CVE-2026-23467

CVE-2026-23467 affects the Linux kernel drm/i915/dmc driver. The vulnerability is a NULL pointer dereference that can occur during probe when DC6 is unexpectedly enabled, due to intel_power_domains_init_hw() calling intel_dmc_update_dc6_allowed_count() before intel_dmc_init(). The root cause is u...

CVE-2026-23460

In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rosetransmitlink on reconnect syzkaller reported a bug 1, and the reproducer is available at 2. ROSE sockets use four sk-skstate values: TCPCLOSE, TCPLISTEN, TCPSYNSENT, and TCPESTABLISHE...

CVE-2026-23460 net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect

In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rosetransmitlink on reconnect syzkaller reported a bug 1, and the reproducer is available at 2. ROSE sockets use four sk-skstate values: TCPCLOSE, TCPLISTEN, TCPSYNSENT, and TCPESTABLISHE...

CVE-2026-23460

CVE-2026-23460 (Linux kernel) affects the Rose (net/rose) path. The bug occurs when a second connect() is issued while a first connect is in progress (state TCP_SYN_SENT); rose_get_neigh() may return NULL, leaving rose->state ROSE_STATE_1 with neighbour NULL, and on socket close rose_transmit_...

CVE-2026-23450

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smctcpsynrecvsock Syzkaller reported a panic in smctcpsynrecvsock 1. smctcpsynrecvsock is called in the TCP receive path softirq via icskafops-synrecvsock on the clcsock TCP listening...

CVE-2026-23450 net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smctcpsynrecvsock Syzkaller reported a panic in smctcpsynrecvsock 1. smctcpsynrecvsock is called in the TCP receive path softirq via icskafops-synrecvsock on the clcsock TCP listening...

CVE-2026-23443 ACPI: processor: Fix previous acpi_processor_errata_piix4() fix

In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix previous acpiprocessorerratapiix4 fix After commi f132e089fe89 "ACPI: processor: Fix NULL-pointer dereference in acpiprocessorerratapiix4", device pointers may be dereferenced after dropping references to the...

CVE-2026-23443

CVE-2026-23443 refers to a Linux kernel ACPI processor errata handling flaw (piix4). A use-after-free could occur from dereferencing device pointers after their objects were freed, stemming from a NULL-pointer dereference in acpi_processor_errata_piix4(). The fix moves diagnostic message printing...

CVE-2026-23442 ipv6: add NULL checks for idev in SRv6 paths

In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths in6devget can return NULL when the device has no IPv6 configuration e.g. MTU IPV6MINMTU or after NETDEVUNREGISTER. Add NULL checks for idev returned by in6devget in both...

CVE-2026-23442

In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths in6devget can return NULL when the device has no IPv6 configuration e.g. MTU IPV6MINMTU or after NETDEVUNREGISTER. Add NULL checks for idev returned by in6devget in both...

CVE-2026-23438

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with globaltxfc in buffer switching mvpp2bmswitchbuffers unconditionally calls mvpp2bmpoolupdateprivfc when switching between per-cpu and shared buffer pool modes. This function programs CM3...

CVE-2026-23438

In the Linux kernel mvpp2 driver, CVE-2026-23438 arises from an unconditional access to CM3 flow control via mvpp2_cm3_read()/mvpp2_cm3_write() in mvpp2_bm_switch_buffers(), when priv->cm3_base is NULL (e.g., CM3 SRAM not present in device tree). This can crash the kernel on MTU changes that c...

CVE-2026-23435

The CVE-2026-23435 entries describe a Linux kernel PMU/X86 perf vulnerability that was resolved. The root cause was a commit that moved cpuc->events[idx] assignment out of x86_pmu_start() into step 2 of x86_pmu_enable(), after PERF_HES_ARCH checks. This could allow a path that calls pmu->st...

CVE-2026-23435

In the Linux kernel, the following vulnerability has been resolved: perf/x86: Move event pointer setup earlier in x86pmuenable A production AMD EPYC system crashed with a NULL pointer dereference in the PMU NMI handler: BUG: kernel NULL pointer dereference, address: 0000000000000198 RIP:...

CVE-2026-23435 perf/x86: Move event pointer setup earlier in x86_pmu_enable()

In the Linux kernel, the following vulnerability has been resolved: perf/x86: Move event pointer setup earlier in x86pmuenable A production AMD EPYC system crashed with a NULL pointer dereference in the PMU NMI handler: BUG: kernel NULL pointer dereference, address: 0000000000000198 RIP:...

CVE-2026-23433 arm_mpam: Fix null pointer dereference when restoring bandwidth counters

In the Linux kernel, the following vulnerability has been resolved: armmpam: Fix null pointer dereference when restoring bandwidth counters When an MSC supporting memory bandwidth monitoring is brought offline and then online, mpamrestorembwustate calls rismsmonread via ipi to restore the...

CVE-2026-23433

In the Linux kernel, the following vulnerability has been resolved: armmpam: Fix null pointer dereference when restoring bandwidth counters When an MSC supporting memory bandwidth monitoring is brought offline and then online, mpamrestorembwustate calls rismsmonread via ipi to restore the...

CVE-2026-23433

CVE-2026-23433 concerns the Linux kernel arm_mpam component and memory bandwidth monitoring. The root cause is a null pointer dereference in mpam_restore_mbwu_state: when an MSC is offline then online, __ris_msmon_read() is invoked via IPIs to restore bandwidth-counter configuration, but mbwu_arg...

K000160611: Linux kernel vulnerabilities CVE-2026-23279, CVE-2026-23281, and CVE-2026-23367

Security Advisory Description CVE-2026-23279 In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in meshrxcsaframe In meshrxcsaframe, elems-meshchanswparamsie is dereferenced at lines 1638 and 1642 without a prior NULL check:...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the mana.hwc.destroychannel function’s ability to re-use memory after release, potentially leadin...