The Linux kernel project published 5 CVEs in the week of 4 to 11 July 2026. This is a low-volume week. All five are already fixed in a stable release, and there is no 0-day and no exploit code here. The only action you need to take is to update your kernel to the fixed version for your branch. The minimum safe version per branch is 6.1.177, 6.6.144, 6.12.95, 6.18.38, 7.0.13, 7.1.3, or mainline 7.2-rc1. The 5.10 and 5.15 LTS branches were not affected by any CVE in this window.
Five CVEs is a small number by the usual standard, but the mix is unusually serious. Every one of them is either a guest-to-host issue in KVM, a memory-corruption bug in core networking code that an unprivileged local user can reach, or a race in a socket subsystem that runs on every Linux system. There are no low-impact entries this week. Two of the five are in KVM and x86 virtualization, and the other three are in the network stack: af_unix, ipv6, and the IPsec IP-TFS path.
This advisory gives the version to install first. It then lists which CVEs matter for mobile and automotive, embedded and IoT, and cloud and datacenter builds.
The one action: update to the fixed version for your branch
Run uname -r to see your current kernel version. Compare it with the target for your branch in the table below. If your version is equal to or higher than the target, all of this week’s CVEs are already fixed on your system. If your version is lower, update to the target. That is the full fix.
| Stable branch | Update to at least | Cleared by |
|---|---|---|
| 6.1 LTS | 6.1.177 | CVE-2026-53359, CVE-2026-53362 |
| 6.6 LTS | 6.6.144 | CVE-2026-53359, CVE-2026-53361, CVE-2026-53362 |
| 6.12 LTS | 6.12.95 | CVE-2026-53359, CVE-2026-53360, CVE-2026-53361, CVE-2026-53362 |
| 6.18 stable | 6.18.38 | All five |
| 7.0 stable | 7.0.13 | CVE-2026-53360, CVE-2026-53363 |
| 7.1 stable | 7.1.3 | All five |
| mainline | 7.2-rc1 | All five, already merged |
The 5.10 and 5.15 LTS branches are not in the table because no CVE in this window affects them. If you run a long-life product on one of those branches, you have nothing to do for this week’s list.
Mobile and automotive
There are no radio, display or SoC-driver CVEs this week, so the work here is smaller than usual. What applies to mobile and automotive devices is the networking set, and it applies regardless of which SoC you ship.
CVE-2026-53362 is the one to apply first. An unprivileged local user can open a UDPv6 socket and combine MSG_MORE with MSG_SPLICE_PAGES to make the kernel write past the end of a socket buffer. This is a heap out-of-bounds write in the IPv6 output path in net/ipv6/ip6_output.c. It needs no special privilege, and the IPv6 output path is exercised on any device that sends IPv6 traffic. On a phone, an infotainment head unit, or a telematics box, any code running as a normal user reaches it. Kernels from 6.0 onward are affected.
CVE-2026-53361 applies to every device as well. It is a race in the AF_UNIX garbage collector in net/unix/garbage.c, where gc_in_progress can stay false while a collection pass is still running. Code that peeks at queued file descriptors with MSG_PEEK depends on that flag. AF_UNIX carries most local IPC on an Android or automotive stack, so this code runs constantly. Kernels from 6.9 onward are affected.
Automotive gateways that terminate an IPsec tunnel should also read the iptfs entry in the embedded section below. The two KVM CVEs do not apply unless you run virtual machines on the device, which some automotive hypervisor designs do.
Embedded and IoT
The good news for long-life embedded products is that the 5.10 and 5.15 LTS branches are untouched this week. Devices frozen on those branches need no action at all.
For everything on 6.1 and later, the ipv6 and af_unix fixes described above apply. Both are built into almost every configuration, so treat them as universal. A headless gateway with a normal shell account is exposed to CVE-2026-53362 in the same way a phone is.
The one CVE specific to this category is CVE-2026-53363, in the IPsec IP-TFS code at net/xfrm/xfrm_iptfs.c. When the kernel moves page fragments between socket buffers, it failed to carry over the marker that says a fragment is backed by a shared, read-only page. Without that marker, the ESP code can decide it is safe to encrypt the buffer in place, which is not safe when the page is shared. This is the same class of bug as CVE-2026-46300, in a different code path.
