本页列出影响 linux linux_kernel 的已公开 CVE 漏洞(通过 NVD CPE 关联)。每行包含严重程度评分、摘要与发布日期,便于识别与分析安全问题。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2026-46253 | In the Linux kernel, the following vulnerability has been resolved: pstore/ram: fix buffer overflow in persistent_ram_save_old() persistent_ram_save_old() can be called multiple times for the same persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz for PSTORE_TYPE_DMESG records). Currently, the function only allocates prz->old_log when it is NULL, but it unconditionally updates prz->old_log_size to the current buffer size and then performs memcpy_fromio() using this new | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 0.03% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46252 | In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix locking in regulator_resolve_supply() error path If late enabling of a supply regulator fails in regulator_resolve_supply(), the code currently triggers a lockdep warning: WARNING: drivers/regulator/core.c:2649 at _regulator_put+0x80/0xa0, CPU#6: kworker/u32:4/596 ... Call trace: _regulator_put+0x80/0xa0 (P) regulator_resolve_supply+0x7cc/0xbe0 regulator_register_resolve_supply+ | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 5.5 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46251 | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block_group_tree dirty_list corruption When the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the block group tree to the switch_commits list before calling switch_commit_roots, as we do for the tree root and the chunk root. However, the block group tree uses normal root dirty tracking and in any transaction that does an allocation and dirties a block group, the block group root will already be linked | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 8.4 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46250 | In the Linux kernel, the following vulnerability has been resolved: MIPS: Work around LLVM bug when gp is used as global register variable On MIPS, __current_thread_info is defined as global register variable locating in $gp, and is simply assigned with new address during kernel relocation. This however is broken with LLVM, which always restores $gp if it finds $gp is clobbered in any form, including when intentionally through a global register variable. This is against GCC's documentation[1] | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.3 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46249 | In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Fix PF driver crash with kexec kernel booting During a kexec reboot the hardware is not power-cycled, so AF state from the old kernel can persist into the new kernel. When AF and PF drivers are built as modules, the PF driver may probe before AF reinitializes the hardware. The PF driver treats the RVUM block revision as an indication that AF initialization is complete. If this value is left uncleared at shutdown | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 5.5 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46248 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: clear stale link mapping of ahvif->links_map When an arvif is initialized in non-AP STA mode but MLO connection preparation fails before the arvif is created (arvif->is_created remains false), the error path attempts to delete all links. However, link deletion only executes when arvif->is_created is true. As a result, ahvif retains a stale entry of arvif that is initialized but not created. When a new arvif is i | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 5.5 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46247 | In the Linux kernel, the following vulnerability has been resolved: clk: qcom: gfx3d: add parent to parent request map After commit d228ece36345 ("clk: divider: remove round_rate() in favor of determine_rate()") determining GFX3D clock rate crashes, because the passed parent map doesn't provide the expected best_parent_hw clock (with the roundd_rate path before the offending commit the best_parent_hw was ignored). Set the field in parent_req in addition to setting it in the req, fixing the cr | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 5.5 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46246 | In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `extcon` handle, means that the `extcon` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interru | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46245 | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dc_link NULL handling in HPD init amdgpu_dm_hpd_init() may see connectors without a valid dc_link. The code already checks dc_link for the polling decision, but later unconditionally dereferences it when setting up HPD interrupts. Assign dc_link early and skip connectors where it is NULL. Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c:940 amdgpu_dm_hpd_init() error: we | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 5.5 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46244 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4pr | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 9.1 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2025-71314 | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Recover from panthor_gpu_flush_caches() failures We have seen a few cases where the whole memory subsystem is blocked and flush operations never complete. When that happens, we want to: - schedule a reset, so we can recover from this situation - in the reset path, we need to reset the pending_reqs so we can send new commands after the reset - if more panthor_gpu_flush_caches() operations are queued after the | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 5.5 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2025-71313 | In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Add missing NULL check for alloc_workqueue() alloc_workqueue() can return NULL on memory allocation failure. Without proper error checking, this may lead to a NULL pointer dereference when queue_work() is later called with the NULL workqueue pointer in epf_ntb_epc_init(). Add a NULL check immediately after alloc_workqueue() and return -ENOMEM on failure to prevent the driver from loading with an invalid workque | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 5.5 | 0.02% | 2026-06-03 | 2026-06-09 |
| CVE-2026-46243 | In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its pri | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.1 | 0.02% | 2026-06-01 | 2026-06-09 |
| CVE-2026-46242 | In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free() | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 0.02% | 2026-05-30 | 2026-06-10 |
| CVE-2026-46241 | In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on registration failure Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak. This issue was flagged by Sashiko when reviewing a controller deregistration fix. | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 0.02% | 2026-05-28 | 2026-06-10 |
| CVE-2026-46240 | In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix use-after-free in iris_release_internal_buffers() The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free. Fix this by setting BUF_ATTR_PENDING_RELEASE before c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.8 | 0.02% | 2026-05-28 | 2026-06-10 |
| CVE-2026-46239 | In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks. Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit. | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 5.5 | 0.02% | 2026-05-28 | 2026-06-10 |
| CVE-2026-46238 | In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned originator pointers in BAT IV BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the ne | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 8.8 | 0.02% | 2026-05-28 | 2026-06-10 |
| CVE-2026-46237 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn3: Avoid overflow on msg bound check As pointed out by SDL, the previous condition may be vulnerable to overflow. (cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10) | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 7.1 | 0.02% | 2026-05-28 | 2026-06-10 |
| CVE-2026-46236 | In the Linux kernel, the following vulnerability has been resolved: media: rc: xbox_remote: heed DMA restrictions The buffer for IO must not be part of the device structure because that violates the DMA coherency rules. | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | 5.5 | 0.02% | 2026-05-28 | 2026-06-10 |