The Linux kernel project published 3 CVEs in the week of 11 to 18 July 2026. All three are fixed in mainline and in current stable releases, and there is no 0-day and no exploit code here. The only action you need to take is to update your kernel to the fixed version for your branch. The one version that clears all three is 6.18.38, 7.1.3, or mainline 7.2-rc1. On the LTS branches the picture is mixed this week: 6.6.144 and 6.12.95 carry the IPv4 memory-safety fix, but the 6.1 and 7.0 branches, and the vsock fix on 6.12, do not have a shipped backport yet, so watch for the next stable release on those branches. The 5.10 and 5.15 LTS branches are not affected.
Three is a small number of Linux kernel CVEs for one week, but one of them matters on almost every device. CVE-2026-53366 is a local memory-safety bug in the IPv4 output path, scored 7.8 (high). The other two are resource leaks: a Bluetooth memory leak that a nearby device can drive, and a vsock pinned-page leak that a guest can drive on a virtualization host. Most fixes are narrow, and which CVEs matter to you depends on what your product uses: an IPv4 network path that every device has, a Bluetooth LE Audio broadcast, or a virtual-machine socket channel.
None of this week’s CVEs appeared in the previous edition. This is a fresh set.
The one action: update to the fixed version for your branch
Run uname -r to see your current kernel version. Compare it with the target for your branch in the table below. If your version is equal to or higher than the target, the CVEs listed for your branch are already fixed on your system. If your version is lower, update to the target.
| Stable branch | Update to at least | Notes |
|---|---|---|
| 6.1 LTS | No shipped fix yet | Only CVE-2026-53366 affects it; the 6.1 backport has not shipped in this window |
| 6.6 LTS | 6.6.144 | Clears CVE-2026-53366; the other two do not affect 6.6 |
| 6.12 LTS | 6.12.95 | Clears CVE-2026-53366; CVE-2026-53365 also affects 6.12 but has no 6.12 backport yet |
| 6.18 stable | 6.18.38 | Clears all three |
| 7.0 stable | 7.0.12 | Clears CVE-2026-53364 and CVE-2026-53365; CVE-2026-53366 has no 7.0 backport yet |
| 7.1 stable | 7.1.3 | Clears all three |
| mainline | 7.2-rc1 | All three merged |
The 5.10 and 5.15 LTS branches are not in the table because no CVE in this window affects them. All three bugs are in code that was added in 6.0 or later. Any branch not listed was either not affected, or its fix predates this window. Where a cell says the backport has not shipped, the branch is still affected by that CVE today; plan to take the next stable release on that branch when it appears.
Mobile and automotive
The fix to apply first on phones, head units, and telematics boxes is CVE-2026-53366. It is an out-of-bounds write in the IPv4 output path in net/ipv4/ip_output.c. On the paged-allocation path the new socket buffer’s linear area is undersized, and carry-over bytes from the previous buffer are then copied into it. A low-privileged local process can reach it, and IPv4 is built into every one of these devices through CONFIG_INET. Kernels from 6.0 onward are affected, so almost every shipping mobile or automotive kernel is in range. If your device runs a 6.6 or 6.12 build, update to 6.6.144 or 6.12.95. If it runs 6.1, there is no shipped 6.1 fix yet, so track the next 6.1 stable release.
The Bluetooth memory leak, CVE-2026-53364, applies only if two things are true: the build has CONFIG_BT with LE Audio broadcast, and the kernel is 6.17 or newer (or the 6.16.4 backport). It is in the LE Audio Broadcast Isochronous Group termination path in net/bluetooth/hci_conn.c. A nearby device can drive the terminate path, and each pass on the buggy branch leaks a small kernel allocation, so repeated triggering wears the device down over time. Most mobile and automotive products today still ship on 5.15, 6.1, or 6.6, and those are not affected. Only newer 6.17-and-later builds need this fix, which is in 6.18.35, 7.0.12, and 7.1.
The vsock CVE does not apply unless the device runs virtual machines that use the virtio vsock channel, which is uncommon on these products.
Embedded and IoT
The 5.10 and 5.15 LTS branches are untouched this week, so long-life products frozen on those branches have nothing to do.
For everything on 6.6 and later, CVE-2026-53366 is the one that matters. A headless gateway with a normal shell account is exposed to the IPv4 out-of-bounds write in the same way a phone is, because the IPv4 output path runs on any device that sends IPv4 traffic. Update to 6.6.144 or 6.12.95 where those branches apply. On 6.1 the fix has not shipped yet, so watch for the next 6.1 release.
CVE-2026-53364 reaches only the narrow set of embedded products that use Bluetooth LE Audio broadcast on a 6.17-or-later kernel. Check with zcat /proc/config.gz | grep CONFIG_BT; if Bluetooth is not built, or the kernel is older than 6.17, this CVE cannot affect you.
CVE-2026-53365 only matters if the device runs virtual machines and an in-guest or host agent uses the virtio vsock transport with MSG_ZEROCOPY. That is rare on embedded hardware. If it applies, note that only 6.18.34, 7.0.11, and 7.1 carry the fix; a 6.12 device is affected with no backport yet.
Cloud and datacenter
On shared, multi-tenant hosts two CVEs matter.
CVE-2026-53366 is the priority. Any local user with a shell can reach the IPv4 out-of-bounds write, and it is enabled on every host through CONFIG_INET. Apply it everywhere. Hosts on 6.18 or 7.1 get it at 6.18.38 or 7.1.3. A 7.0 host is affected but has no 7.0 backport yet, so if you run 7.0 in production, track the next 7.0 release and consider moving affected hosts to 7.1.3.
