()\n\nA message of type CEPH_MSG_OSD_MAP containing a crush map with at least\none bucket has two fields holding the bucket algorithm. If the values\nin these two fields differ, an out-of-bounds access can occur. This is\nthe case because the first algorithm field (alg) is used to allocate\nthe correct amount of memory for a bucket of this type, while the second\nalgorithm fie","2026-06-24T17:17:05.67+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52955","6.16",{"cveId":54,"severity":27,"cvssScore":28,"description":55,"publishedAt":56,"url":57,"productSlug":19,"productName":18,"productLogo":32,"cycle":52,"isKev":34},"CVE-2026-53176","In the Linux kernel, the following vulnerability has been resolved:\n\nIB\u002Fisert: Reject login PDUs shorter than ISER_HEADERS_LEN\n\nIn drivers\u002Finfiniband\u002Fulp\u002Fisert\u002Fib_isert.c, isert_login_recv_done()\ncomputes the login request payload length as wc->byte_len minus\nISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.\nA remote iSER initiator can post a login Send work request carrying\nfewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows\nand login_req_len becomes neg","2026-06-25T09:16:34.953+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53176",{"cveId":59,"severity":27,"cvssScore":28,"description":60,"publishedAt":61,"url":62,"productSlug":19,"productName":18,"productLogo":32,"cycle":63,"isKev":34},"CVE-2026-52989","In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers\n\nCurrently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds\nPDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue)\nand returns early. However, because the function returns void, the\ncallers are entirely unaware that a fatal error has occurred and\nthat the cmd->recv_msg.msg_iter was left uninitialized.\n\nCallers such as nvmet_tcp_handle_","2026-06-24T17:17:09.707+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52989","7.1",{"cveId":65,"severity":27,"cvssScore":28,"description":66,"publishedAt":67,"url":68,"productSlug":19,"productName":18,"productLogo":32,"cycle":69,"isKev":34},"CVE-2026-52986","In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: don't use simple_strtoul\n\nReplace unsafe port parsing in epaddr_len(), ct_sip_parse_header_uri(),\nand ct_sip_parse_request() with a new sip_parse_port() helper that\nvalidates each digit against the buffer limit, eliminating the use of\nsimple_strtoul() which assumes NUL-terminated strings.\n\nThe previous code dereferenced pointers without bounds checks after\nsip_parse_addr() and relied on simple_strto","2026-06-24T17:17:09.383+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52986","6.12",{"cveId":71,"severity":27,"cvssScore":28,"description":72,"publishedAt":73,"url":74,"productSlug":19,"productName":18,"productLogo":32,"cycle":63,"isKev":34},"CVE-2026-53246","In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: validate cached peer INIT chunk length in COOKIE_ECHO processing\n\nWhen a listening SCTP server processes a COOKIE_ECHO chunk, the cached\npeer INIT chunk embedded after the cookie is parsed and its parameters\nare later walked by sctp_process_init() using sctp_walk_params().\n\nHowever, the chunk header length of this cached INIT chunk was not\nvalidated against the remaining buffer in the COOKIE_ECHO payload. If\nthe length fi","2026-06-25T09:16:42.567+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53246",{"cveId":76,"severity":27,"cvssScore":28,"description":77,"publishedAt":78,"url":79,"productSlug":19,"productName":18,"productLogo":32,"cycle":80,"isKev":34},"CVE-2026-52931","In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: tp_meter: avoid use of uninit sender vars\n\nbatadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the\nBATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it\nproceeds to read sender-only members that were never initialized, leading\nto undefined behavior.\n\nThis can be triggered when a node that is currently acting as a receiver in\nan ongoing tp_meter session receives a malicious ACK pac","2026-06-24T08:16:23.273+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52931","6.13",{"cveId":82,"severity":27,"cvssScore":28,"description":83,"publishedAt":84,"url":85,"productSlug":19,"productName":18,"productLogo":32,"cycle":80,"isKev":34},"CVE-2026-53002","In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: remove sprintf usage\n\nReplace it with scnprintf, the buffer sizes are expected to be large enough\nto hold the result, no need for snprintf+overflow check.\n\nIncrease buffer size in mangle_content_len() while at it.\n\nBUG: KASAN: stack-out-of-bounds in vsnprintf+0xea5\u002F0x1270\nWrite of size 1 at addr [..]