CVE-2026-23378

In the Linux kernel, the following vulnerability has been resolved: net/sched: actife: Fix metalist update behavior Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being...

CVE-2026-23376

In the Linux kernel, the following vulnerability has been resolved: nvmet-fcloop: Check remoteport portstate before calling done callback In nvmefchandlelsrqstwork, the lsrsp-done callback is only set when remoteport-portstate is FCOBJSTATEONLINE. Otherwise, the nvmefcxmtlsrsp's LLDD call to...

CVE-2026-23374

In the Linux kernel, the following vulnerability has been resolved: blktrace: fix thiscpuread/write in preemptible context tracingrecordcmdline internally uses thiscpuread and thiscpuwrite on the per-CPU variable tracecmdlinesave, and tracesavecmdline explicitly asserts preemption is disabled via...

CVE-2026-23375

In the Linux kernel, the following vulnerability has been resolved: mm: thp: deny THP for files on anonymous inodes filethpenabled incorrectly allows THP for files on anonymous inodes e.g. guestmemfd and secretmem. These files are created via allocfilepseudo, which does not call getwriteaccess an...

CVE-2026-23373

In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Don't default to -EOPNOTSUPP in rsimac80211config This triggers a WARNON in ieee80211hwconfinit and isn't the expected behavior from the driver - other drivers default to 0 too...

CVE-2026-23372

In the Linux kernel, the following vulnerability has been resolved: nfc: rawsock: cancel txwork before socket teardown In rawsockrelease, cancel any pending txwork and purge the write queue before orphaning the socket. rawsocktxwork runs on the system workqueue and calls nfcdataexchange which...

CVE-2026-23371

In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Fix missing ENQUEUEREPLENISH during PI de-boosting Running stress-ng --schedpolicy 0 on an RT kernel on a big machine might lead to the following WARNINGs edited. sched: DL de-boosted task PID 22725: REPLENISH fla...

CVE-2026-23370

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data setnewpassword hex dumps the entire buffer, which contains plaintext password data, including current and new passwords. Remove the hex dump to avoid leaking...

CVE-2026-23369

In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Revert "i2c: i801: replace acpilock with I2C bus lock" This reverts commit f707d6b9e7c18f669adfdb443906d46cfbaaa0c1. Under rare circumstances, multiple udev threads can collect i801 device info on boot and walk...

CVE-2026-23368

In the Linux kernel, the following vulnerability has been resolved: net: phy: register phy ledtriggers during probe to avoid AB-BA deadlock There is an AB-BA deadlock when both LEDSTRIGGERNETDEV and LEDTRIGGERPHY are enabled: 1362.049207 ledtriggerregister+0x5c/0x1fc...

CVE-2026-23367

In the Linux kernel, the following vulnerability has been resolved: wifi: radiotap: reject radiotap with unknown bits The radiotap parser is currently only used with the radiotap namespace not with vendor namespaces, but if the undefined field 18 is used, the alignment/size is unknown as well. In...

CVE-2026-23366

In the Linux kernel, the following vulnerability has been resolved: drm/client: Do not destroy NULL modes 'modes' in drmclientmodesetprobe may fail to kcalloc. If this occurs, we jump to 'out', calling modesdestroy on it, which dereferences it. This may result in a NULL pointer dereference in the...

CVE-2026-23365

In the Linux kernel, the following vulnerability has been resolved: net: usb: kalmia: validate USB endpoints The kalmia driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not ha...

CVE-2026-23363

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: Fix possible oob access in mt7925macwritetxwi80211 Check frame length before accessing the mgmt fields in mt7925macwritetxwi80211 in order to avoid a possible oob access...

CVE-2026-23364

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Compare MACs in constant time To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp with the correct function, cryptomemneq...

CVE-2026-23362

In the Linux kernel, the following vulnerability has been resolved: can: bcm: fix locking for bcmop runtime updates Commit c2aba69d0c36 "can: bcm: add locking for bcmop runtime updates" added a locking for some variables that can be modified at runtime when updating the sending bcmop with a new...