CVE-2026-53365 is a guest-driven host-side resource leak in the virtio vsock transport in net/vmw_vsock/virtio_transport_common.c. When a guest sends a large MSG_ZEROCOPY message that splits into several socket buffers, the kernel pins user pages without completion tracking and can leak those pinned pages. A guest that repeats this can slowly consume host memory. It needs CONFIG_VIRTIO_VSOCKETS and a sender that uses zerocopy. Kernels from 6.7 onward are affected. The fix is in 6.18.34, 7.0.11, and 7.1; a 6.12 host is affected with no backport yet.
The Bluetooth CVE does not normally apply to datacenter hosts, which do not run Bluetooth.
Medical devices
Two of this week’s CVEs are relevant to connected clinical devices.
CVE-2026-53366 is the important one. Any device that sends IPv4 traffic runs the affected code in net/ipv4/ip_output.c. Connected clinical equipment does this constantly: patient monitors and infusion pumps that report to a central station, imaging systems that move DICOM studies to a PACS server, and gateways that carry HL7 or FHIR messages. The bug is an out-of-bounds heap write that a local low-privileged process can trigger. On a device that also runs a third-party application, a vendor agent, or a service account, that is a real path to memory corruption. It is gated by CONFIG_INET, which is always set, and kernels from 6.0 onward are affected.
CVE-2026-53364 applies to newer wearable and bedside devices that use Bluetooth LE Audio broadcast, such as broadcast-capable hearing devices, but only where the kernel is 6.17 or later. It is a memory leak, not memory corruption, so the effect is a device that degrades over time rather than an immediate compromise. Most fielded medical devices run older LTS kernels and are not affected. The vsock CVE applies only if the device runs virtual machines, which is uncommon on endpoint equipment.
Patching a medical device is not the same as patching a server. A kernel change usually requires software validation and, depending on the device and the market, regulatory revalidation under the US FDA postmarket cybersecurity guidance, the EU MDR, and IEC 62304. The action here is to plan the stable-branch update through the manufacturer’s change-control process, with the risk assessment recorded, rather than to push a kernel update directly to fielded devices.
How to check if a Linux kernel CVE applies to you
There are three questions.
First, version. Compare uname -r with the table above. If your version is equal to or higher than the target for your branch, the CVEs listed for that branch are already fixed. If you are on 5.10 or 5.15, you are not affected this week.
Second, configuration. Check your kernel config, for example zcat /proc/config.gz | grep CONFIG_BT for the Bluetooth CVE or grep CONFIG_VIRTIO_VSOCKETS for the vsock CVE. If a feature was not built, that CVE cannot affect you. The IPv4 CVE is gated by CONFIG_INET, which is set almost everywhere.
Third, reachability, which sets the order of work. The wireless-reachable Bluetooth leak comes first where it applies, because a nearby device can drive it. Local unprivileged memory corruption comes next, and the IPv4 out-of-bounds write is the one to apply on every system. Guest-to-host resource leaks on shared hosts, such as the vsock CVE, come after that. Bugs that need a specific config or hardware come last.
Key takeaways
- Updating to 6.18.38, 7.1.3, or mainline 7.2-rc1 fixes all 3 CVEs in one step.
- The backport picture is mixed this week. The 6.1 and 7.0 branches are affected by
CVE-2026-53366with no shipped fix yet, and 6.12 is affected byCVE-2026-53365with no shipped fix yet. Watch for the next release on those branches. - Apply
CVE-2026-53366(ipv4) everywhere. It is a local memory-safety bug, scored 7.8, and built into nearly every configuration. CVE-2026-53364(Bluetooth) only affects 6.17-and-later kernels with LE Audio broadcast. Most fielded devices on older LTS branches are not affected.CVE-2026-53365(vsock) only matters on virtualization hosts where a guest usesMSG_ZEROCOPYover virtio vsock.- The 5.10 and 5.15 LTS branches were not affected by any CVE this week.
- None of these are 0-days. The correct action is a planned update that you test on your own hardware.
Frequently asked questions
What is the one thing I should do?
Update to 6.18.38, 7.1.3, or mainline 7.2-rc1, which clears all three CVEs. If you are on an LTS branch, use the target in the table and check the note, because a few branches do not have a shipped fix yet this week.
Only three CVEs. Is this a quiet week?
The count is low, but one CVE is not minor. CVE-2026-53366 is a local memory-safety bug in the IPv4 path, scored 7.8, and it reaches almost every device. The other two are resource leaks with narrower conditions.
I am on 5.10 or 5.15. Am I affected?
No. All three bugs are in code added in 6.0 or later, so those branches are not affected. You do not need to act on this list.
I run 6.1 or 7.0. Why is there no fixed version for my branch?
Both branches are affected by CVE-2026-53366, but the backport had not shipped in this window. Track the next stable release on your branch, and in the meantime treat the IPv4 CVE as open on those hosts.
We do not use Bluetooth. Do we need the Bluetooth fix?
No. CVE-2026-53364 is gated by CONFIG_BT and the LE Audio broadcast path, and it only affects 6.17-and-later kernels. If Bluetooth is not built, or your kernel is older than 6.17, the bug cannot affect you.
Our product is a regulated medical device. Do we have to patch immediately?
The IPv4 CVE applies to you, but a kernel change on a regulated device needs validation and, in many cases, regulatory revalidation. Plan the stable-branch update through your change-control process and record the risk assessment.




