Linux Kernel: 25 CVEs Land in a Single Day, Spanning Bluetooth to Memory Management

Key findings

• 25 CVEs disclosed in a single batch on June 26, 2026
• Bluetooth RFCOMM and BNEP bugs allow remote out-of-bounds reads
• Netfilter nft_fib leak can expose kernel stack data to userspace
• XSK TX metadata TOCTOU race lets userspace corrupt checksum state
• dm-cache, USB serial, and Thunderbolt drivers have memory safety flaws
• No in-the-wild exploitation reported; all fixes in latest stable kernels

On June 26, 2026, the Linux kernel community released a batch of 25 security fixes addressing memory safety issues, use-after-free bugs, buffer overflows, and data leaks across the kernel's networking, Bluetooth, memory management, GPU drivers, and storage subsystems. The breadth of the batch underscores the ongoing challenge of hardening a codebase that powers everything from embedded devices to cloud servers.

Networking and Bluetooth

Several of the most serious flaws reside in the networking stack. CVE-2026-53254 and CVE-2026-53253 affect the Bluetooth RFCOMM and BNEP protocol handlers respectively. The RFCOMM vulnerability allows a malicious remote device to send truncated MCC frames, triggering out-of-bounds reads, while the BNEP issue lets a peer send short SDUs that can lead to out-of-bounds access. CVE-2026-53239 is a use-after-free in the XFRM (IPsec) policy subsystem, where a race condition in xfrm_policy_bysel_ctx() can be exploited to access freed memory. CVE-2026-53223 addresses a flaw in the timestamp CMSG handling for AF_PACKET sockets, where skb_is_err_queue() misidentifies outgoing packet taps as error-queue skbs, potentially leaking sensitive data. CVE-2026-53250 fixes a TOCTOU (time-of-check/time-of-use) race in the XSK (AF_XDP) TX metadata path, where userspace can concurrently modify csum_start and csum_offset values in the shared UMEM buffer. CVE-2026-53157 corrects a use-after-free in the Phonet network layer where phonet_device_destroy() frees a device before RCU readers have finished with it. CVE-2026-53216 limits the XDP frame size in the Marvell PP2 (mvpp2) driver to the actual RX buffer size, preventing out-of-bounds reads. CVE-2026-53132 addresses an unbounded skb queue in virtio-vsock that could lead to memory exhaustion.

Netfilter

Two netfilter bugs were fixed. CVE-2026-53134 involves a stale stack leak in nft_fib where the OIFNAME register is not properly cleared on lookup-fail paths, potentially leaking kernel stack data to userspace. CVE-2026-53218 fixes register tracking for the F_PRESENT flag in nft_exthdr, where the register bitmap marks more bytes as initialized than actually written, which could lead to information disclosure.

GPU Drivers

Three fixes target the AMD display driver. CVE-2026-53137 clamps the HDMI HDCP 2.x rx_id_list read to the actual buffer size, preventing an out-of-bounds read when a sink reports a message size larger than the allocated buffer. CVE-2026-53136 similarly clamps VBIOS HDMI retimer register counts to the array size, preventing out-of-bounds writes when copying retimer I2C register settings. CVE-2026-53140 fixes a virtual address leak in the Broadcom V3D GPU driver when indirect compute shader dispatch has zeroed workgroup counts.

Memory Management

Three memory management bugs were patched. CVE-2026-53153 fixes a race in memcg_reparent_list_lrus() where the xarray entry is cleared before per-node lists are reparented, allowing a concurrent list_lru walk to access freed memory. CVE-2026-53154 restores the hugetlb reservation on error in the folio copy paths, preventing a resource leak. CVE-2026-53155 corrects the flags used for device-private PMD entries in huge_memory, fixing a regression introduced in an earlier commit.

Storage and Other Subsystems

CVE-2026-53265 fixes a missing lock in the dm-cache SMQ policy's allocation check, which could lead to a data race. CVE-2026-53152 adds missing private data initialization for very old Rockchip MMC controllers (rk2928, rk3066, rk3188) that lack UHS support, preventing a NULL pointer dereference. CVE-2026-53195 is a heap overflow in the USB serial io_ti driver's firmware header builder, where an unvalidated length field can overflow a fixed-size buffer. CVE-2026-53177 fixes a NULL pointer dereference in the Broadcom bnxt_en driver when PCIe error recovery runs on administratively down devices. CVE-2026-53146 limits XDomain response copies in the Thunderbolt driver to the actual frame size, preventing out-of-bounds reads. CVE-2026-53170 rejects DMA commands with uninitialized length in the Arm Ethos-U NPU accelerator driver, preventing undefined behavior. CVE-2026-53210 fixes a shared memory leak in the TEE subsystem when iov_iter_npages() returns zero. CVE-2026-53231 prevents a deadlock in the PHY layer when trying to set up PHY-driven SFP cages with the generic PHY driver. CVE-2026-53163 fixes a NULL pointer dereference in the rtmutex code triggered via FUTEX_CMP_REQUEUE_PI.

Patch Status

All 25 CVEs are fixed in the latest Linux kernel stable releases. Users and distributors should update to the most recent kernel version for their distribution. No in-the-wild exploitation has been reported for any of these CVEs at the time of disclosure.

Why This Batch Matters

This batch is a reminder of the kernel's enormous attack surface. The fixes span Bluetooth, Wi-Fi, Ethernet, GPU, storage, memory management, and virtualization — reflecting the reality that a single kernel powers everything from phones to servers. While none of these bugs carry a critical CVSS score individually, many are remotely triggerable (Bluetooth, netfilter, XFRM) and could be chained in local privilege escalation exploits. System administrators should prioritize patching, especially for systems exposed to untrusted network or Bluetooth peers.