Nebula Security

Vega vulnerability research · continuously updated

Buglist

Validated security findings across kernels, browsers, runtimes, and application software. Entries are disclosed when possible and redacted when details would create avoidable risk.

698

Linux kernel

9

Chrome

23

Other findings

90

Public CVEs

698 rows
1CVE-2026-23274`idletimer_tg_checkentry()` (revision 0 path) reuses existing timers by label without validating `timer_type`, and unconditionally calls `mod_timer(&info->timer->timer, ...)`. In `idletimer_tg_create_v1()`, when `timer_type` is `XT_IDLETIMER_ALARM`, only `alarm_init()` is done and `timer_setup()` is never called for `info->timer->timer`. This allows mixing a rev1 ALARM rule and a rev0 rule with the same label, causing rev0 code paths (`idletimer_tg_checkentry()`, `idletimer_tg_target()`, and potentially `idletimer_tg_destroy()`) to operate on an uninitialized `timer_list`, which can corrupt timer internals (memory corruption) and may be exploitable from CAP_NET_ADMIN context.fixedunknownCVSS 7.8v5.6-rc5+namespace_required
2CVE-2026-31418`mtype_del()` can shrink a bucket with `n->size == AHASH_INIT_SIZE` down to `tmp->size = 0` (`n->size - AHASH_INIT_SIZE`) while leaving an empty bucket object installed. Later, if the set is full and forceadd is enabled, `mtype_add()` takes the `reuse || forceadd` branch before the grow-path, forces `j = 0`, and computes `data = ahash_data(n, j, set->dsize)` even when `n->size == 0` and `n->pos == 0`. It then calls `ip_set_ext_destroy(set, data)` and eventually `memcpy(data, d, sizeof(struct mtype_elem))`, causing out-of-bounds heap access/write past the zero-element bucket allocation.fixedout-of-bounds-writeCVSS 5.5v5.6+namespace_required
3CVE-2026-31634`rxrpc_server_keyring()` stores a newly looked-up keyring in `rx->securities` without releasing any previously stored reference. In the userspace path, `rxrpc_setsockopt()` for `RXRPC_SECURITY_KEYRING` checks `rx->key` but not `rx->securities`, so repeated setsockopt calls on an unbound RxRPC socket are permitted and overwrite `rx->securities` each time. Only the final pointer is dropped in socket teardown (`key_put(rx->securities)` once), leaking all prior key references and allowing local memory/resource exhaustion via repeated calls.fixedmemory-leakCVSS 5.5v2.6.22+unprivileged
4CVE-2026-31637`rxkad_decrypt_ticket()` never checks the return value of `crypto_skcipher_decrypt()`. `rxkad_verify_response()` only constrains `ticket_len` to 4..1024, so a non-block-aligned ticket can make decryption fail while the function continues parsing attacker-controlled bytes as if they were a plaintext ticket and session key. An attacker can then craft the RESPONSE body around that chosen session key and bypass the server secret.fixedpolicy-bypassCVSS 9.8v2.6.22-rc1+unprivileged
5CVE-2026-31638`rxrpc_input_packet_on_conn()` can pass a NULL call pointer into `rxrpc_put_call()` on the client-directed error path. If `chan->call` is NULL (so `rxrpc_try_get_call()` returns NULL) and an incoming packet has `callNumber > chan->call_id` with `rxrpc_to_client(sp)` true, the function executes `rxrpc_put_call(call, ...)` unconditionally. In this tree, `rxrpc_put_call()` asserts `call != NULL` and BUGs; without assertions it still dereferences NULL. A malicious peer (or spoofed packet matching an existing client connection) can trigger a kernel crash (remote DoS).fixedunknownCVSS 7.5v6.2-rc1+unprivileged
6CVE-2026-31657`struct batadv_bla_claim` protects `backbone_gw` with `backbone_lock`, but `batadv_bla_claim_dump_entry()` and `batadv_bla_check_claim()` dereference `claim->backbone_gw` directly. A concurrent `batadv_bla_add_claim()` can swap the owner and drop the old backbone gateway's last reference, so these readers can lock and dereference a freed `struct batadv_bla_backbone_gw`.fixeduse-after-freeCVSS 9.8v4.8+namespace_required
7CVE-2026-31659`batadv_tt_prepare_tvlv_global_data()` stores the allocation size in `u16 tvlv_len` and truncates `*tt_len` before `kmalloc()`. In `batadv_send_other_tt_response()`, the full untruncated `tt_len` is then passed to `batadv_tt_tvlv_generate()` or used by `memcpy()` before the later packet-size check runs. A sufficiently large remote global TT can therefore make the function allocate a too-small buffer and overflow it while building a TT response.fixedout-of-bounds-writeCVSS 9.8v3.13+namespace_required
