MontaVista CVE List and Response

MontaVista continually monitors the security community and customers for threats. We follow the community on CVE scoring (NVD) and set fix priority accordingly for affected products. Please view the following CVEs that have been remediated or are in process by clicking the CVE Year to the left or use the CVE Filters below.

For inquiries regarding Security Vulnerabilities, please see our Vulnerability Response Policy or email our PSIRT team security@mvista.com. Email messages and attachments can be encrypted using PGP and a MontaVista PSIRT PGP key, which is available for download here.

Year
Product
Score
Severity
Status
CVE
CVE Score Severity Package Description Published
CVE-2026-35334
7.5 (i)
HIGHstrongswan ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. 2026-07-06
CVE-2026-53309
9.8 (i)
CRITICALkernel In the Linux kernel, the following vulnerability has been resolved:ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparisonThe local-vs-remote region comparison loop uses '<=' instead of '<',causing it to read one entry past the valid range of qr_regions. Theother loops in the same function correctly use '<'.Fix the loop condition to use '<' for consistency and correctness. 2026-06-26
CVE-2026-48930
5.3 (i)
MEDIUMnode.js A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings.This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. 2026-06-26
CVE-2026-53247
5.5 (i)
MEDIUMkernel In the Linux kernel, the following vulnerability has been resolved:net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardownmtk_free_dev() calls metadata_dst_free() which frees the metadata_dstwith kfree() immediately, bypassing the RCU grace period.In the RX path, skb_dst_set_noref() sets a non-refcounted pointer fromthe skb to the metadata_dst. This function requires RCU read-sideprotection and the dst must remain valid until all RCU readers complete.Since metadata_dst_free() calls kfree() directly, a use-after-free canoccur if any skb still holds a noref pointer to the dst when the drivertears it down.Replace metadata_dst_free() with dst_release() which properly goesthrough the refcount path: when the refcount drops to zero, it schedulesthe actual free via call_rcu_hurry(), ensuring all RCU readers havecompleted before the memory is freed. 2026-06-25
CVE-2026-53216
6.7 (i)
MEDIUMkernel In the Linux kernel, the following vulnerability has been resolved:net: mvpp2: limit XDP frame size to the RX buffermvpp2 has short and long BM pools, and short pool buffers can be smallerthan PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff withPAGE_SIZE as frame size.XDP helpers use frame_sz to validate tail growth and to derive the hardend of the data area. Advertising PAGE_SIZE for short buffers can letbpf_xdp_adjust_tail() grow a packet past the real allocation, corruptingmemory or later tripping skb tailroom checks.Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matchesthe actual buffer backing the packet. 2026-06-25
CVE-2026-53215
5.5 (i)
MEDIUMkernel In the Linux kernel, the following vulnerability has been resolved:net: mvpp2: refill RX buffers before XDP or skb useThe RX error path returns the current descriptor buffer to the hardwareBM pool. That is only valid while the driver still owns the buffer.mvpp2_rx_refill() can fail after the current buffer has been handed toXDP or attached to an skb. In those cases mvpp2_run_xdp() may haverecycled, redirected, or queued the page for XDP_TX, and an skb free alsoretires the data buffer. Returning such a buffer to BM lets hardware DMAinto memory that is no longer owned by the RX ring.Refill the BM pool before handing the current buffer to XDP or to theskb. If the allocation fails there, drop the packet and return thestill-owned current buffer to BM, preserving the pool depth. Once therefill succeeds, later local drops retire/free the current buffer insteadof returning it to BM. 2026-06-25
CVE-2026-53055
9.8 (i)
CRITICALkernel In the Linux kernel, the following vulnerability has been resolved:crypto: hisilicon/sec2 - prevent req used-after-free for secDuring packet transmission, if the system is under heavy load,the hardware might complete processing the packet and free therequest memory (req) before the transmission function finishes.If the software subsequently accesses this req, a use-after-freeerror will occur. The qp_ctx memory exists throughout the packetsending process, so replace the req with the qp_ctx. 2026-06-24
CVE-2026-53046
8.1 (i)
HIGHkernel In the Linux kernel, the following vulnerability has been resolved:ksmbd: fix use-after-free from async crypto on Qualcomm crypto engineksmbd_crypt_message() sets a NULL completion callback on AEAD requestsand does not handle the -EINPROGRESS return code from async hardwarecrypto engines like the Qualcomm Crypto Engine (QCE). When QCE returns-EINPROGRESS, ksmbd treats it as an error and immediately frees therequest while the hardware DMA operation is still in flight. The DMAcompletion callback then dereferences freed memory, causing a NULLpointer crash: pc : qce_skcipher_done+0x24/0x174 lr : vchan_complete+0x230/0x27c ... el1h_64_irq+0x68/0x6c ksmbd_free_work_struct+0x20/0x118 [ksmbd] ksmbd_exit_file_cache+0x694/0xa4c [ksmbd]Use the standard crypto_wait_req() pattern with crypto_req_done() asthe completion callback, matching the approach used by the SMB clientin fs/smb/client/smb2ops.c. This properly handles both synchronousengines (immediate return) and async engines (-EINPROGRESS followedby callback notification). 2026-06-24
CVE-2026-53045
9.8 (i)
CRITICALkernel In the Linux kernel, the following vulnerability has been resolved:memory: tegra124-emc: Fix dll_change checkThe code checking whether the specified memory timing enables DLLin the EMRS register was reversed. DLL is enabled if bit A0 is low.Fix the check. 2026-06-24
CVE-2026-53043
9.1 (i)
CRITICALkernel In the Linux kernel, the following vulnerability has been resolved:ocfs2/dlm: validate qr_numregions in dlm_match_regions()Patch series "ocfs2/dlm: fix two bugs in dlm_match_regions()".In dlm_match_regions(), the qr_numregions field from a DLM_QUERY_REGIONnetwork message is used to drive loops over the qr_regions buffer withoutsufficient validation. This series fixes two issues:- Patch 1 adds a bounds check to reject messages where qr_numregions exceeds O2NM_MAX_REGIONS. The o2net layer only validates message byte length; it does not constrain field values, so a crafted message can set qr_numregions up to 255 and trigger out-of-bounds reads past the 1024-byte qr_regions buffer.- Patch 2 fixes an off-by-one in the local-vs-remote comparison loop, which uses '<=' instead of '<', reading one entry past the valid range even when qr_numregions is within bounds.This patch (of 2):The qr_numregions field from a DLM_QUERY_REGION network message is useddirectly as loop bounds in dlm_match_regions() without checking againstO2NM_MAX_REGIONS. Since qr_regions is sized for at most O2NM_MAX_REGIONS(32) entries, a crafted message with qr_numregions > 32 causesout-of-bounds reads past the qr_regions buffer.Add a bounds check for qr_numregions before entering the loops. 2026-06-24