CVE-2026-23442

A flaw was found in the Linux kernel. Missing null pointer checks in the IPv6 Segment Routing SRv6 implementation, specifically within the seg6hmacvalidateskb and ipv6srhrcv functions, can occur when an IPv6 device lacks proper configuration. This oversight may allow an attacker to trigger a null...

CVE-2026-23438

A flaw was found in the Linux kernel's mvpp2 driver. A local privileged user could cause a system crash, leading to a Denial of Service DoS, by triggering a null pointer dereference. This occurs when changing the Maximum Transmission Unit MTU on systems where the CM3 SRAM resource is not present,...

CVE-2026-31394

A flaw was found in the Linux kernel's mac80211 component. This vulnerability occurs when processing stations on APVLAN interfaces, such as 4-address Wireless Distribution System WDS clients. An attacker could trigger a null pointer dereference during Channel Switch Announcement CSA operations,...

CVE-2026-23460

A flaw was found in the Linux kernel's net/rose component. A local user can trigger a NULL pointer dereference by calling connect a second time while a connection attempt is already in progress. This improper handling of concurrent connection attempts can lead to a system crash, resulting in a...

EUVD-2026-18770

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211chanbwchange for APVLAN stations ieee80211chanbwchange iterates all stations and accesses link-reserved.oper via sta-sdata-linklinkid. For stations on APVLAN interfaces e.g. 4addr WDS clients,...

EUVD-2026-18720

In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rosetransmitlink on reconnect syzkaller reported a bug 1, and the reproducer is available at 2. ROSE sockets use four sk-skstate values: TCPCLOSE, TCPLISTEN, TCPSYNSENT, and TCPESTABLISHE...

EUVD-2026-18750

In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a...

EUVD-2026-18671

In the Linux kernel, the following vulnerability has been resolved: armmpam: Fix null pointer dereference when restoring bandwidth counters When an MSC supporting memory bandwidth monitoring is brought offline and then online, mpamrestorembwustate calls rismsmonread via ipi to restore the...

EUVD-2026-18675

In the Linux kernel, the following vulnerability has been resolved: perf/x86: Move event pointer setup earlier in x86pmuenable A production AMD EPYC system crashed with a NULL pointer dereference in the PMU NMI handler: BUG: kernel NULL pointer dereference, address: 0000000000000198 RIP:...

EUVD-2026-18679

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with globaltxfc in buffer switching mvpp2bmswitchbuffers unconditionally calls mvpp2bmpoolupdateprivfc when switching between per-cpu and shared buffer pool modes. This function programs CM3...

EUVD-2026-18684

In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths in6devget can return NULL when the device has no IPv6 configuration e.g. MTU IPV6MINMTU or after NETDEVUNREGISTER. Add NULL checks for idev returned by in6devget in both...

EUVD-2026-18686

In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix previous acpiprocessorerratapiix4 fix After commi f132e089fe89 "ACPI: processor: Fix NULL-pointer dereference in acpiprocessorerratapiix4", device pointers may be dereferenced after dropping references to the...

EUVD-2026-18700

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smctcpsynrecvsock Syzkaller reported a panic in smctcpsynrecvsock 1. smctcpsynrecvsock is called in the TCP receive path softirq via icskafops-synrecvsock on the clcsock TCP listening...

CVE-2026-23447

A flaw was found in the USB CDC NCM Network Control Model driver in the Linux kernel. This vulnerability, a bounds-check bug, occurs when processing NCM Datagram Pointer NDP32 frames. It fails to correctly account for the ndpoffset, which can lead to out-of-bounds reads. This could result in...

CVE-2026-23475

A flaw was found in the Linux kernel's Serial Peripheral Interface SPI component. The system's per-CPU statistics for the SPI controller were not allocated until after the controller was registered. This created a window where a local user or process could access system files sysfs attributes...

CVE-2026-23467

A flaw was found in the Linux kernel's drm/i915/dmc driver. Under specific, unlikely conditions during system startup, an uninitialized component can be accessed, leading to a null pointer dereference. This can be triggered if the Display Controller 6 DC6 hardware state is unintentionally enabled...

CVE-2026-31404

A flaw was found in the Linux kernel's Network File System Daemon NFSD component. This vulnerability occurs because certain sub-objects are freed prematurely while still being accessed by other parts of the system. A local attacker could potentially trigger a Use-After-Free UAF condition, leading...

CVE-2026-23435

A flaw was found in the Linux kernel's performance monitoring unit PMU subsystem. A race condition can occur during the unthrottling of performance events, leading to a mismatch between active performance counters and their corresponding event pointers. This can result in a NULL pointer dereferen...

CVE-2026-31394

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211chanbwchange for APVLAN stations ieee80211chanbwchange iterates all stations and accesses link-reserved.oper via sta-sdata-linklinkid. For stations on APVLAN interfaces e.g. 4addr WDS clients,...

CVE-2026-23475

In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a...