\n vsnprintf+0xea5\u002F0x1270\n sprintf+0xb1\u002F0xe0\n mangle_content_len+0x1ac\u002F0x280\n nf_nat_sdp_session+0x1cc\u002F0x240\n","2026-06-24T17:17:11.263+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53002",{"cveId":87,"severity":27,"cvssScore":28,"description":88,"publishedAt":89,"url":90,"productSlug":19,"productName":18,"productLogo":32,"cycle":91,"isKev":34},"CVE-2026-53309","In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2\u002Fdlm: fix off-by-one in dlm_match_regions() region comparison\n\nThe local-vs-remote region comparison loop uses '\u003C=' instead of '\u003C',\ncausing it to read one entry past the valid range of qr_regions.  The\nother loops in the same function correctly use '\u003C'.\n\nFix the loop condition to use '\u003C' for consistency and correctness.","2026-06-26T20:17:24.203+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53309","5.16",{"cveId":93,"severity":27,"cvssScore":28,"description":94,"publishedAt":95,"url":96,"productSlug":19,"productName":18,"productLogo":32,"cycle":69,"isKev":34},"CVE-2026-53175","In the Linux kernel, the following vulnerability has been resolved:\n\ninet: frags: fix use-after-free caused by the fqdir_pre_exit() flush\n\nOn netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and\nflushes every fragment queue that is not yet complete using\ninet_frag_queue_flush(). That helper frees all the skbs queued on the\nfragment queue but does not set INET_FRAG_COMPLETE, and leaves\nq->fragments_tail and q->last_run_head pointing at the freed skbs.\nThe queue itself stays in the rhas","2026-06-25T09:16:34.84+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53175",{"cveId":98,"severity":27,"cvssScore":28,"description":99,"publishedAt":100,"url":101,"productSlug":19,"productName":18,"productLogo":32,"cycle":102,"isKev":34},"CVE-2026-53151","In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix the ACK parser to extract the SACK table for parsing\n\nFix modification of the received skbuff in rxrpc_input_soft_acks() and a\npotential incorrect access of the buffer in a fragmented UDP packet (the\npacket would probably have to be deliberately pre-generated as fragmented)\nwhen AF_RXRPC tries to extract the contents of the SACK table by copying\nout the contents of the SACK table into a buffer before attempting to pa","2026-06-25T09:16:32.48+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53151","6.14",{"cveId":104,"severity":27,"cvssScore":28,"description":105,"publishedAt":106,"url":107,"productSlug":19,"productName":18,"productLogo":32,"cycle":69,"isKev":34},"CVE-2026-52982","In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()\n\nsyzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit()\nwhen accessing skb->len for tx statistics after usb_submit_urb() has\nbeen called:\n\n  BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f\u002F0x760\n    drivers\u002Fnet\u002Fusb\u002Frtl8150.c:712\n  Read of size 4 at addr ffff88810eb7a930 by task kworker\u002F0:4\u002F5226\n\nThe URB completion handler write_bulk_call","2026-06-24T17:17:08.887+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52982",{"cveId":109,"severity":27,"cvssScore":28,"description":110,"publishedAt":111,"url":112,"productSlug":19,"productName":18,"productLogo":32,"cycle":52,"isKev":34},"CVE-2026-53006","In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible UAF in icmpv6_rcv()\n\nCaching saddr and daddr before pskb_pull() is problematic\nsince skb->head can change.\n\nRemove these temporary variables:\n\n- We only access &ipv6_hdr(skb)->saddr and &ipv6_hdr(skb)->daddr\n  when net_dbg_ratelimited() is called in the slow path.\n\n- Avoid potential future misuse after pskb_pull() call.","2026-06-24T17:17:11.75+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53006",{"cveId":114,"severity":27,"cvssScore":28,"description":115,"publishedAt":116,"url":117,"productSlug":19,"productName":18,"productLogo":32,"cycle":69,"isKev":34},"CVE-2026-53247","In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown\n\nmtk_free_dev() calls metadata_dst_free() which frees the metadata_dst\nwith kfree() immediately, bypassing the RCU grace period.\nIn the RX path, skb_dst_set_noref() sets a non-refcounted pointer from\nthe skb to the metadata_dst. This function requires RCU read-side\nprotection and the dst must remain valid until all RCU readers complete.\nSince metadata_dst_f","2026-06-25T09:16:42.657+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53247",{"cveId":119,"severity":27,"cvssScore":28,"description":120,"publishedAt":121,"url":122,"productSlug":19,"productName":18,"productLogo":32,"cycle":123,"isKev":34},"CVE-2026-52993","In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix double-free in tipc_buf_append()\n\ntipc_msg_validate() can potentially reallocate the skb it is validating,\nfreeing the old one.  