Vega vulnerability research · continuously updated
Buglist
Validated security findings across kernels, browsers, runtimes, and application software. Entries are disclosed when possible and redacted when details would create avoidable risk.
698
Linux kernel
9
Chrome
23
Other findings
90
Public CVEs
698 rows
| 1 | CVE-2026-23274 | `idletimer_tg_checkentry()` (revision 0 path) reuses existing timers by label without validating `timer_type`, and unconditionally calls `mod_timer(&info->timer->timer, ...)`. In `idletimer_tg_create_v1()`, when `timer_type` is `XT_IDLETIMER_ALARM`, only `alarm_init()` is done and `timer_setup()` is never called for `info->timer->timer`. This allows mixing a rev1 ALARM rule and a rev0 rule with the same label, causing rev0 code paths (`idletimer_tg_checkentry()`, `idletimer_tg_target()`, and potentially `idletimer_tg_destroy()`) to operate on an uninitialized `timer_list`, which can corrupt timer internals (memory corruption) and may be exploitable from CAP_NET_ADMIN context. | fixed | unknown | CVSS 7.8 | v5.6-rc5+ | namespace_required |
| 2 | CVE-2026-31418 | `mtype_del()` can shrink a bucket with `n->size == AHASH_INIT_SIZE` down to `tmp->size = 0` (`n->size - AHASH_INIT_SIZE`) while leaving an empty bucket object installed. Later, if the set is full and forceadd is enabled, `mtype_add()` takes the `reuse || forceadd` branch before the grow-path, forces `j = 0`, and computes `data = ahash_data(n, j, set->dsize)` even when `n->size == 0` and `n->pos == 0`. It then calls `ip_set_ext_destroy(set, data)` and eventually `memcpy(data, d, sizeof(struct mtype_elem))`, causing out-of-bounds heap access/write past the zero-element bucket allocation. | fixed | out-of-bounds-write | CVSS 5.5 | v5.6+ | namespace_required |
| 3 | CVE-2026-31634 | `rxrpc_server_keyring()` stores a newly looked-up keyring in `rx->securities` without releasing any previously stored reference. In the userspace path, `rxrpc_setsockopt()` for `RXRPC_SECURITY_KEYRING` checks `rx->key` but not `rx->securities`, so repeated setsockopt calls on an unbound RxRPC socket are permitted and overwrite `rx->securities` each time. Only the final pointer is dropped in socket teardown (`key_put(rx->securities)` once), leaking all prior key references and allowing local memory/resource exhaustion via repeated calls. | fixed | memory-leak | CVSS 5.5 | v2.6.22+ | unprivileged |
| 4 | CVE-2026-31637 | `rxkad_decrypt_ticket()` never checks the return value of `crypto_skcipher_decrypt()`. `rxkad_verify_response()` only constrains `ticket_len` to 4..1024, so a non-block-aligned ticket can make decryption fail while the function continues parsing attacker-controlled bytes as if they were a plaintext ticket and session key. An attacker can then craft the RESPONSE body around that chosen session key and bypass the server secret. | fixed | policy-bypass | CVSS 9.8 | v2.6.22-rc1+ | unprivileged |
| 5 | CVE-2026-31638 | `rxrpc_input_packet_on_conn()` can pass a NULL call pointer into `rxrpc_put_call()` on the client-directed error path. If `chan->call` is NULL (so `rxrpc_try_get_call()` returns NULL) and an incoming packet has `callNumber > chan->call_id` with `rxrpc_to_client(sp)` true, the function executes `rxrpc_put_call(call, ...)` unconditionally. In this tree, `rxrpc_put_call()` asserts `call != NULL` and BUGs; without assertions it still dereferences NULL. A malicious peer (or spoofed packet matching an existing client connection) can trigger a kernel crash (remote DoS). | fixed | unknown | CVSS 7.5 | v6.2-rc1+ | unprivileged |
| 6 | CVE-2026-31657 | `struct batadv_bla_claim` protects `backbone_gw` with `backbone_lock`, but `batadv_bla_claim_dump_entry()` and `batadv_bla_check_claim()` dereference `claim->backbone_gw` directly. A concurrent `batadv_bla_add_claim()` can swap the owner and drop the old backbone gateway's last reference, so these readers can lock and dereference a freed `struct batadv_bla_backbone_gw`. | fixed | use-after-free | CVSS 9.8 | v4.8+ | namespace_required |
| 7 | CVE-2026-31659 | `batadv_tt_prepare_tvlv_global_data()` stores the allocation size in `u16 tvlv_len` and truncates `*tt_len` before `kmalloc()`. In `batadv_send_other_tt_response()`, the full untruncated `tt_len` is then passed to `batadv_tt_tvlv_generate()` or used by `memcpy()` before the later packet-size check runs. A sufficiently large remote global TT can therefore make the function allocate a too-small buffer and overflow it while building a TT response. | fixed | out-of-bounds-write | CVSS 9.8 | v3.13+ | namespace_required |
