The Linux kernel project published 38 CVEs in the week of 27 June to 4 July 2026. All of them are already fixed in a stable release. There is no 0-day and no exploit code here. The only action you need to take is to update your kernel to the fixed version for your branch. The minimum safe version per branch is 5.10.260, 5.15.211, 6.1.177, 6.6.144, 6.12.95, 6.18.38, 7.0.14, 7.1.3, or mainline 7.2-rc1.
Most of the 38 fixes are small NULL-dereference and warning fixes. They only trigger on specific hardware or specific kernel configurations. About thirteen of them matter to device engineers. Which ones apply to you depends on what your product uses: a radio, a hypervisor, a specific SoC bus, or a normal login shell that any local user can access. This advisory gives the version to install first. It then lists which CVEs matter for mobile and automotive, embedded and IoT, and cloud and datacenter builds.
The one action: update to the fixed version for your branch
Run uname -r to see your current kernel version. Compare it with the target for your branch in the table below. If your version is equal to or higher than the target, all of this week’s CVEs are already fixed on your system. If your version is lower, update to the target. That is the full fix.
| Stable branch | Update to at least | Notes |
|---|---|---|
| 5.10 LTS | 5.10.260 | Only some of this week’s CVEs affect this branch |
| 5.15 LTS | 5.15.211 | Only some of this week’s CVEs affect this branch |
| 6.1 LTS | 6.1.177 | Includes the KVM shadow-paging and ipv6 fixes |
| 6.6 LTS | 6.6.144 | Includes the Bluetooth, af_unix and ipv6 fixes |
| 6.12 LTS | 6.12.95 | Contains all fixes for this branch |
| 6.18 stable | 6.18.38 | Most of the new bugs were fixed here first |
| 7.0 stable | 7.0.14 | Contains all fixes for this branch |
| 7.1 stable | 7.1.3 | Contains all fixes for this branch |
| mainline | 7.2-rc1 | Contains the few fixes not yet in a 7.1.x release |
If your branch is not in the table, it was either not affected this week, or the fix was made before this week. In that case you do not need to do anything.
Mobile and automotive
Mobile and automotive devices usually include radios, Qualcomm and NXP SoC buses, and AMD display hardware. This week’s most reachable bugs are in those areas, so update these devices first.
The two fixes to apply first are the Bluetooth L2CAP fixes, CVE-2026-53357 and CVE-2026-53358. A disconnect forced by a remote device can race with local socket cleanup. This causes a use-after-free and a related lock-ordering deadlock. Both affect any build where CONFIG_BT is enabled. Because a remote peer can trigger them, they are the highest priority here.
CVE-2026-53354 fixes a TLB-invalidation ordering problem on some Arm CPUs. It applies if your SoC is listed in the kernel file silicon-errata.rst.
Several driver fixes affect Snapdragon and i.MX designs: CVE-2026-53339 (camera CCI i2c), CVE-2026-53331 and CVE-2026-53332 (SLIMbus audio), and CVE-2026-53340 (i.MX i2c). These fix crashes during driver unbind or subsystem restart. They only apply if those drivers are built.
On the display side, CVE-2026-53329 and CVE-2026-53330 fix out-of-bounds memory access in the AMD display and DisplayPort code. The access is controlled by data that a connected monitor or repeater sends. They apply to any build with CONFIG_DRM_AMD_DC.
Embedded and IoT
Embedded and IoT devices are usually headless, run for a long time, and often use older LTS branches. This week their main risk is boot reliability and driver stability, not remote attack.
The clearest example is CVE-2026-53336. When the ONIE-TLV EEPROM contains an unknown or bad entry, the parser stops moving forward and the boot process loops forever. This affects networking and whitebox hardware built with CONFIG_NVMEM_LAYOUT_ONIE_TLV.
CVE-2026-53338 causes a NULL-dereference crash when a device-tree reserved-memory region is missing. It affects routers and CPE devices that use Airoha SoCs. CVE-2026-53343 fixes an unaligned-access fault that stops 32-bit ARMv5 KASAN builds from booting. This mainly affects development and CI images.
Two more driver fixes apply here: CVE-2026-53340 (i.MX i2c) and CVE-2026-53344, a NULL dereference during probe in the MCP23S08 GPIO expander driver. Embedded gateways that also handle networking should also apply the Bluetooth fixes and the two local memory fixes described in the cloud section, because those apply wherever the code is built.
Cloud and datacenter
On shared, multi-tenant hosts the main risk is guest-to-host escape and local memory corruption.
The most serious fix this week is CVE-2026-53360. A malicious SEV-SNP guest can set a scratch-buffer size that the page-state-change code does not check. This lets the guest corrupt nearby host kernel memory. Update confidential-compute hosts built with CONFIG_KVM_AMD_SEV first.
CVE-2026-53359 is a guest-to-host use-after-free in the x86 shadow-paging code. It mainly affects nested guests, or hosts that do not use TDP or EPT.
Two more fixes apply to every host. CVE-2026-53362 is in ipv6 and CVE-2026-53361 is in af_unix. Both are local memory-corruption bugs. Any local user with a shell can trigger them, and both are enabled in almost every configuration. Apply them everywhere.
Container hosts that use user namespaces should also apply CVE-2026-53341, a use-after-free in the file-handle decode code. CVE-2026-53349 in netfilter conntrack needs module-load permission to trigger, so it mainly matters to hosts that load and unload conntrack helpers.
How to check if a CVE applies to you
There are three questions.
First, version. Compare uname -r with the table above. If your version is equal to or higher than the target, you are already fixed.
Second, configuration. To see which CVEs ever applied, check your kernel config, for example zcat /proc/config.gz | grep CONFIG_BT. If a driver was not built, that CVE cannot affect you.
Third, reachability, which sets the order of work. Remote paths such as Bluetooth are the highest priority. Local unprivileged bugs such as the ipv6 and af_unix fixes come next. Guest-to-host bugs on shared hosts come after that. Bugs that need extra permission or a specific config are the lowest priority.
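The version and configuration checks above can be scripted. The following is an added example, not code from the kernel project: the function names and sample inputs are made up for illustration, the branch targets and CONFIG-to-CVE pairs are copied from this advisory, and the release string is assumed to carry the upstream stable version.

```shell
#!/bin/sh
# Added example for this advisory; not kernel-project code.

# Minimum fixed patch level per branch, copied from the table above.
branch_target() {
    case "$1" in
        5.10) echo 260 ;; 5.15) echo 211 ;; 6.1) echo 177 ;;
        6.6) echo 144 ;; 6.12) echo 95 ;; 6.18) echo 38 ;;
        7.0) echo 14 ;; 7.1) echo 3 ;;
        7.2) echo 0 ;;   # mainline: 7.2-rc1 or later
        *) return 1 ;;
    esac
}

# kernel_status RELEASE: prints fixed, update or not-listed.
kernel_status() {
    rel=${1%%[-+]*}              # drop suffixes such as -generic or -rc1
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    case "$patch" in ''|*[!0-9]*) echo not-listed; return 0 ;; esac
    target=$(branch_target "$major.$minor") || { echo not-listed; return 0; }
    if [ "$patch" -ge "$target" ]; then echo fixed; else echo update; fi
}

# built_cves CONFIG_FILE: CVEs whose option (named in this advisory) is =y or =m.
# The anchored match skips "# CONFIG_BT is not set" and CONFIG_BT_* sub-options.
built_cves() {
    while read -r opt cves; do
        if grep -Eq "^$opt=[ym]\$" "$1"; then echo "$cves"; fi
    done <<'EOF'
CONFIG_BT CVE-2026-53357,CVE-2026-53358
CONFIG_KVM_AMD_SEV CVE-2026-53360
CONFIG_DRM_AMD_DC CVE-2026-53329,CVE-2026-53330
CONFIG_NVMEM_LAYOUT_ONIE_TLV CVE-2026-53336
EOF
}

# Constructed sample config lines, not taken from a real system.
sample_config() {
    printf '%s\n' 'CONFIG_BT=m' 'CONFIG_BT_HCIUART=y' \
        '# CONFIG_KVM_AMD_SEV is not set' 'CONFIG_DRM_AMD_DC=y'
}

for r in 6.6.143-generic 6.6.144 7.2-rc1 6.9.12; do   # constructed releases
    printf '%s -> %s\n' "$r" "$(kernel_status "$r")"
done
```

On a live system, pass "$(uname -r)" to kernel_status and a decompressed copy of /proc/config.gz to built_cves. Distribution kernels that backport fixes can report a release string that does not show the upstream stable patch level, so confirm against the vendor's advisory in that case.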
Key takeaways
- Updating to the fixed version for your branch (5.10.260, 5.15.211, 6.1.177, 6.6.144, 6.12.95, 6.18.38, 7.0.14, 7.1.3, or mainline 7.2-rc1) fixes all 38 CVEs in one step.
- Apply the Bluetooth L2CAP fixes first on any device with a radio, CVE-2026-53360 first on SEV-SNP hosts, and the ipv6 and af_unix fixes on all systems.
- Older LTS branches only receive the CVEs that affect them. Several of this week’s bugs exist only on 6.18 and later.
- None of these are 0-days. All fixes are already in stable. The correct action is a planned update that you test on your own hardware.
Frequently asked questions
What is the one thing I should do?
Update to the minimum version listed for your branch. That fixes all of this week’s CVEs.
Are any of these being used in real attacks?
There are no public reports of attacks, and no exploit code is shown here. Treat this as normal, ordered maintenance.
I am on 5.15 or 6.1. Am I affected by all of them?
No. Older LTS branches only get the fixes that apply to them, and several new bugs exist only on 6.18 and later. Updating to your branch target still covers you.
We use TDP or EPT only, with no nested guests. Does the shadow-paging use-after-free affect us?
The risk is much lower, because CVE-2026-53359 is in the shadow-paging code, which these hosts do not use. Update it during your normal schedule.