In tipc_buf_append(), it was being called with a\npointer to a local variable which was a copy of the caller's skb\npointer.\n\nIf the skb was reallocated and validation subsequently failed, the error\nhandling path would free the original skb pointer, which had already\nbeen freed, leading to dou","2026-06-24T17:17:10.203+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52993","7.0",{"cveId":125,"severity":27,"cvssScore":28,"description":126,"publishedAt":127,"url":128,"productSlug":19,"productName":18,"productLogo":32,"cycle":129,"isKev":34},"CVE-2026-53228","In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sit: reload inner IPv6 header after GSO offloads\n\nipip6_tunnel_xmit() caches the inner IPv6 header pointer at function\nentry and continues using it after iptunnel_handle_offloads().\n\nFor GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().\nWhen the skb header is cloned, skb_header_unclone() can call\npskb_expand_head(), which may move the skb head. The pskb_expand_head()\ncontract requires pointers into the skb ","2026-06-25T09:16:40.657+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53228","5.11",{"cveId":131,"severity":27,"cvssScore":28,"description":132,"publishedAt":133,"url":134,"productSlug":19,"productName":18,"productLogo":32,"cycle":135,"isKev":34},"CVE-2026-53221","In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()\n\nIn vti6_tnl_lookup(), when an exact match for a tunnel fails,\nthe code falls back to searching for wildcard tunnels:\n\n- Tunnels matching the packet's local address, with any remote address\n  wildcard remote).\n\n- Tunnels matching the packet's remote address, with any local address\n  (wildcard local).\n\nHowever, vti6 stores all these different types of tunnels in the sam","2026-06-25T09:16:39.863+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53221","5.10",{"cveId":137,"severity":27,"cvssScore":28,"description":138,"publishedAt":139,"url":140,"productSlug":19,"productName":18,"productLogo":32,"cycle":141,"isKev":34},"CVE-2026-53215","In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: refill RX buffers before XDP or skb use\n\nThe RX error path returns the current descriptor buffer to the hardware\nBM pool. That is only valid while the driver still owns the buffer.\n\nmvpp2_rx_refill() can fail after the current buffer has been handed to\nXDP or attached to an skb. In those cases mvpp2_run_xdp() may have\nrecycled, redirected, or queued the page for XDP_TX, and an skb free also\nretires the data buffer. ","2026-06-25T09:16:39.16+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53215","6.0",{"cveId":143,"severity":27,"cvssScore":28,"description":144,"publishedAt":145,"url":146,"productSlug":19,"productName":18,"productLogo":32,"cycle":46,"isKev":34},"CVE-2026-53216","In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: limit XDP frame size to the RX buffer\n\nmvpp2 has short and long BM pools, and short pool buffers can be smaller\nthan PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with\nPAGE_SIZE as frame size.\n\nXDP helpers use frame_sz to validate tail growth and to derive the hard\nend of the data area. Advertising PAGE_SIZE for short buffers can let\nbpf_xdp_adjust_tail() grow a packet past the real allocation, cor","2026-06-25T09:16:39.28+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53216",{"cveId":148,"severity":27,"cvssScore":28,"description":149,"publishedAt":150,"url":151,"productSlug":19,"productName":18,"productLogo":32,"cycle":63,"isKev":34},"CVE-2026-53260","In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().\n\nsyzbot reported a weird reqsk->rsk_refcnt underflow in\n__inet_csk_reqsk_queue_drop().\n\nThe captured reqsk_put() in __inet_csk_reqsk_queue_drop()\nis called only when it successfully removes reqsk from ehash.\n\nMoreover, reqsk_timer_handler() calls another reqsk_put()\nafter that.\n\nThis indicates that the reqsk was missing both refcnts for\nehash and the timer it","2026-06-25T09:16:43.993+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53260",{"cveId":153,"severity":27,"cvssScore":154,"description":155,"publishedAt":156,"url":157,"productSlug":19,"productName":18,"productLogo":32,"cycle":158,"isKev":34},"CVE-2026-53131",9.4,"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: require Ethernet MAC header before using eth_hdr()\n\n`ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and\n`hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)`\nafter either assuming that the skb is associated with an Ethernet\ndevice or checking only that the `ETH_HLEN` bytes at\n`skb_mac_header(skb)` lie between `skb->head` and `skb->data`.