| 8 | CVE-2026-31670 | `rfkill_send_events()` allocates a fresh `struct rfkill_int_event` for every ADD/DEL/CHANGE notification and appends it to every open `/dev/rfkill` file's `data->events` list. There is no queue-length limit, backpressure, or memory accounting for these per-fd lists. A local process that can trigger rfkill state changes (for example via `rfkill_fop_write()`/sysfs) can keep descriptors unread and fan out each state change across many open fds, causing unbounded kernel heap growth and eventual OOM. | fixed | resource-exhaustion | CVSS 5.5 | v2.6.31-rc1+ | namespace_required |
| 9 | CVE-2026-31673 | `unix_diag_get_exact()` only pins the socket and drops the hash-bucket lock before calling `sk_diag_fill()`. When `UDIAG_SHOW_VFS` is requested, `sk_diag_dump_vfs()` reads `unix_sk(sk)->path.dentry` without taking a path reference or state lock. A concurrent `unix_release_sock()` can clear `u->path` and `path_put()` the last dentry reference after lookup, so the diag path can dereference freed dentry/superblock memory and crash or leak stale data. | fixed | use-after-free | CVSS 7.8 | v3.3-rc1+ | unprivileged |
| 10 | CVE-2026-31674 | `struct ip6t_rt` stores routing addresses in a fixed `addrs[16]` array (`IP6T_RT_HOPS`), but `rt_mt6()` uses `rtinfo->addrnr` as loop bound and indexes `rtinfo->addrs[i]` / `rtinfo->addrs[temp]` without validating `addrnr` against 16. `rt_mt6_check()` does not enforce this bound. With a malformed rule and a suitably sized Routing Header packet, matching code reads past the end of `addrs`, causing out-of-bounds kernel reads and possible crash/info-leak behavior. | fixed | unknown | CVSS 7.1 | v2.6.12-rc2+ | namespace_required |
| 11 | CVE-2026-31675 | `netem_enqueue()` corrupts a random byte using `skb->data[get_random_u32_below(skb_headlen(skb))]`. There is no guard for `skb_headlen(skb) == 0`. In that case, `get_random_u32_below(0)` takes the variable-ceil path and returns an unconstrained 32-bit value, so the byte index is effectively unbounded. If a zero-linear-headlen skb reaches this corruption path, this becomes an out-of-bounds kernel write from qdisc context. | fixed | out-of-bounds-write | CVSS 7.8 | v6.2-rc1+ | namespace_required |
| 12 | CVE-2026-31676 | `rxrpc_process_event()` accepts `RXRPC_PACKET_TYPE_RESPONSE` packets even after the connection is already in `RXRPC_CONN_SERVICE`. Each successful replay reruns `verify_response()` and `init_connection_security()`, while `rxrpc_get_server_data_key()` overwrites `conn->key` and `rxkad_init_connection_security()` overwrites `conn->rxkad.cipher` without releasing the previous objects. A peer that can replay a valid RESPONSE can drive unbounded kernel memory growth. | fixed | memory-leak | CVSS 7.5 | v2.6.22-rc1+ | unprivileged |
| 13 | CVE-2026-31677 | `af_alg_get_rsgl()` is meant to honor `ctx->rcvused`/`sk_rcvbuf` accounting, but it only checks `af_alg_readable(sk)` as a boolean gate before each iteration. Once that check passes, it sets `seglen = min(maxsize - len, msg_data_left(msg))` without capping it to the remaining `af_alg_rcvbuf(sk)`, then lets `extract_iter_to_sg()` pin up to `ALG_MAX_PAGES` pages and only afterward increments `ctx->rcvused`. When only one page of receive budget remains, a single iteration can still pin roughly 64 KiB of pages, bypassing the intended per-socket memory limit and allowing unprivileged users to over-pin memory and drive local resource-exhaustion DoS with many sockets/requests. | fixed | unknown | CVSS 5.5 | v4.14-rc1+ | unprivileged |
| 14 | CVE-2026-31678 | `ovs_netdev_tunnel_destroy()` can run in a path where the vport was already detached by NETDEV_UNREGISTER handling, so it skips `ovs_netdev_detach_dev()` (and its `synchronize_net()` grace period). It then does `netdev_put(vport->dev)` and `vport->dev = NULL` immediately after RCU hash removal in `ovs_dp_detach_port()`. Concurrent RCU readers that already obtained this vport (for example datapath output paths dereferencing `vport->dev`) can hit stale/null `vport->dev`, creating a race that can lead to use-after-free/null-deref during packet processing. | fixed | use-after-free | CVSS 7.8 | v4.3+ | namespace_required |
