Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026
Twenty-five vulnerabilities affecting the Linux kernel were disclosed on June 8, 2026, spanning various subsystems including graphics, media, networking, and storage.

Key findings
- 25 Linux kernel vulnerabilities disclosed simultaneously on June 8, 2026.
- Vulnerabilities span multiple subsystems including graphics, media, networking, and storage.
- Issues include infinite loops, NULL pointer dereferences, buffer overflows, and use-after-free errors.
- Specific drivers and components affected include v3d, intel/ipu6, ath5k, nvmet, and dm.
- Fixes are expected in upcoming kernel releases; prompt patching is advised.

On June 8, 2026, a batch of 25 vulnerabilities affecting the Linux kernel was disclosed simultaneously. They touch a wide array of kernel subsystems, including graphics (DRM, v3d), media (intel/ipu6, vsp1), networking (ath5k, flow_dissector, libwx), and storage (nvmet, isofs, dm).
The disclosures cover a diverse set of issues, ranging from potential infinite loops and NULL pointer dereferences to buffer overflows and use-after-free errors. For instance, CVE-2026-46314 in the drm/v3d driver is an infinite loop caused by processing unbounded extension lists. Similarly, CVE-2026-46313 in the media: intel/ipu6 driver and CVE-2026-46305 in staging: rtl8723bs involve NULL pointer dereferences that could lead to system instability or crashes.
Several vulnerabilities relate to memory management and data handling. CVE-2026-46308 in pmdomain: mediatek describes a use-after-free error, while the fix for CVE-2026-46312 in media: videobuf2 aims to prevent issues by setting VMA flags correctly. The dm subsystem is affected by CVE-2026-46294, a buffer overflow in ioctl processing, and isofs has CVE-2026-46303, whose fix validates Rock Ridge CE continuation extents against the volume size to prevent out-of-bounds reads.
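The kind of check named for CVE-2026-46303, as a user-space C example added here (it is not the kernel patch and not code from the original disclosure). The 28-byte CE entry layout follows the SUSP specification; `ce_parse_checked`, `ce_build`, the sample values, and the rule that the continuation area must fit inside one logical block are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CE_LEN 28 /* SUSP "CE": sig(2) len(1) ver(1) + 3 both-endian u32 fields */
struct ce_extent { uint32_t block, offset, size; };

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Build a constructed CE entry for the demo (not taken from a real image). */
void ce_build(uint8_t e[CE_LEN], uint32_t block, uint32_t offset, uint32_t size) {
    uint32_t v[3] = { block, offset, size };
    e[0] = 'C'; e[1] = 'E'; e[2] = CE_LEN; e[3] = 1;
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++) {
            e[4 + 8 * i + b] = (uint8_t)(v[i] >> (8 * b));       /* LE copy */
            e[8 + 8 * i + b] = (uint8_t)(v[i] >> (8 * (3 - b))); /* BE copy */
        }
}

/* Return 0 and fill *out if accepted, -1 if the entry must be rejected. */
int ce_parse_checked(const uint8_t *e, size_t avail, uint32_t block_size,
                     uint32_t volume_blocks, struct ce_extent *out) {
    uint32_t v[3]; /* block, offset, size */
    if (avail < CE_LEN || e[0] != 'C' || e[1] != 'E' || e[2] != CE_LEN || e[3] != 1)
        return -1;
    for (int i = 0; i < 3; i++) {
        v[i] = le32(e + 4 + 8 * i);
        if (v[i] != be32(e + 8 + 8 * i))
            return -1; /* the two byte-order copies disagree */
    }
    /* Extent must start inside the volume; 64-bit sum avoids wraparound. */
    if (v[0] >= volume_blocks || (uint64_t)v[1] + v[2] > block_size)
        return -1;
    out->block = v[0]; out->offset = v[1]; out->size = v[2];
    return 0;
}

int main(void) {
    uint8_t e[CE_LEN];
    struct ce_extent x;
    ce_build(e, 5000, 0, 237); /* constructed: block 5000 on a 1000-block volume */
    printf("verdict: %d\n", ce_parse_checked(e, sizeof e, 2048, 1000, &x));
}
```

The bound on the block number is the comparison against volume size; the offset and size bound is the separate assumption that a reader fetches one block per continuation.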
Networking components are also impacted. CVE-2026-46309 in flow_dissector concerns potential issues with PPPoE PFC frames, and the fix for CVE-2026-46304 in nvmet aims to prevent recursive flushes that could lead to issues during controller freeing. The fix for CVE-2026-46307 in the wifi: ath5k driver prevents an array index out-of-bounds access.
Security-sensitive areas like SELinux and crypto are not overlooked. The change for CVE-2026-46302 in selinux allows for multiple opens of the policy file, potentially resolving a previous limitation where a single open could block others. The fix for CVE-2026-46293 in crypto: caam guards HMAC key hex dumps to prevent runtime secrets from leaking when CONFIG_DYNAMIC_DEBUG is enabled.
Other vulnerabilities include race conditions (CVE-2026-46298), incorrect interrupt handling (CVE-2026-46297), and issues with fault handling after FPU softirq changes (CVE-2026-46290). The KVM subsystem has CVE-2026-46295, whose fix ensures correct IRR scanning in nested virtual machine scenarios.
This large, coordinated disclosure suggests a thorough review or audit of specific kernel components. Users of systems running the Linux kernel are advised to monitor for kernel updates that address these vulnerabilities. The fixes are expected to be integrated into upcoming kernel releases, and users should apply patches as soon as they become available to mitigate potential risks.
While no specific threat actor or in-the-wild exploitation was mentioned in the initial disclosures, the breadth of affected subsystems underscores the importance of timely patching. Maintaining an updated kernel is crucial for system security and stability, especially given the potential impact of these diverse vulnerabilities.