CVE-2026-23309

A flaw was found in the Linux kernel. When the 'triggerdataalloc' function fails to allocate memory and returns a null pointer, the subsequent 'triggerdatafree' function attempts to access this null pointer. This null pointer dereference can lead to a system crash, resulting in a Denial of Servic...

CVE-2026-23369

A flaw was found in the Linux kernel's i2c i801 driver. Under rare circumstances, multiple udev threads can concurrently access the i801acpiiohandler during system boot. This can lead to a null pointer dereference when the i2clockbus attempts to use an unregistered memory area. A local attacker...

CVE-2026-23349

A flaw was found in the Linux kernel's Human Interface Device HID subsystem, specifically within the pidff module. This vulnerability occurs because not all conditional effect bits were properly cleared, leading to null pointer dereferences. A local attacker could potentially exploit this flaw to...

CVE-2026-23328

A flaw was found in the Linux kernel's accel/amdxdna component. An unexpected firmware error during message handling can cause a critical communication variable mgmtchann to be set to NULL. This can lead to a NULL pointer dereference when the system attempts to stop hardware operations, resulting...

CVE-2026-23300

A flaw was found in the Linux kernel's IPv6 networking stack. When a standalone IPv6 nexthop object is created with a loopback device, it is misclassified as a reject route, leading to an unallocated pointer. If an IPv4 route then attempts to reference this nexthop, it causes a NULL pointer...

CVE-2026-23366

A flaw was found in the Linux kernel's Direct Rendering Manager DRM client component. This vulnerability occurs when the system attempts to destroy an uninitialized memory pointer, specifically the 'modes' variable within the drmclientmodesetprobe function, after a memory allocation failure. This...

CVE-2026-23348

A flaw was found in the Linux kernel, specifically within the CXL Compute Express Link and NVDIMM Non-Volatile Dual In-line Memory Module subsystems. A race condition can occur when NVDIMM objects attempt to reprobe after the cxlacpi module is removed, while the nvdimmbus object is missing. This...

EUVD-2026-15348

In the Linux kernel, the following vulnerability has been resolved: drm/client: Do not destroy NULL modes 'modes' in drmclientmodesetprobe may fail to kcalloc. If this occurs, we jump to 'out', calling modesdestroy on it, which dereferences it. This may result in a NULL pointer dereference in the...

EUVD-2026-15374

In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix ndtbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the ndtbl is never initialized because inet6init exits before ndiscinit is called which initializes it. Then, if...

EUVD-2026-15292

In the Linux kernel, the following vulnerability has been resolved: cpufreq: intelpstate: Fix crash during turbo disable When the system is booted with kernel command line argument "nosmt" or "maxcpus" to limit the number of CPUs, disabling turbo via: echo 1...

EUVD-2026-15319

In the Linux kernel, the following vulnerability has been resolved: HID: pidff: Fix condition effect bit clearing As reported by MPDarkGuy on discord, NULL pointer dereferences were happening because not all the conditional effects bits were cleared. Properly clear all conditional effect bits fro...

EUVD-2026-15317

In the Linux kernel, the following vulnerability has been resolved: cxl: Fix race of nvdimmbus object when creating nvdimm objects Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consistently. The...

EUVD-2026-15251

In the Linux kernel, the following vulnerability has been resolved: tracing: Add NULL pointer check to triggerdatafree If triggerdataalloc fails and returns NULL, eventhisttriggerparse jumps to the outfree error path. While kfree safely handles a NULL pointer, triggerdatafree does not. This cause...

EUVD-2026-15271

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: fncm: align netdevice lifecycle with bind/unbind Currently, the netdevice is allocated in ncmallocinst and freed in ncmfreeinst. This ties the network interface's lifetime to the configuration instance rather than th...

EUVD-2026-15242

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6rtgetdevrcu l3mdevmasterdevrcu can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6rtpcpualloc -...

EUVD-2026-15224

In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix ndtbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the ndtbl is never initialized because inet6init exits before ndiscinit is called which initializes it. If an IPv6...

EUVD-2026-15284

In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix NULL pointer dereference of mgmtchann mgmtchann may be set to NULL if the firmware returns an unexpected error in aie2sendmgmtmsgwait. This can later lead to a NULL pointer dereference in aie2hwstop. Fix this b...

EUVD-2026-15198

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in meshrxcsaframe In meshrxcsaframe, elems-meshchanswparamsie is dereferenced at lines 1638 and 1642 without a prior NULL check: ifmsh-chswttl = elems-meshchanswparamsie-meshttl;...

EUVD-2026-15212

In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix null-ptr-deref in lecarpclearvccs syzkaller reported a null-ptr-deref in lecarpclearvccs. This issue can be easily reproduced using the syzkaller reproducer. In the ATM LANE LAN Emulation module, the same atmvcc can...

EUVD-2026-15211

In the Linux kernel, the following vulnerability has been resolved: drbd: fix null-pointer dereference on local read error In drbdrequestendio, READCOMPLETEDWITHERROR is passed to reqmod with a NULL peerdevice: reqmodreq, what, NULL, &m; The READCOMPLETEDWITHERROR handler then unconditionally...