\n\nMake these paths first verify that the skb is associate","2026-06-25T09:16:30.307+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53131","4.19",{"cveId":160,"severity":27,"cvssScore":161,"description":162,"publishedAt":163,"url":164,"productSlug":19,"productName":18,"productLogo":32,"cycle":165,"isKev":34},"CVE-2026-53043",9.1,"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2\u002Fdlm: validate qr_numregions in dlm_match_regions()\n\nPatch series \"ocfs2\u002Fdlm: fix two bugs in dlm_match_regions()\".\n\nIn dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGION\nnetwork message is used to drive loops over the qr_regions buffer without\nsufficient validation.  This series fixes two issues:\n\n- Patch 1 adds a bounds check to reject messages where qr_numregions\n  exceeds O2NM_MAX_REGIONS. The o2net l","2026-06-24T17:17:16.063+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53043","5.15",{"cveId":167,"severity":27,"cvssScore":161,"description":168,"publishedAt":169,"url":170,"productSlug":19,"productName":18,"productLogo":32,"cycle":33,"isKev":34},"CVE-2026-52958","In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in osdmap_decode()\n\nWhen decoding osd_state and osd_weight from an incoming osdmap in\nosdmap_decode(), both are decoded for each osd, i.e., map->max_osd\ntimes. The ceph_decode_need() check only accounts for\nsizeof(*map->osd_weight) once. This can potentially result in an\nout-of-bounds memory access if the incoming message is corrupted such\nthat the max_osd value exceeds the actual con","2026-06-24T17:17:06.033+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52958",{"cveId":172,"severity":27,"cvssScore":161,"description":173,"publishedAt":174,"url":175,"productSlug":19,"productName":18,"productLogo":32,"cycle":176,"isKev":34},"CVE-2026-53186","In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA\u002Fsrp: bound SRP_RSP sense copy by the received length\n\nsrp_process_rsp() copies sense data from rsp->data + resp_data_len,\nwhere resp_data_len is the full 32-bit value supplied by the SRP target\nand is never checked against the number of bytes actually received\n(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so\nat most 96 bytes are copied, but the source offset is not bounded.\n\nA malicious or compromise","2026-06-25T09:16:36.02+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53186","6.9",{"cveId":178,"severity":27,"cvssScore":161,"description":179,"publishedAt":180,"url":181,"productSlug":19,"productName":18,"productLogo":32,"cycle":182,"isKev":34},"CVE-2026-53224","In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: validate embedded INIT chunk and address list lengths in cookie\n\nsctp_unpack_cookie() only checked that the embedded INIT chunk length\ndid not exceed the remaining cookie payload, but did not ensure that the\nINIT chunk is large enough to contain a complete INIT header.\n\nA malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose\nlength field is smaller than sizeof(struct sctp_init_chunk).  Later,\nsctp_process","2026-06-25T09:16:40.2+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53224","5.18",{"cveId":184,"severity":27,"cvssScore":161,"description":185,"publishedAt":186,"url":187,"productSlug":19,"productName":18,"productLogo":32,"cycle":135,"isKev":34},"CVE-2026-52999","In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_osf: fix out-of-bounds read on option matching\n\nIn nf_osf_match(), the nf_osf_hdr_ctx structure is initialized once\nand passed by reference to nf_osf_match_one() for each fingerprint\nchecked. During TCP option parsing, nf_osf_match_one() advances the\nshared ctx->optp pointer.\n\nIf a fingerprint perfectly matches, the function returns early without\nrestoring ctx->optp to its initial state. If the user has con","2026-06-24T17:17:10.913+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52999",{"cveId":189,"severity":27,"cvssScore":161,"description":190,"publishedAt":191,"url":192,"productSlug":19,"productName":18,"productLogo":32,"cycle":193,"isKev":34},"CVE-2026-53225","In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix uninit-value in __sctp_rcv_asconf_lookup()\n\n__sctp_rcv_asconf_lookup() in net\u002Fsctp\u002Finput.c only checks that the ASCONF\nchunk can hold the ADDIP header and a parameter header, then calls\naf->from_addr_param(), which reads the full address (16 bytes for IPv6)\ntrusting the parameter's declared length.