Total CVEs: 141,249
Critical Severity: 3,795
High Severity: 13,708
Last 7 Days: 2,217
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 2,721 - 2,740 of 3,131 CVEs

In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: ptrace: Fix SVE writes on !SME systems When SVE is supported but SME is not supported, a ptrace write to the NT_ARM_SVE regset can place the tracee into an invalid state where (non-streaming) SVE register data is sto...

Vendor: Linux
Product: Linux
Published: Feb 14, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Currently this is checked before running the pending work. Normally this is quite fine, as work items either end up blocking (which will create a new worker for other items...

Vendor: Linux
Product: Linux
Published: Feb 14, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requir...

Vendor: Linux
Product: Linux
Published: Feb 14, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_it...

Vendor: Linux
Product: Linux
Published: Feb 13, 2026
Source: NVD

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to wha...

Vendor: Linux
Product: Linux
Published: Feb 13, 2026
Source: NVD

emp3r0r is a stealth-focused C2 designed by Linux users for Linux environments. Prior to 3.21.1, untrusted agent metadata (Transport, Hostname) is accepted during check-in and later interpolated into tmux shell command strings executed via /bin/sh -c. This enables command injection and remote code e...

Vendor: jm33-m0
Product: emp3r0r
Published: Feb 12, 2026
Source: NVD
CVE-2026-25828 MEDIUM - 5.4

grub-btrfs through 2026-01-31 (on Arch Linux and derivative distributions) allows initramfs OS command injection because it does not sanitize the $root parameter to resolve_device().

Published: Feb 12, 2026
Source: NVD

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Th...

Vendor: inspektor-gadget
Product: inspektor-gadget
Published: Feb 12, 2026
Source: NVD
CVE-2026-23856 HIGH - 7.8

Dell iDRAC Service Module (iSM) for Windows, versions prior to 6.0.3.1, and Dell iDRAC Service Module (iSM) for Linux, versions prior to 5.4.1.1, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Ele...

Vendor: Dell
Product: iDRAC Service Module, iDRAC Service Module for Linux
Published: Feb 12, 2026
Source: NVD
CVE-2026-26158 HIGH - 7.0

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to priv...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 6
Published: Feb 11, 2026
Source: NVD
CVE-2026-26157 HIGH - 7.0

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially e...

Vendor: Red Hat
Product: Red Hat Enterprise Linux 6
Published: Feb 11, 2026
Source: NVD
CVE-2026-2303 MEDIUM - 6.5

The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guara...

Published: Feb 10, 2026
Source: NVD
CVE-2026-21537 HIGH - 8.8

Improper control of generation of code ('code injection') in Microsoft Defender for Linux allows an unauthorized attacker to execute code over an adjacent network.

Vendor: microsoft
Product: defender_for_endpoint
Published: Feb 10, 2026
Source: NVD
CVE-2026-21242 HIGH - 7.0

Use after free in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally.

Vendor: microsoft
Product: windows_10_21h2
Published: Feb 10, 2026
Source: NVD
CVE-2026-21237 HIGH - 7.0

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally.

Vendor: microsoft
Product: windows_10_21h2
Published: Feb 10, 2026
Source: NVD
CVE-2025-14831 MEDIUM - 5.3

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat OpenShift Container Platform 4
Published: Feb 09, 2026
Source: NVD

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission (which is ...

Vendor: asterisk
Product: asterisk
Published: Feb 06, 2026
Source: NVD
CVE-2019-25299 HIGH - 7.1

RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCustomer' parameter that allows attackers to manipulate database queries through crafted POST requests. Attackers can exploit time-based and boolean-based blind SQL injection techniques to extract information or p...

Vendor: rimbalinux
Product: AhadPOS
Published: Feb 06, 2026
Source: NVD

Moxa Arm-based industrial computers running Moxa Industrial Linux Secure use a device-unique bootloader password provided on the device. An attacker with physical access to the device could use this information to access the bootloader menu via a serial interface. Access to the bootloader menu does...

Published: Feb 05, 2026
Source: NVD

A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching...

Published: Feb 05, 2026
Source: NVD