CVE-2026-23361

In the Linux kernel, the following vulnerability has been resolved: PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry Endpoint drivers use dwpcieepraisemsixirq to raise an MSI-X interrupt to the host using a writel, which generates a PCI posted write transaction. There's no completio...

CVE-2026-23359

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap getupperifindexes iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is...

CVE-2026-23360

In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin queue leak on controller reset When nvmeallocadmintagset is called during a controller reset, a previous admin queue may still exist. Release it properly before allocating a new one to avoid orphaning the old queu...

CVE-2026-23358

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix error handling in slot reset If the device has not recovered after slot reset is called, it goes to out label for error handling. There it could make decision based on uninitialized hive pointer and could result i...

CVE-2026-23357

In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock in error path of mcp251xopen The mcp251xopen function call freeirq in its error path with the mpclock mutex held. But if an interrupt already occurred the interrupt handler will be waiting for the mpclo...

CVE-2026-23356

In the Linux kernel, the following vulnerability has been resolved: drbd: fix "LOGIC BUG" in drbdalbeginiononblock Even though we check that we "should" be able to do lcgetcumulative while holding the device-allock spinlock, it may still fail, if some other code path decided to do lctrylock with...

CVE-2026-23355

In the Linux kernel, the following vulnerability has been resolved: ata: libata: cancel pending work after clearing deferredqc Syzbot reported a WARNON in atascsideferredqcwork, caused by ap-ops-qcdefer returning non-zero before issuing the deferred qc. atascsischeduledeferredqc is called during...

CVE-2026-23353

In the Linux kernel, the following vulnerability has been resolved: ice: fix crash in ethtool offline loopback test Since the conversion of ice to page pool, the ethtool loopback test crashes: BUG: kernel NULL pointer dereference, address: 000000000000000c PF: supervisor write access in kernel mo...

CVE-2026-23354

In the Linux kernel, the following vulnerability has been resolved: x86/fred: Correct speculative safety in fredextint arrayindexnospec is no use if the result gets spilled to the stack, as it makes the believed safe-under-speculation value subject to memory predictions. For all practical purpose...

CVE-2026-23352

In the Linux kernel, the following vulnerability has been resolved: x86/efi: defer freeing of boot services memory efifreebootservices frees memory occupied by EFIBOOTSERVICESCODE and EFIBOOTSERVICESDATA using memblockfreelate. There are two issue with that: memblockfreelate should be used for...

CVE-2026-23350

In the Linux kernel, the following vulnerability has been resolved: drm/xe/queue: Call fini on exec queue creation fail Every call to queue init should have a corresponding fini call. Skipping this would mean skipping removal of the queue from GuC list which is part of gucid allocation. A damaged...

CVE-2026-23351

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftsetpipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible...

CVE-2026-23349

In the Linux kernel, the following vulnerability has been resolved: HID: pidff: Fix condition effect bit clearing As reported by MPDarkGuy on discord, NULL pointer dereferences were happening because not all the conditional effects bits were cleared. Properly clear all conditional effect bits fro...

CVE-2026-23348

In the Linux kernel, the following vulnerability has been resolved: cxl: Fix race of nvdimmbus object when creating nvdimm objects Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consistently. The...

CVE-2026-23346

In the Linux kernel, the following vulnerability has been resolved: arm64: io: Extract user memory type in ioremapprot The only caller of ioremapprot outside of the generic ioremap implementation is genericaccessphys, which passes a 'pgprott' value determined from the user mapping of the target...

CVE-2026-23347

In the Linux kernel, the following vulnerability has been resolved: can: usb: f81604: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usbkillanchoredurbs is...