8CVE-2026-31670`rfkill_send_events()` allocates a fresh `struct rfkill_int_event` for every ADD/DEL/CHANGE notification and appends it to every open `/dev/rfkill` file's `data->events` list. There is no queue-length limit, backpressure, or memory accounting for these per-fd lists. A local process that can trigger rfkill state changes (for example via `rfkill_fop_write()`/sysfs) can keep descriptors unread and fan out each state change across many open fds, causing unbounded kernel heap growth and eventual OOM.fixedresource-exhaustionCVSS 5.5v2.6.31-rc1+namespace_required
9CVE-2026-31673`unix_diag_get_exact()` only pins the socket and drops the hash-bucket lock before calling `sk_diag_fill()`. When `UDIAG_SHOW_VFS` is requested, `sk_diag_dump_vfs()` reads `unix_sk(sk)->path.dentry` without taking a path reference or state lock. A concurrent `unix_release_sock()` can clear `u->path` and `path_put()` the last dentry reference after lookup, so the diag path can dereference freed dentry/superblock memory and crash or leak stale data.fixeduse-after-freeCVSS 7.8v3.3-rc1+unprivileged
10CVE-2026-31674`struct ip6t_rt` stores routing addresses in a fixed `addrs[16]` array (`IP6T_RT_HOPS`), but `rt_mt6()` uses `rtinfo->addrnr` as loop bound and indexes `rtinfo->addrs[i]` / `rtinfo->addrs[temp]` without validating `addrnr` against 16. `rt_mt6_check()` does not enforce this bound. With a malformed rule and a suitably sized Routing Header packet, matching code reads past the end of `addrs`, causing out-of-bounds kernel reads and possible crash/info-leak behavior.fixedunknownCVSS 7.1v2.6.12-rc2+namespace_required
11CVE-2026-31675`netem_enqueue()` corrupts a random byte using `skb->data[get_random_u32_below(skb_headlen(skb))]`. There is no guard for `skb_headlen(skb) == 0`. In that case, `get_random_u32_below(0)` takes the variable-ceil path and returns an unconstrained 32-bit value, so the byte index is effectively unbounded. If a zero-linear-headlen skb reaches this corruption path, this becomes an out-of-bounds kernel write from qdisc context.fixedout-of-bounds-writeCVSS 7.8v6.2-rc1+namespace_required
12CVE-2026-31676`rxrpc_process_event()` accepts `RXRPC_PACKET_TYPE_RESPONSE` packets even after the connection is already in `RXRPC_CONN_SERVICE`. Each successful replay reruns `verify_response()` and `init_connection_security()`, while `rxrpc_get_server_data_key()` overwrites `conn->key` and `rxkad_init_connection_security()` overwrites `conn->rxkad.cipher` without releasing the previous objects. A peer that can replay a valid RESPONSE can drive unbounded kernel memory growth.fixedmemory-leakCVSS 7.5v2.6.22-rc1+unprivileged
13CVE-2026-31677`af_alg_get_rsgl()` is meant to honor `ctx->rcvused`/`sk_rcvbuf` accounting, but it only checks `af_alg_readable(sk)` as a boolean gate before each iteration. Once that check passes, it sets `seglen = min(maxsize - len, msg_data_left(msg))` without capping it to the remaining `af_alg_rcvbuf(sk)`, then lets `extract_iter_to_sg()` pin up to `ALG_MAX_PAGES` pages and only afterward increments `ctx->rcvused`. When only one page of receive budget remains, a single iteration can still pin roughly 64 KiB of pages, bypassing the intended per-socket memory limit and allowing unprivileged users to over-pin memory and drive local resource-exhaustion DoS with many sockets/requests.fixedunknownCVSS 5.5v4.14-rc1+unprivileged
14CVE-2026-31678`ovs_netdev_tunnel_destroy()` can run in a path where the vport was already detached by NETDEV_UNREGISTER handling, so it skips `ovs_netdev_detach_dev()` (and its `synchronize_net()` grace period). It then does `netdev_put(vport->dev)` and `vport->dev = NULL` immediately after RCU hash removal in `ovs_dp_detach_port()`. Concurrent RCU readers that already obtained this vport (for example datapath output paths dereferencing `vport->dev`) can hit stale/null `vport->dev`, creating a race that can lead to use-after-free/null-deref during packet processing.fixeduse-after-freeCVSS 7.8v4.3+namespace_required