\n\nAn unauthenticated peer can send a truncated trailing ASCONF chunk that\ndeclares an IPv6 address parameter but stops aft","2026-06-25T09:16:40.297+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53225","6.11",[195,202,208,214,219,224,229,234,239,244,250,255,260],{"cveId":196,"severity":197,"cvssScore":198,"description":199,"publishedAt":200,"url":201,"productSlug":19,"productName":18,"productLogo":32,"cycle":63,"isKev":34},"CVE-2026-52934","HIGH",8.8,"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: tvlv: reject oversized TVLV packets\n\nbatadv_tvlv_container_ogm_append() builds a TVLV packet section from\nthe tvlv.container_list. The total size of this section is computed by\nbatadv_tvlv_container_list_size(), which sums the sizes of all registered\ncontainers.\n\nThe return type and accumulator in batadv_tvlv_container_list_size() were\nu16. If the accumulated size exceeds U16_MAX, the value wraps around,\ncausing the","2026-06-24T08:16:23.62+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52934",{"cveId":203,"severity":197,"cvssScore":198,"description":204,"publishedAt":205,"url":206,"productSlug":19,"productName":18,"productLogo":32,"cycle":207,"isKev":34},"CVE-2026-53266","In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: make ebt_snat ARP rewrite writable\n\nThe ebtables SNAT target keeps the Ethernet source address rewrite\nbehind skb_ensure_writable(skb, 0).  This is intentional: at the bridge\nebtables hooks the Ethernet header is addressed through\nskb_mac_header()\u002Feth_hdr(), while skb->data points at the Ethernet\npayload.  Asking skb_ensure_writable() for ETH_HLEN bytes would check\nthe payload, not the Ethernet header, and wo","2026-06-25T09:16:44.643+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53266","6.5",{"cveId":209,"severity":197,"cvssScore":198,"description":210,"publishedAt":211,"url":212,"productSlug":19,"productName":18,"productLogo":32,"cycle":213,"isKev":34},"CVE-2026-52918","In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: serialize accept_q access\n\nbt_sock_poll() walks the accept queue without synchronization, while\nchild teardown can unlink the same socket and drop its last reference.\nThe unsynchronized accept queue walk has existed since the initial\nBluetooth import.\n\nProtect accept_q with a dedicated lock for queue updates and polling.\nAlso rework bt_accept_dequeue() to take temporary child references under\nthe queue lock before dr","2026-06-24T08:16:21.713+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52918","6.15",{"cveId":215,"severity":197,"cvssScore":198,"description":216,"publishedAt":217,"url":218,"productSlug":19,"productName":18,"productLogo":32,"cycle":193,"isKev":34},"CVE-2026-53198","In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL\n\nA deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on\nconn->async_requests via setup_async_work(), with cancel_fn =\nsmb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock.\n\nWhen the request is cancelled, the worker frees the file_lock with\nlocks_free_lock() and takes the cancelled early-exit, which \"goto out","2026-06-25T09:16:37.323+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53198",{"cveId":220,"severity":197,"cvssScore":198,"description":221,"publishedAt":222,"url":223,"productSlug":19,"productName":18,"productLogo":32,"cycle":123,"isKev":34},"CVE-2026-53171","In the Linux kernel, the following vulnerability has been resolved:\n\naccel\u002Fethosu: fix arithmetic issues in dma_length()\n\ndma_length() derives DMA region usage from command stream values and\nupdates region_size[]:\n\n    len = ((len + stride[0]) * size0 + stride[1]) * size1\n    region_size[region] = max(..., len + dma->offset)\n\nSeveral arithmetic issues can corrupt the derived region size:\n\n- signed stride values may underflow when added to len\n- intermediate multiplications may overflow\n- len + d","2026-06-25T09:16:34.457+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53171",{"cveId":225,"severity":197,"cvssScore":198,"description":226,"publishedAt":227,"url":228,"productSlug":19,"productName":18,"productLogo":32,"cycle":33,"isKev":34},"CVE-2026-53200","In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX\n\nXN has already been extracted from its bitfield position so using\nFIELD_PREP() on the mask that clears XN[0] is completely broken, having\nthe effect of unconditionally granting execute permissions...\n\nFix the obvious mistake by manipulating the right bit.","2026-06-25T09:16:37.577+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53200",{"cveId":230,"severity":197,"cvssScore":198,"description":231,"publishedAt":232,"url":233,"productSlug":19,"productName":18,"productLogo":32,"cycle":123,"isKev":34},"CVE-2026-52952","In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset\n\nIn __iommu_group_set_domain_internal(), concurrent domain attachments are\nrejected when any device in the group is recovering. This is necessary to\nfence concurrent attachments to a multi-device group where devices might\nshare the same RID due to PCI DMA alias quirks, but triggers the WARN_ON in\n__iommu_group_set_domain_nofail().