CVE-2026-23438

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with globaltxfc in buffer switching mvpp2bmswitchbuffers unconditionally calls mvpp2bmpoolupdateprivfc when switching between per-cpu and shared buffer pool modes. This function programs CM3...

CVE-2026-23457

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntracksip: fix Content-Length u32 truncation in siphelptcp siphelptcp parses the SIP Content-Length header with simplestrtoul, which returns unsigned long, but stores the result in unsigned int clen. On 64-bit...

CVE-2026-23433

In the Linux kernel, the following vulnerability has been resolved: armmpam: Fix null pointer dereference when restoring bandwidth counters When an MSC supporting memory bandwidth monitoring is brought offline and then online, mpamrestorembwustate calls rismsmonread via ipi to restore the...

CVE-2026-23427

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in durable v2 replay of active file handles parsedurablehandlecontext unconditionally assigns dhinfo-fp-conn to the current connection when handling a DURABLEREQV2 context with SMB2FLAGSREPLAYOPERATION...

CVE-2026-23437

In the Linux kernel, the following vulnerability has been resolved: net: shaper: protect late read accesses to the hierarchy We look up a netdev during prep of Netlink ops pre- callbacks and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual...

CVE-2026-23432

In the Linux kernel, the following vulnerability has been resolved: mshv: Fix use-after-free in mshvmapusermemory error path In the error path of mshvmapusermemory, calling vfree directly on the region leaves the MMU notifier registered. When userspace later unmaps the memory, the notifier fires...

CVE-2026-23467

In the Linux kernel, the following vulnerability has been resolved: drm/i915/dmc: Fix an unlikely NULL pointer deference at probe inteldmcupdatedc6allowedcount oopses when DMC hasn't been initialized, and dmc is thus NULL. That would be the case when the call path is intelpowerdomainsinithw -...

CVE-2026-23430

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Don't overwrite KMS surface dirty tracker We were overwriting the surface's dirty tracker here causing a memory leak...

CVE-2026-23439

In the Linux kernel, the following vulnerability has been resolved: udptunnel: fix NULL deref caused by udpsockcreate6 when CONFIGIPV6=n When CONFIGIPV6 is disabled, the udpsockcreate6 function returns 0 success without actually creating a socket. Callers such as foucreate then proceed to...

CVE-2026-23466

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Open-code GGTT MMIO access protection GGTT MMIO access is currently protected by hotplug drmdeventer, which works correctly when the driver loads successfully and is later unbound or unloaded. However, if driver load fail...

CVE-2026-31391

In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-sha204a - Fix OOM -tfmcount leak If memory allocation fails, decrement -tfmcount to avoid blocking future reads...

CVE-2026-31395

In the Linux kernel, the following vulnerability has been resolved: bnxten: fix OOB access in DBGBUFPRODUCER async event handler The ASYNCEVENTCMPLEVENTIDDBGBUFPRODUCER handler in bnxtasynceventprocess uses a firmware-supplied 'type' field directly as an index into bp-bstrace without bounds...

CVE-2026-23440

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race condition during IPSec ESN update In IPSec full offload mode, the device reports an ESN Extended Sequence Number wrap event to the driver. The driver validates this event by querying the IPSec ASO and checking...

CVE-2026-23450

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smctcpsynrecvsock Syzkaller reported a panic in smctcpsynrecvsock 1. smctcpsynrecvsock is called in the TCP receive path softirq via icskafops-synrecvsock on the clcsock TCP listening...

CVE-2026-23464

In the Linux kernel, the following vulnerability has been resolved: soc: microchip: mpfs: Fix memory leak in mpfssyscontrollerprobe In mpfssyscontrollerprobe, if ofgetmtddevicebynode fails, the function returns immediately without freeing the allocated memory for syscontroller, leading to a memor...

CVE-2025-68153

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju...

CVE-2026-23470

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix deadlock in soft reset sequence The soft reset sequence is currently executed from the threaded IRQ handler, hence it cannot call disableirq which internally waits for IRQ handlers, i.e. itself, to complete...

CVE-2026-23441

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent concurrent access to IPSec ASO context The query or updating IPSec offload object is through Access ASO WQE. The driver uses a single mlx5eipsecaso struct for each PF, which contains a shared DMA-mapped context...

CVE-2026-23431

In the Linux kernel, the following vulnerability has been resolved: spi: amlogic-spisg: Fix memory leak in amlspisgprobe In amlspisgprobe, ctlr is allocated by spialloctarget/spiallochost, but fails to call spicontrollerput in several error paths. This leads to a memory leak whenever the driver...

CVE-2026-23468

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bonumber field. Although the previous multiplication overflow check prevents out-of-bounds...

CVE-2026-31392

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client...

CVE-2026-23465

In the Linux kernel, the following vulnerability has been resolved: btrfs: log new dentries when logging parent dir of a conflicting inode If we log the parent directory of a conflicting inode, we are not logging the new dentries of the directory, so when we finish we have the parent directory's...

CVE-2026-23434

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nandlock and nandunlock call into chip-ops.lockarea/unlockarea without holding the NAND device lock. On controllers that implement SETFEATURES via multiple low-lev...

CVE-2026-23435

In the Linux kernel, the following vulnerability has been resolved: perf/x86: Move event pointer setup earlier in x86pmuenable A production AMD EPYC system crashed with a NULL pointer dereference in the PMU NMI handler: BUG: kernel NULL pointer dereference, address: 0000000000000198 RIP:...