15CVE-2026-31679`validate_set()` accepts `OVS_KEY_ATTR_MPLS` as variable-length (via `ovs_key_lens[OVS_KEY_ATTR_MPLS] = OVS_ATTR_VARIABLE`) and does not enforce a minimum payload for SET/SET_MASKED actions. A crafted MPLS set action with too-short payload can pass validation, but `execute_masked_set_action()` always calls `set_mpls()` with `__be32` key/mask pointers. `set_mpls()` dereferences 32-bit key/mask values unconditionally, so short payloads cause out-of-bounds reads from adjacent action memory.fixedout-of-bounds-readCVSS 7.1v5.5+namespace_required
16CVE-2026-31680`/proc/net/ip6_flowlabel` walks the flowlabel hash table under RCU and `ip6fl_seq_show()` prints `fl->opt ? fl->opt->opt_nflen : 0` without taking `ip6_fl_lock` or any extra reference on `fl->opt`. But `fl_release()` frees `fl->opt` immediately for `IPV6_FL_S_EXCL` labels when the last user drops the refcount to zero, while the surrounding `struct ip6_flowlabel` remains RCU-visible in the hash until later GC. A proc reader can therefore race the release path and dereference freed option memory.fixeduse-after-freeCVSS 7.8v3.9+unprivileged
17CVE-2026-31681`ports_match_v1()` treats any entry with `pflags[i] != 0` as a range and unconditionally fetches the end port with `minfo->ports[++i]`. `multiport_mt_check()` only validates `count <= XT_MULTI_PORTS`, so if the last logical slot is marked as a range endpoint, the code reads one element past `ports[]` and consumes adjacent struct bytes as the range end.fixedout-of-bounds-readCVSS 5.5v2.6.11+namespace_required
18CVE-2026-31682`br_is_nd_neigh_msg()` fetches only `sizeof(struct nd_msg)` via `skb_header_pointer()` (24 bytes, no options), but `br_nd_send()` later walks `ns->opt[]` using `request->len` and direct indexing/pointer arithmetic. For non-linear packets (or when only the fixed ND header was copied), this option walk can read past the copied buffer / linear area without additional pulls or safe accessors, resulting in out-of-bounds read of kernel memory.fixedout-of-bounds-readCVSS 9.1v4.15-rc1+namespace_required
19CVE-2026-31683`batadv_iv_ogm_aggregate_new()` sizes the skb based on `aggregated_ogms` at allocation time (exact `packet_len` when disabled), but `batadv_iv_ogm_queue_add()` decides whether to aggregate using the current atomic `aggregated_ogms` value, which can be changed at runtime via netlink. After toggling aggregation on, queued packets that were allocated without spare tailroom can still be selected for aggregation, and `batadv_iv_ogm_aggregate()` blindly calls `skb_put_data()`. This can overrun skb bounds (triggering `skb_put` overflow panic/OOB write condition).fixedunknownCVSS 7.8v5.1-rc1+namespace_required
20CVE-2026-31684When walking stacked VLAN headers, `tcf_csum_act()` reads `((struct vlan_hdr *)skb->data)->h_vlan_encapsulated_proto` and then pulls `VLAN_HLEN` without first ensuring that the in-payload VLAN header is present and linear. A short or non-linear VLAN-tagged skb can therefore make the checksum action read past available header bytes and advance parsing based on invalid data.fixedout-of-bounds-readCVSS 5.5v5.1+namespace_required
21CVE-2026-31685`eui64_mt6()` only rejects an invalid or unset MAC header when `par->fragoff != 0`. For non-fragment packets, it still reaches `eth_hdr(skb)` and dereferences `h_proto`/`h_source` even if `skb_mac_header(skb)` does not describe a valid Ethernet header. A crafted skb on the matcher's `PRE_ROUTING`/`LOCAL_IN`/`FORWARD` hooks can therefore trigger out-of-bounds reads from skb headroom or unrelated memory.fixedout-of-bounds-readCVSS 9.4v2.6.12-rc2+namespace_required
22CVE-2026-43042`resize_platform_label_table()` updates `net->mpls.platform_labels` before publishing the new `net->mpls.platform_label` pointer. Concurrent RX path code (`mpls_forward()` -> `mpls_route_input_rcu()`) is lockless (RCU-only) and first checks `index < platform_labels`, then dereferences `platform_label[index]`. During resize, readers can observe mismatched `(platform_labels, platform_label)` and index the old/smaller (or NULL) table out of bounds, leading to OOB read / crash and potentially attacker-influenced pointer dereference via packet label index.fixedout-of-bounds-readCVSS 7.1v4.1-rc1+namespace_required
