Fri, Apr 03 · 04:16 PM CDTCVE-2026-31402
9.8/10 · Must read/watchNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account
CVECVE-2026-31402
SeverityCRITICAL
TypeUPDATED
PublishedFri, Apr 03 · 04:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Fri, May 08 · 02:16 PM CDTCVE-2026-43341
9.8/10 · Must read/watchNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: net/ipv6: ioam6: prevent schema length wraparound in trace fill ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and
CVECVE-2026-43341
SeverityCRITICAL
TypeUPDATED
PublishedFri, May 08 · 02:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Thu, May 28 · 10:16 AM CDTCVE-2026-46137
9.8/10 · Must read/watchNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again so
CVECVE-2026-46137
SeverityCRITICAL
TypeUPDATED
PublishedThu, May 28 · 10:16 AM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Thu, May 28 · 10:16 AM CDTCVE-2026-46195
9.8/10 · Must read/watchNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned securit
CVECVE-2026-46195
SeverityCRITICAL
TypeUPDATED
PublishedThu, May 28 · 10:16 AM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Fri, May 08 · 03:16 PM CDTCVE-2026-43383
9.4/10 · Must read/watchNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: net/tcp-md5: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
CVECVE-2026-43383
SeverityCRITICAL
TypeUPDATED
PublishedFri, May 08 · 03:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Wed, Apr 22 · 09:16 AM CDTCVE-2026-31432
8.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while bui
CVECVE-2026-31432
SeverityHIGH
TypeUPDATED
PublishedWed, Apr 22 · 09:16 AM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Fri, May 01 · 02:16 PM CDTCVE-2026-31709
8.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The ori
CVECVE-2026-31709
SeverityHIGH
TypeUPDATED
PublishedFri, May 01 · 02:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Thu, May 21 · 01:16 PM CDTCVE-2026-43495
8.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains suff
CVECVE-2026-43495
SeverityHIGH
TypeUPDATED
PublishedThu, May 21 · 01:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Wed, May 27 · 02:17 PM CDTCVE-2026-46056
8.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the
CVECVE-2026-46056
SeverityHIGH
TypeUPDATED
PublishedWed, May 27 · 02:17 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Thu, May 28 · 10:16 AM CDTCVE-2026-46125
8.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being r
CVECVE-2026-46125
SeverityHIGH
TypeUPDATED
PublishedThu, May 28 · 10:16 AM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Fri, May 01 · 02:16 PM CDTCVE-2026-31712
8.3/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: ksmbd: require minimum ACE size in smb_check_perm_dacl() Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared `ace->size` is smaller than the struct it claims to describe: if
CVECVE-2026-31712
SeverityHIGH
TypeUPDATED
PublishedFri, May 01 · 02:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Sun, May 17 · 06:16 PM CDTCVE-2026-46720
8.2/10 · Worth your timeNVDvuln
Summary
Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
CVECVE-2026-46720
SeverityHIGH
TypeUPDATED
PublishedSun, May 17 · 06:16 PM CDT
ModifiedFri, Jun 19 · 04:16 PM CDT
Fri, Jul 09 · 03:15 PM CDTCVE-2021-27033
8.1/10 · Worth your timeNVDvuln
Summary
A maliciously crafted PDF file, when opened by a user in Autodesk Design Review, can trigger a Double Free vulnerability in the Autodesk Design Review application. A malicious actor may leverage this vulnerability to cause memory corruption and execute arbitrary code in the context of the current process.
CVECVE-2021-27033
SeverityHIGH
TypeUPDATED
PublishedFri, Jul 09 · 03:15 PM CDT
ModifiedFri, Jun 19 · 02:16 PM CDT
Fri, May 01 · 02:16 PM CDTCVE-2026-31708
8.1/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch clamps qi.input_buffer_length to the server-reported Output
CVECVE-2026-31708
SeverityHIGH
TypeUPDATED
PublishedFri, May 01 · 02:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Wed, Mar 12 · 10:15 AM CDTCVE-2025-21863
7.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we santitise it against speculations.
CVECVE-2025-21863
SeverityHIGH
TypeUPDATED
PublishedWed, Mar 12 · 10:15 AM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Thu, Jul 03 · 09:15 AM CDTCVE-2025-38129
7.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix use-after-free in page_pool_recycle_in_ring syzbot reported a uaf in page_pool_recycle_in_ring: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz
CVECVE-2025-38129
SeverityHIGH
TypeUPDATED
PublishedThu, Jul 03 · 09:15 AM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Wed, Jul 09 · 11:15 AM CDTCVE-2025-38250
7.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix use-after-free in vhci_flush() syzbot reported use-after-free in vhci_flush() without repro. [0] From the splat, a thread close()d a vhci file descriptor while its device was being used by iotcl() on another thread. Once the la
CVECVE-2025-38250
SeverityHIGH
TypeUPDATED
PublishedWed, Jul 09 · 11:15 AM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Fri, Sep 19 · 04:15 PM CDTCVE-2025-39863
7.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to
CVECVE-2025-39863
SeverityHIGH
TypeUPDATED
PublishedFri, Sep 19 · 04:15 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Tue, Mar 10 · 06:18 PM CDTCVE-2026-24289
7.8/10 · Worth your timeNVDvuln
Summary
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVECVE-2026-24289
SeverityHIGH
TypeUPDATED
PublishedTue, Mar 10 · 06:18 PM CDT
ModifiedFri, Jun 19 · 07:16 PM CDT
Tue, Mar 10 · 06:18 PM CDTCVE-2026-24293
7.8/10 · Worth your timeNVDvuln
Summary
Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVECVE-2026-24293
SeverityHIGH
TypeUPDATED
PublishedTue, Mar 10 · 06:18 PM CDT
ModifiedFri, Jun 19 · 07:16 PM CDT
Mon, Apr 13 · 02:16 PM CDTCVE-2026-31419
7.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during
CVECVE-2026-31419
SeverityHIGH
TypeUPDATED
PublishedMon, Apr 13 · 02:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Wed, Apr 22 · 02:16 PM CDTCVE-2026-31449
7.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: validate p_idx bounds in ext4_ext_correct_indexes ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_id
CVECVE-2026-31449
SeverityHIGH
TypeUPDATED
PublishedWed, Apr 22 · 02:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Wed, Apr 22 · 02:16 PM CDTCVE-2026-31489
7.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: spi: meson-spicc: Fix double-put in remove path meson_spicc_probe() registers the controller with devm_spi_register_controller(), so teardown already drops the controller reference via devm cleanup. Calling spi_controller_put() again in meson_spicc_rem
CVECVE-2026-31489
SeverityHIGH
TypeUPDATED
PublishedWed, Apr 22 · 02:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Fri, Apr 24 · 03:16 PM CDTCVE-2026-31663
7.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, wh
CVECVE-2026-31663
SeverityHIGH
TypeUPDATED
PublishedFri, Apr 24 · 03:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT
Fri, May 01 · 02:16 PM CDTCVE-2026-31700
7.8/10 · Worth your timeNVDvuln
Summary
In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_pars
CVECVE-2026-31700
SeverityHIGH
TypeUPDATED
PublishedFri, May 01 · 02:16 PM CDT
ModifiedFri, Jun 19 · 01:16 PM CDT