CVE-2026-23471

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

CVE-2026-23459

In the Linux kernel, the following vulnerability has been resolved: iptunnel: adapt iptunnelxmitstats to NETDEVPCPUSTATDSTATS Blamed commits forgot that vxlan/geneve use udptunnel6xmitskb which call iptunnelxmitstats. iptunnelxmitstats was assuming tunnels were only using NETDEVPCPUSTATTSTATS...

CVE-2026-23462

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2capconn reference when user-remove callback is called: 97.809249 l2capconnfree: freeing conn ffff88810a171c00 97.809907 CPU: 1 UID: 0 PID:...

CVE-2026-23458

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlinkdumpexpct ctnetlinkdumpexpct stores a conntrack pointer in cb-data for the netlink dump callback ctnetlinkexpctdumptable, but drops the conntrack reference immediately after...

CVE-2026-23428

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of shareconf in compound request smb2getksmbdtcon reuses work-tcon in compound requests without validating tcon-tstate. ksmbdtreeconnlookup checks tstate == TREECONNECTED on the initial lookup path, but...

CVE-2026-23461

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2capunregisteruser After commit ab4eedb790ca "Bluetooth: L2CAP: Fix corrupted list in hcichandel", l2capconndel uses conn-lock to protect access to conn-users. However, l2capregisteruser a...

CVE-2026-31396

In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use-after-free access to PTP clock PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via gettsinfo ethtool call which is possible while the interfa...

CVE-2026-23453

In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: Fix memory leak in XDPDROP for non-zero-copy mode Page recycling was removed from the XDPDROP path in emacrunxdp to avoid conflicts with AFXDP zero-copy mode, which uses xskbufffree instead. However, this...

CVE-2026-23429

In the Linux kernel, the following vulnerability has been resolved: iommu/sva: Fix crash in iommusvaunbinddevice domain-mm-iommumm can be freed by iommudomainfree: iommudomainfree mmdrop mmdrop mmpasiddrop After iommudomainfree returns, accessing domain-mm-iommumm may dereference a freed mm...

CVE-2026-23463

In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qmandestroyfq When QMANFQFLAGDYNAMICFQID is set, there's a race condition between fqtablefq-idx state and freeing/allocating from the pool and WARNONfqtablefq-idx in qmancreatefq gets...

CVE-2026-23447

In the Linux kernel, the following vulnerability has been resolved: net: usb: cdcncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdcncmrxverifyndp32. The DPE array size is validated against the total skb length withou...

CVE-2026-23456

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntrackh323: fix OOB read in decodeint CONS case In decodeint, the CONS case calls getbitsbs, 2 to read a length value, then calls getuintbs, len without checking that len bytes remain in the buffer. The existing...

CVE-2026-23451

In the Linux kernel, the following vulnerability has been resolved: bonding: prevent potential infinite loop in bondheaderparse bondheaderparse can loop if a stack of two bonding devices is setup, because skb-dev always points to the hierarchy top. Add new "const struct netdevice dev" parameter t...

CVE-2026-23460

In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rosetransmitlink on reconnect syzkaller reported a bug 1, and the reproducer is available at 2. ROSE sockets use four sk-skstate values: TCPCLOSE, TCPLISTEN, TCPSYNSENT, and TCPESTABLISHE...

CVE-2026-23472

In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handletx for PORTUNKNOWN uartwriteroom and uartwrite behave inconsistently when xmitbuf is NULL which happens for PORTUNKNOWN ports that were never properly initialized: - uartwriteroom returns...

CVE-2026-23442

In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths in6devget can return NULL when the device has no IPv6 configuration e.g. MTU IPV6MINMTU or after NETDEVUNREGISTER. Add NULL checks for idev returned by in6devget in both...

CVE-2026-23452

In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pmruntimework may dereference the dev-parent pointer after the parent device has been freed: / Maybe the parent is now able to suspend. / if parent...

CVE-2026-23473

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

CVE-2026-23474

In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIGFORTIFYSOURCE=y and a recent compiler, commit 439a1bcac648 "fortify: Use builtindynamicobjectsize when available" produces the warning below and an oops. Searchi...

CVE-2026-31394

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211chanbwchange for APVLAN stations ieee80211chanbwchange iterates all stations and accesses link-reserved.oper via sta-sdata-linklinkid. For stations on APVLAN interfaces e.g. 4addr WDS clients,...

CVE-2026-23444

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211txprepareskb failure ieee80211txprepareskb has three error paths, but only two of them free the skb. The first error path ieee80211txprepare returning TXDROP does not free it, while...

CVE-2025-68152

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju...

CVE-2026-23454

In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in manahwcdestroychannel by reordering teardown A potential race condition exists in manahwcdestroychannel where hwc-callerctx is freed before the HWC's Completion Queue CQ and Event Queue EQ are...

CVE-2026-23448

In the Linux kernel, the following vulnerability has been resolved: net: usb: cdcncm: add ndpoffset to NDP16 nframes bounds check cdcncmrxverifyndp16 validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: if ndpoffset + sizeofstruct...

CVE-2026-31389

In the Linux kernel, the following vulnerability has been resolved: spi: fix use-after-free on controller registration failure Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid use-after-free of...

CVE-2026-23455

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntrackh323: check for zero length in DecodeQ931 In DecodeQ931, the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to...