6.5
CVE-2026-42474 - SQL Injection in MixPHP BuildHelper Data Function
SQL injection vulnerability in MixPHP Framework 2.x through 2.2.17 via crafted `data` array to the data function in BuildHelper.php.
8.4
CVE-2026-37552 - Unsafe Deserialization in MixPHP Framework 2.x Allows Arbitrary Code Execution via TCP
Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists o…
7.8
CVE-2026-31780 - wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation The variable valuesize is declared as u8 but accumulates the total length of all SSIDs to scan. Each SSID contributes up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1…
8.1
CVE-2026-31771 - Bluetooth: hci_event: move wake reason storage into validated event handlers
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: move wake reason storage into validated event handlers hci_store_wake_reason() is called from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() enforces the per-…
7.8
CVE-2026-31769 - gpib: fix use-after-free in IO ioctl handlers
In the Linux kernel, the following vulnerability has been resolved: gpib: fix use-after-free in IO ioctl handlers The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor pointer after board->big_gpib_mutex has been released. A concurrent IBCLOSEDEV ioctl can free the descriptor v…
7.8
CVE-2026-31748 - comedi: me_daq: Fix potential overrun of firmware buffer
In the Linux kernel, the following vulnerability has been resolved: comedi: me_daq: Fix potential overrun of firmware buffer `me2600_xilinx_download()` loads the firmware that was requested by `request_firmware()`. It is possible for it to overrun the source buffer because it blindly trusts the …
5.5
CVE-2026-31737 - net: ftgmac100: fix ring allocation unwind on open failure
In the Linux kernel, the following vulnerability has been resolved: net: ftgmac100: fix ring allocation unwind on open failure ftgmac100_alloc_rings() allocates rx_skbs, tx_skbs, rxdes, txdes, and rx_scratch in stages. On intermediate failures it returned -ENOMEM directly, leaking resources alloc…
9.8
CVE-2026-31718 - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for late…
8.3
CVE-2026-31712 - ksmbd: require minimum ACE size in smb_check_perm_dacl()
In the Linux kernel, the following vulnerability has been resolved: ksmbd: require minimum ACE size in smb_check_perm_dacl() Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared `ace->size` is smaller than the struct it…
7.8
CVE-2026-31694 - fuse: reject oversized dirents in page cache
In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only check…