● Live advisory feed
Security Advisory Fusion for CSIRTs, SOCs & Defenders
Security advisories from 24 sources — CISA, CERT-EU, NCSC-UK, BSI, CERT-FR, NCSC-NL, JPCERT/CC, JVN, HKCERT, the Canadian Cyber Centre, NVD, GitHub, Microsoft, Cisco, Fortinet, Palo Alto Networks and more — normalized, translated to English and flagged against the CISA KEV catalog. One global feed for CSIRTs, SOCs and defenders.
CVE-2026-52962: ceph: fix a buffer leak in __ceph_setxattr()
CVE-2026-52935: xfrm: espintcp: do not reuse an in-progress partial send
CVE-2026-52985: netdevsim: zero initialize struct iphdr in dummy sk_buff
CVE-2026-53184: udp: clear skb->dev before running a sockmap verdict
CVE-2026-53070: sctp: disable BH before calling udp_tunnel_xmit_skb()
CVE-2026-52944: ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
CVE-2026-53156: nvmem: core: fix use-after-free bugs in error paths
CVE-2026-12030: Chromium: CVE-2026-12031 Inappropriate implementation Views
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
CVE-2026-53252: Bluetooth: fix memory leak in error path of hci_alloc_dev()
CVE-2026-53320: nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
CVE-2026-53296: mailbox: mailbox-test: free channels on probe error
CVE-2026-53292: net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind
CVE-2026-53284: btrfs: only release the dirty pages io tree after successful writes
CVE-2026-53309: ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
CVE-2026-53304: scsi: sg: Resolve soft lockup issue when opening /dev/sgX
CVE-2025-15661: libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c
CVE-2026-53306: tty: hvc_iucv: fix off-by-one in number of supported devices
CVE-2026-53018: f2fs: avoid reading already updated pages during GC
CVE-2026-53297: net: mana: Guard mana_remove against double invocation
CVE-2026-53107: wifi: libertas: don't kill URBs in interrupt context
CVE-2026-53294: mailbox: mailbox-test: don't free the reused channel
CVE-2026-53289: ice: fix NULL pointer dereference in ice_reset_all_vfs()
CVE-2026-53287: audit: fix incorrect inheritable capability in CAPSET records
CVE-2026-47241: Net::IMAP: Denial of Service via incomplete raw argument validation
CVE-2026-53314: padata: Put CPU offline callback in ONLINE section to allow failure
CVE-2026-44889: WebOb: Location header normalization during redirect leads to open redirect
CVE-2026-53295: mailbox: add sanity check for channel array
CVE-2026-53181: vsock/vmci: fix sk_ack_backlog leak on failed handshake
CVE-2026-53655: node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
CVE-2026-52909: ip6_vti: set netns_immutable on the fallback device.
CVE-2026-58055: nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length
CVE-2026-11647: Chromium: CVE-2026-11647 Use after free in Printing
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
CVE-2026-54371: attr < 2.6.0 Symlink Traversal Privilege Escalation via getfattr/setfattr
CVE-2026-41992: Global Buffer Overflow in GNU gzip
CVE-2026-11979: Stack-Based Buffer Overflow in libxml2
CVE-2026-53149: thunderbolt: Bound root directory content to block size
CVE-2026-57231: Podman: Malformed Image can trick podman run into leaking host environment variables into the container
CVE-2026-11703: Missing SNI/ALPN binding on stateful (session-ID) TLS session resumption
CVE-2026-55967: AES-GCM streaming APIs do not reject >64 GiB cumulative single messages, enabling counter wrap and keystream reuse
CVE-2026-53150: thunderbolt: Reject zero-length property entries in validator
CVE-2026-11999: X.509 trust-chain bypass via path-depth exhaustion in wolfSSL_X509_verify_cert()
CVE-2026-7511: PKCS7_verify signer confusion allows forged signatures to be accepted
CVE-2026-6091: Partial-chain verification accepts untrusted intermediate as trust anchor
CVE-2026-12340: Out-of-bounds heap read in SM2/SM3 certificate Subject Key Identifier computation
CVE-2026-6092: Encrypt-then-MAC could fall back to MAC-then-Encrypt when HAVE_ENCRYPT_THEN_MAC is configured
CVE-2026-6412: Continued acceptance of SHA-1/MD5 digests in certificate processing
CVE-2026-7531: Use-after-free in PQC hybrid key-share handling
CVE-2026-12028: Chromium: CVE-2026-12028 Use after free GPU
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.