CVE-2026-23345

In the Linux kernel, the following vulnerability has been resolved: arm64: gcs: Do not set PTESHARED on GCS mappings if FEATLPA2 is enabled When FEATLPA2 is enabled, bits 8-9 of the PTE replace the shareability attribute with bits 50-51 of the output address. The PAGEGCS,RO definitions include th...

CVE-2026-23344

In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix use-after-free on error path In the error path of sevtsminitlocked, the code dereferences 't' after it has been freed with kfree. The prerr statement attempts to access t-tioen and t-tioinitdone after the memory...

CVE-2026-23343

In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely bpfxdpfragsincreasetail, clearly...

CVE-2026-23342

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix race in cpumap on PREEMPTRT On PREEMPTRT kernels, the per-CPU xdpbulkqueue bq can be accessed concurrently by multiple preemptible tasks on the same CPU. The original code assumes bqenqueue and cpumapflush run atomically...

CVE-2026-23341

In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix crash when destroying a suspended hardware context If userspace issues an ioctl to destroy a hardware context that has already been automatically suspended, the driver may crash because the mailbox channel...

CVE-2026-23339

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free skb on ncitransceive early error paths ncitransceive takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it. Due to issues clearing NCIDATAEXCHAN...

CVE-2026-23340

In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdiscresetalltxgt vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netifsetrealnumtxqueues calls qdiscresetalltxgt to flush qdiscs for queues which will no longer be used...

CVE-2026-23338

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings Userspace can either deliberately pass in the too small numfences, or the required number can legitimately grow between the two calls to the userq wait...

CVE-2026-23337

In the Linux kernel, the following vulnerability has been resolved: pinctrl: pinconf-generic: Fix memory leak in pinconfgenericparsedtconfig In pinconfgenericparsedtconfig, if parsedtcfg fails, it returns directly. This bypasses the cleanup logic and results in a memory leak of the cfg buffer. Fi...

CVE-2026-23336

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkillblock work in wiphyunregister There is a use-after-free error in cfg80211shutdownallinterfaces found by syzkaller: BUG: KASAN: use-after-free in cfg80211shutdownallinterfaces+0x213/0x220 Read of size ...

CVE-2026-23335

In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix kernel stack leak in irdmacreateuserah struct irdmacreateahresp // 8 bytes, no padding u32 ahid; // offset 0 - SET uresp.ahid = ah-scah.ahinfo.ahidx u8 rsvd4; // offset 4 - NEVER SET - LEAK ; rsvd4: 4 bytes of sta...

CVE-2026-23334

In the Linux kernel, the following vulnerability has been resolved: can: usb: f81604: handle short interrupt urb messages properly If an interrupt urb is received that is not the correct length, properly detect it and don't attempt to treat the data as valid...

CVE-2026-23332

In the Linux kernel, the following vulnerability has been resolved: cpufreq: intelpstate: Fix crash during turbo disable When the system is booted with kernel command line argument "nosmt" or "maxcpus" to limit the number of CPUs, disabling turbo via: echo 1...

CVE-2026-23333

Removed by vendor...

CVE-2026-23331

In the Linux kernel, the following vulnerability has been resolved: udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected. Let's say we bind an UDP socket to the wildcard address with a non-zero port, connect it to an address, and disconnect it from the address. bind sets...

CVE-2026-23329

In the Linux kernel, the following vulnerability has been resolved: libie: don't unroll if fwlog isn't supported The libiefwlogdeinit function can be called during driver unload even when firmware logging was never properly initialized. This led to call trace: 148.576156 Oops: Oops: 0000 1 SMP...

CVE-2026-23330

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: complete pending data exchange on device close In nciclosedevice, complete any pending data exchange before closing. The data exchange callback e.g. rawsockdataexchangecomplete holds a socket reference. NIPA occasionall...

CVE-2026-23328

In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix NULL pointer dereference of mgmtchann mgmtchann may be set to NULL if the firmware returns an unexpected error in aie2sendmgmtmsgwait. This can later lead to a NULL pointer dereference in aie2hwstop. Fix this b...