| 15 | CVE-2026-31679 | `validate_set()` accepts `OVS_KEY_ATTR_MPLS` as variable-length (via `ovs_key_lens[OVS_KEY_ATTR_MPLS] = OVS_ATTR_VARIABLE`) and does not enforce a minimum payload for SET/SET_MASKED actions. A crafted MPLS set action with too-short payload can pass validation, but `execute_masked_set_action()` always calls `set_mpls()` with `__be32` key/mask pointers. `set_mpls()` dereferences 32-bit key/mask values unconditionally, so short payloads cause out-of-bounds reads from adjacent action memory. | fixed | out-of-bounds-read | CVSS 7.1 | v5.5+ | namespace_required |
| 16 | CVE-2026-31680 | `/proc/net/ip6_flowlabel` walks the flowlabel hash table under RCU and `ip6fl_seq_show()` prints `fl->opt ? fl->opt->opt_nflen : 0` without taking `ip6_fl_lock` or any extra reference on `fl->opt`. But `fl_release()` frees `fl->opt` immediately for `IPV6_FL_S_EXCL` labels when the last user drops the refcount to zero, while the surrounding `struct ip6_flowlabel` remains RCU-visible in the hash until later GC. A proc reader can therefore race the release path and dereference freed option memory. | fixed | use-after-free | CVSS 7.8 | v3.9+ | unprivileged |
| 17 | CVE-2026-31681 | `ports_match_v1()` treats any entry with `pflags[i] != 0` as a range and unconditionally fetches the end port with `minfo->ports[++i]`. `multiport_mt_check()` only validates `count <= XT_MULTI_PORTS`, so if the last logical slot is marked as a range endpoint, the code reads one element past `ports[]` and consumes adjacent struct bytes as the range end. | fixed | out-of-bounds-read | CVSS 5.5 | v2.6.11+ | namespace_required |
| 18 | CVE-2026-31682 | `br_is_nd_neigh_msg()` fetches only `sizeof(struct nd_msg)` via `skb_header_pointer()` (24 bytes, no options), but `br_nd_send()` later walks `ns->opt[]` using `request->len` and direct indexing/pointer arithmetic. For non-linear packets (or when only the fixed ND header was copied), this option walk can read past the copied buffer / linear area without additional pulls or safe accessors, resulting in out-of-bounds read of kernel memory. | fixed | out-of-bounds-read | CVSS 9.1 | v4.15-rc1+ | namespace_required |
| 19 | CVE-2026-31683 | `batadv_iv_ogm_aggregate_new()` sizes the skb based on `aggregated_ogms` at allocation time (exact `packet_len` when disabled), but `batadv_iv_ogm_queue_add()` decides whether to aggregate using the current atomic `aggregated_ogms` value, which can be changed at runtime via netlink. After toggling aggregation on, queued packets that were allocated without spare tailroom can still be selected for aggregation, and `batadv_iv_ogm_aggregate()` blindly calls `skb_put_data()`. This can overrun skb bounds (triggering `skb_put` overflow panic/OOB write condition). | fixed | unknown | CVSS 7.8 | v5.1-rc1+ | namespace_required |
| 20 | CVE-2026-31684 | When walking stacked VLAN headers, `tcf_csum_act()` reads `((struct vlan_hdr *)skb->data)->h_vlan_encapsulated_proto` and then pulls `VLAN_HLEN` without first ensuring that the in-payload VLAN header is present and linear. A short or non-linear VLAN-tagged skb can therefore make the checksum action read past available header bytes and advance parsing based on invalid data. | fixed | out-of-bounds-read | CVSS 5.5 | v5.1+ | namespace_required |
| 21 | CVE-2026-31685 | `eui64_mt6()` only rejects an invalid or unset MAC header when `par->fragoff != 0`. For non-fragment packets, it still reaches `eth_hdr(skb)` and dereferences `h_proto`/`h_source` even if `skb_mac_header(skb)` does not describe a valid Ethernet header. A crafted skb on the matcher's `PRE_ROUTING`/`LOCAL_IN`/`FORWARD` hooks can therefore trigger out-of-bounds reads from skb headroom or unrelated memory. | fixed | out-of-bounds-read | CVSS 9.4 | v2.6.12-rc2+ | namespace_required |
| 22 | CVE-2026-43042 | `resize_platform_label_table()` updates `net->mpls.platform_labels` before publishing the new `net->mpls.platform_label` pointer. Concurrent RX path code (`mpls_forward()` -> `mpls_route_input_rcu()`) is lockless (RCU-only) and first checks `index < platform_labels`, then dereferences `platform_label[index]`. During resize, readers can observe mismatched `(platform_labels, platform_label)` and index the old/smaller (or NULL) table out of bounds, leading to OOB read / crash and potentially attacker-influenced pointer dereference via packet label index. | fixed | out-of-bounds-read | CVSS 7.1 | v4.1-rc1+ | namespace_required |