23CVE-2026-43088`pfkey_send_new_mapping()` constructs `SADB_X_NAT_T_NEW_MAPPING` messages with `sadb_address` payload size based on `pfkey_sockaddr_size()`. On IPv6 this reserves 32 bytes per sockaddr but only 28 bytes are initialized by `pfkey_sockaddr_fill()`, so uninitialized tail bytes are exposed in outbound PF_KEY notifications.fixedmemory-leakCVSS 5.5v2.6.12-rc2+namespace_required
24CVE-2026-43499`rt_mutex_start_proxy_lock()` can operate on a proxy `task` that is different from `current` (e.g., futex requeue path). On non-zero return it calls `remove_waiter()`, but `remove_waiter()` clears `current->pi_blocked_on` instead of the proxy waiter's task (`waiter->task->pi_blocked_on`). When the proxy waiter had been enqueued via `task_blocks_on_rt_mutex()`, this leaves the target task's `pi_blocked_on` stale and still pointing at the waiter object. That waiter is tied to futex waiter lifetime (often stack-backed in the waiting syscall path), so after it goes away the stale `pi_blocked_on` can be dereferenced by PI/rtmutex paths, leading to use-after-free and potential memory corruption.fixeduse-after-freeCVSS 7.8v2.6.39+unprivileged
25CVE-2026-43501In `ipv6_rpl_srh_rcv()` (type-3 RPL routing header handling), the code recompresses the SRH into `chdr` and then does `skb_push(skb, ((chdr->hdrlen + 1) << 3) + sizeof(struct ipv6hdr))`. Headroom expansion via `pskb_expand_head()` is only done when `hdr->segments_left` becomes 0. For non-zero `segments_left`, attacker-controlled RPL-SRH fields (`cmpri/cmpre/pad/segment data`) can produce a recompressed header larger than the removed one, so the push can exceed available headroom. The following `memmove()`/`memcpy()` then write before `skb->head`, causing an out-of-bounds write (memory corruption).fixedout-of-bounds-writeCVSS 9.8pendingnamespace_required
26CVE-2026-43502`rds_message_zcopy_from_user()` pins user pages and stores `rm->data.op_mmp_znotifier` before the message is attached to a socket. If `rds_sendmsg()` later fails before `rds_send_queue_rm()` sets `rm->m_rs`, `rds_message_put()` reaches `rds_message_purge()` with `rm->m_rs == NULL`. The purge path only treats the message as zerocopy when `rm->m_rs` is set, so it skips `mm_unaccount_pinned_pages()` and releases each pinned user page with `__free_page()` instead of `put_page()`. Any post-copy send error therefore turns user memory pins into invalid frees / memory corruption and leaks the mmpin accounting state.fixedinvalid-freeCVSS 7.8v4.17-rc1+unprivileged
27CVE-2026-46027When a received CLC DECLINE has `SMC_FIRST_CONTACT_MASK` set, `smc_clc_wait_msg()` unconditionally writes `smc->conn.lgr->sync_err` and calls `smc_lgr_terminate_sched(smc->conn.lgr)`. Both connect-side and listen-side callers invoke `smc_clc_wait_msg()` before `smc_conn_create()` has installed a link group, so a peer can send a first-contact decline and trigger a NULL-pointer dereference.fixednull-dereferenceCVSS 7.5v5.16+namespace_required
28CVE-2026-46028`_aead_recvmsg()` binds each AEAD request to the socket-wide IV buffer with `aead_request_set_crypt(..., ctx->iv)`. In the async path, the request can still be executing after `recvmsg()` returns `-EIOCBQUEUED`, but the same socket remains writable and a later `aead_sendmsg()` can overwrite `ctx->iv` from a new `ALG_SET_IV` control message. That creates a TOCTOU race on in-flight AEAD state. The race is security-relevant because some AEAD implementations re-read or reinterpret `req->iv` after submission or during completion; with AF_ALG AIO this can corrupt the request state and propagate into downstream memory-safety faults in affected algorithms.fixedunknownCVSS 5.5v4.7-rc1+unprivileged
Legend

Status

  • fixed Fix merged to mainline
  • fixing Patch submitted and under review
  • backlog Not yet submitted or lower priority

Trigger

  • unprivileged Reachable from unprivileged user or network
  • namespace_required Requires unprivileged user namespace support
  • root Requires elevated privileges to trigger

Score

  • 9.0-10 Critical
  • 7.0-8.9 High
  • 4.0-6.9 Medium