It is gated by CONFIG_XFRM_IPTFS and only affects kernels from 6.14 onward, so it reaches a narrow set of products: VPN concentrators, routers, and industrial gateways that use IP-TFS tunnel mode. Check with zcat /proc/config.gz | grep CONFIG_XFRM_IPTFS. If it is not set, this CVE cannot affect you. If it is set, update to 6.18.36, 7.0.13, or later.
Cloud and datacenter
On shared, multi-tenant hosts the two KVM CVEs are the priority, and both are guest-to-host.
CVE-2026-53360 is the most serious fix this week. A malicious SEV-SNP guest can make the host allocate an undersized scratch buffer and then read and write past the end of it. That gives the guest a way to read host kernel heap memory and to corrupt host kernel heap memory. The fix is in arch/x86/kvm/svm/sev.c and requires the scratch area to be inside the GHCB when GHCB v2 or later is in use. Kernels from 6.10 onward are affected. Update confidential-compute hosts that run AMD SEV-SNP virtual machines first.
CVE-2026-53359 is a guest-to-host use-after-free in the x86 shadow-paging code in arch/x86/kvm/mmu/mmu.c. A guest remaps a page table entry and then causes the host to delete a memory slot, which can leave a stale reference-map entry pointing at host memory that has already been freed. Host code that later walks that reference, for example during dirty-page logging, then uses freed memory. The affected range goes back to 2.6.36, so treat every maintained branch as affected. The practical risk is highest on hosts that run nested guests or that do not use TDP or EPT, because those are the hosts that use shadow paging.
The ipv6 and af_unix fixes apply to every host as well. Any local user with a shell can reach CVE-2026-53362, and both bugs are enabled in almost every configuration. Apply them everywhere, not only on virtualization hosts.
How to check if a CVE applies to you
There are three questions.
First, version. Compare uname -r with the table above. If your version is equal to or higher than the target, you are already fixed. If you are on 5.10 or 5.15, you are not affected this week.
Second, configuration. Check your kernel config, for example zcat /proc/config.gz | grep CONFIG_XFRM_IPTFS. If a feature was not built, that CVE cannot affect you. This week only the iptfs CVE is gated in a meaningful way; ipv6, af_unix and KVM are built almost everywhere they are relevant.
Third, reachability, which sets the order of work. Local unprivileged memory corruption comes first: the ipv6 out-of-bounds write is reachable by any user on any system. Guest-to-host bugs on shared hosts come next, with SEV-SNP ahead of shadow paging. Configuration-gated bugs such as iptfs come last, and only if the config is set.
Key takeaways
- Updating to the fixed version for your branch (6.1.177, 6.6.144, 6.12.95, 6.18.38, 7.0.13, 7.1.3, or mainline 7.2-rc1) fixes all 5 CVEs in one step.
- The 5.10 and 5.15 LTS branches were not affected by any CVE this week. Products frozen on those branches need no action.
- Apply
CVE-2026-53362(ipv6) andCVE-2026-53361(af_unix) everywhere. They are unprivileged-local and built into nearly every configuration. - Apply
CVE-2026-53360first on AMD SEV-SNP confidential-compute hosts, andCVE-2026-53359on hosts that run nested guests or shadow paging. CVE-2026-53363only matters ifCONFIG_XFRM_IPTFSis set and you use IP-TFS tunnel mode.- None of these are 0-days. All fixes are already in stable. The correct action is a planned update that you test on your own hardware.
Frequently asked questions
What is the one thing I should do?
Update to the minimum version listed for your branch. That fixes all of this week’s CVEs in a single step.
Only five CVEs. Is this a quiet week?
The count is low, but the severity is not. All five are guest-to-host, unprivileged-local memory corruption, or a race in a core socket subsystem. There are no minor entries to skip this week.
I am on 5.10 or 5.15. Am I affected?
No. No CVE published in this window affects those branches. You do not need to act on this list.
We do not use IPsec. Do we need to worry about the iptfs CVE?
No. CVE-2026-53363 is gated by CONFIG_XFRM_IPTFS and only affects IP-TFS tunnel mode. If that option is not set in your kernel config, the code is not built and the bug cannot affect you.
We use TDP or EPT only, with no nested guests. Does the shadow-paging use-after-free affect us?
The risk is much lower, because CVE-2026-53359 is in the shadow-paging code, which these hosts do not use. Update it during your normal schedule.