| 23 | CVE-2026-43088 | `pfkey_send_new_mapping()` constructs `SADB_X_NAT_T_NEW_MAPPING` messages with `sadb_address` payload size based on `pfkey_sockaddr_size()`. On IPv6 this reserves 32 bytes per sockaddr but only 28 bytes are initialized by `pfkey_sockaddr_fill()`, so uninitialized tail bytes are exposed in outbound PF_KEY notifications. | fixed | memory-leak | CVSS 5.5 | v2.6.12-rc2+ | namespace_required |
| 24 | CVE-2026-43499 | `rt_mutex_start_proxy_lock()` can operate on a proxy `task` that is different from `current` (e.g., futex requeue path). On non-zero return it calls `remove_waiter()`, but `remove_waiter()` clears `current->pi_blocked_on` instead of the proxy waiter's task (`waiter->task->pi_blocked_on`). When the proxy waiter had been enqueued via `task_blocks_on_rt_mutex()`, this leaves the target task's `pi_blocked_on` stale and still pointing at the waiter object. That waiter is tied to futex waiter lifetime (often stack-backed in the waiting syscall path), so after it goes away the stale `pi_blocked_on` can be dereferenced by PI/rtmutex paths, leading to use-after-free and potential memory corruption. | fixed | use-after-free | CVSS 7.8 | v2.6.39+ | unprivileged |
| 25 | CVE-2026-43501 | In `ipv6_rpl_srh_rcv()` (type-3 RPL routing header handling), the code recompresses the SRH into `chdr` and then does `skb_push(skb, ((chdr->hdrlen + 1) << 3) + sizeof(struct ipv6hdr))`. Headroom expansion via `pskb_expand_head()` is only done when `hdr->segments_left` becomes 0. For non-zero `segments_left`, attacker-controlled RPL-SRH fields (`cmpri/cmpre/pad/segment data`) can produce a recompressed header larger than the removed one, so the push can exceed available headroom. The following `memmove()`/`memcpy()` then write before `skb->head`, causing an out-of-bounds write (memory corruption). | fixed | out-of-bounds-write | CVSS 9.8 | pending | namespace_required |
| 26 | CVE-2026-43502 | `rds_message_zcopy_from_user()` pins user pages and stores `rm->data.op_mmp_znotifier` before the message is attached to a socket. If `rds_sendmsg()` later fails before `rds_send_queue_rm()` sets `rm->m_rs`, `rds_message_put()` reaches `rds_message_purge()` with `rm->m_rs == NULL`. The purge path only treats the message as zerocopy when `rm->m_rs` is set, so it skips `mm_unaccount_pinned_pages()` and releases each pinned user page with `__free_page()` instead of `put_page()`. Any post-copy send error therefore turns user memory pins into invalid frees / memory corruption and leaks the mmpin accounting state. | fixed | invalid-free | CVSS 7.8 | v4.17-rc1+ | unprivileged |
| 27 | CVE-2026-46027 | When a received CLC DECLINE has `SMC_FIRST_CONTACT_MASK` set, `smc_clc_wait_msg()` unconditionally writes `smc->conn.lgr->sync_err` and calls `smc_lgr_terminate_sched(smc->conn.lgr)`. Both connect-side and listen-side callers invoke `smc_clc_wait_msg()` before `smc_conn_create()` has installed a link group, so a peer can send a first-contact decline and trigger a NULL-pointer dereference. | fixed | null-dereference | CVSS 7.5 | v5.16+ | namespace_required |
| 28 | CVE-2026-46028 | `_aead_recvmsg()` binds each AEAD request to the socket-wide IV buffer with `aead_request_set_crypt(..., ctx->iv)`. In the async path, the request can still be executing after `recvmsg()` returns `-EIOCBQUEUED`, but the same socket remains writable and a later `aead_sendmsg()` can overwrite `ctx->iv` from a new `ALG_SET_IV` control message. That creates a TOCTOU race on in-flight AEAD state. The race is security-relevant because some AEAD implementations re-read or reinterpret `req->iv` after submission or during completion; with AF_ALG AIO this can corrupt the request state and propagate into downstream memory-safety faults in affected algorithms. | fixed | unknown | CVSS 5.5 | v4.7-rc1+ | unprivileged |
Legend
Status
- fixed Fix merged to mainline
- fixing Patch submitted and under review
- backlog Not yet submitted or lower priority
Trigger
- unprivileged Reachable from unprivileged user or network
- namespace_required Requires unprivileged user namespace support
- root Requires elevated privileges to trigger
Score
- 9.0-10 Critical
- 7.0-8.9 High
- 4.0-6.9 Medium