\n\nOther IOMMU_SET_DOMAIN_MUST_","2026-06-24T17:17:05.333+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-52952",{"cveId":235,"severity":197,"cvssScore":198,"description":236,"publishedAt":237,"url":238,"productSlug":19,"productName":18,"productLogo":32,"cycle":80,"isKev":34},"CVE-2026-53275","In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: Fix use-after-free when processing MLD queries\n\nWhen processing an MLD query, a pointer to the multicast group address\nis retrieved when initially parsing the packet. This pointer is later\ndereferenced without being reloaded despite the fact that the skb header\nmight have been reallocated following the pskb_may_pull() calls, leading\nto a use-after-free [1].\n\nFix by copying the multicast group address when the packe","2026-06-25T09:16:45.687+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53275",{"cveId":240,"severity":197,"cvssScore":198,"description":241,"publishedAt":242,"url":243,"productSlug":19,"productName":18,"productLogo":32,"cycle":63,"isKev":34},"CVE-2026-53277","In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation\n\nwalk_s1() and kvm_walk_nested_s2() expect to be called while holding\nkvm->srcu to guard against memslot changes. While this is generally\nthe case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the\nrespective walkers without taking kvm->srcu.\n\nFix by acquiring kvm->srcu prior to the table walk in both instances.","2026-06-25T09:16:45.897+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53277",{"cveId":245,"severity":197,"cvssScore":198,"description":246,"publishedAt":247,"url":248,"productSlug":19,"productName":18,"productLogo":32,"cycle":249,"isKev":34},"CVE-2026-53188","In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA\u002Fcore: Validate the passed in fops for ib_get_ucaps()\n\nSashiko pointed out it is not safe to rely only on the devt because\nchar\u002Fblock alias so if the user finds a block device with the same dev_t\nit can masquerade as a ucap cdev fd.\n\nTest the f_ops to only accept authentic cdevs.","2026-06-25T09:16:36.237+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53188","6.17",{"cveId":251,"severity":197,"cvssScore":198,"description":252,"publishedAt":253,"url":254,"productSlug":19,"productName":18,"productLogo":32,"cycle":33,"isKev":34},"CVE-2026-53322","In the Linux kernel, the following vulnerability has been resolved:\n\nvfio\u002Fpci: Clean up DMABUFs before disabling function\n\nOn device shutdown, make vfio_pci_core_close_device() call\nvfio_pci_dma_buf_cleanup() before the function is disabled via\nvfio_pci_core_disable().  This ensures that all access via DMABUFs is\nrevoked before the function's BARs become inaccessible.\n\nThis fixes an issue where, if the function is disabled first, a tiny\nwindow exists in which the function's MSE is cleared and ye","2026-06-26T20:17:25.56+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53322",{"cveId":256,"severity":197,"cvssScore":198,"description":257,"publishedAt":258,"url":259,"productSlug":19,"productName":18,"productLogo":32,"cycle":63,"isKev":34},"CVE-2026-53281","In the Linux kernel, the following vulnerability has been resolved:\n\niommu\u002Fvt-d: Avoid NULL pointer dereference or refcount corruption\n\nCommit 60f030f7418d (\"iommu\u002Fvt-d: Avoid use of NULL after WARN_ON_ONCE\")\nfixed a NULL pointer dereference in an unlikely situation partly.\n\nIf dev_pasid is not found in the dev_pasids list, it remains NULL.\nHowever, the teardown operations are executed unconditionally, this lead\nto a NULL pointer dereference or refcount corruption.\n\nIf the domain was never attac","2026-06-26T20:17:19.6+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53281",{"cveId":261,"severity":197,"cvssScore":198,"description":262,"publishedAt":263,"url":264,"productSlug":19,"productName":18,"productLogo":32,"cycle":265,"isKev":34},"CVE-2026-53240","In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: iptfs: fix use-after-free on first_skb in __input_process_payload\n\n__input_process_payload() stores first_skb into xtfs->ra_newskb under\ndrop_lock when starting partial reassembly, then unlocks and breaks out\nof the processing loop. The post-loop check reads xtfs->ra_newskb\nwithout the lock to decide whether first_skb is still owned:\n\n    if (first_skb && first_iplen && !defer && first_skb != xtfs->ra_newskb)\n\nBetween spi","2026-06-25T09:16:41.96+00:00","https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-53240","6.18",[],[],[],{"prev":270,"next":271},"2026-W25","2026-W27"]