CVE-2025-71144

The CVE-2025-71144 issue is in the Linux kernel’s MPTCP code path, where after a commit, if the MPC subflow is already TCP_CLOSE or falls back to TCP, mptcp_do_fastclose() may skip setting the send_fastclose flag, causing __mptcp_close_ssk() to stop resetting the subflow context. Consequently, a ...

CVE-2025-71153

Technical details for CVE-2025-71153 are not publicly available in the provided connected documents. Monitor for updates from security advisories and vendor PSNs to obtain affected products, impact, and remediation.

CVE-2025-71155

CVE-2025-71155 concerns the Linux kernel KVM on s390 where gmap_helper_zap_one_page() had missing checks that could lead to memory corruption in a guest under specific circumstances. The connected documents confirm the vulnerability and describe the root cause as incomplete validation within that...

CVE-2025-71222

CVE-2025-71222 (Linux kernel) : Affects the wifi wlcore path. The issue arises from an insufficient skb headroom check before skb_push, causing an skb_under_panic Oops in wl1271_tx_work when headroom is insufficient (typical 110 vs 94, leaving 16 bytes). The fix ensures proper headroom before skb...

CVE-2025-71237

CVE-2025-71237 corresponds to a Linux kernel nilfs2 issue where an underflow during FITRIM end_block calculation can produce a negative nblocks, turning into a large positive value and causing the block layer to hang while processing a discard. The description and connected advisories confirm the...

CVE-2025-71268

The CVE-2025-71268 issue is a Linux kernel vulnerability in btrfs where a reservation leak can occur on some error paths when inserting an inline extent. The root cause is that __cow_file_range_inline() may exit without freeing reserved qgroup data if allocation of a path or join of a transaction...

CVE-2025-71286

The CVE-2025-71286 issue concerns the Linux kernel’s ALSA SOF ipc4-topology component, where memory allocation for bytes controls was miscalculated. This could allow local memory corruption due to under-allocating space behind scontrol->ipc_control_data; fixes request allocating additional mem...

CVE-2025-71291

The CVE-2025-71291 issue affects the Linux kernel bcm_vk_read() function, where a NULL entry dereference could occur if entry is NULL and rc is -EMSGSIZE, potentially causing system instability or DoS. The fix copies fields (to_h_msg, usr_msg_id, to_h_blks) from the iterator into temporary variab...

CVE-2025-71293

CVE-2025-71293 concerns the Linux kernel amdgpu ras issue where, if eeprom contained only invalid addresses, allocation could be skipped and lead to a NULL pointer dereference when reading bad pages. The fix moves the ras data allocation before the bad-page check, resolving a NULL pointer derefer...

CVE-2025-71302

The CVE-2025-71302 issue affects the Linux kernel in the drm/panthor component, tied to dma-fence safe access rules. The root cause is a race between drm_sched_fence_get_timeline_name and group_free_queue, which can lead to unsafe fence handling. Affected area is the dma-fence safe access mechani...

CVE-2026-22988

CVE-2026-22988 affects the Linux kernel’s arp handling, specifically the assumption that skb->head remains unchanged after dev_hard_header() in arp_create(). The issue arises when a recent commit altered skb->head, breaking that assumption. The publicly provided description and OpenVAS/Ness...

CVE-2026-22989

CVE-2026-22989 affects the Linux kernel NFS server (nfsd). The issue occurs when unlocking the filesystem via an administrative interface while nfsd is not running, causing nfsd4_revoke_states() to access freed state structures (eg conf_id_hashtbl) during server shutdown and potentially crash. Th...

CVE-2026-23014

The CVE-2026-23014 issue concerns the Linux kernel perf subsystem, specifically the swevent hrtimer. The root cause is that after changing hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer(), the hrtimer could remain active when the event is freed. The fix adds a full hrtimer_cancel() on the...

CVE-2026-23077

CVE-2026-23077 concerns a Linux kernel mm/vma anon_vma UAF during mremap() of faulted adjacent VMAs. The issue spanned three adjacency cases (prev/next both unfaulted, and combos with faulted adjacent), and the patch series fixes incorrect anon_vma merging and missing fork checks, including self-...

CVE-2026-23095

CVE-2026-23095 affects the Linux kernel Gue (GUE) path. It describes a skb memory leak when inner IP protocol is 0, triggered by a GUE repro. The issue arises because gue_udp_recv() may propagate a zero protocol, causing a memory leak; the fix drops such packets. The description notes that 0 is a...

CVE-2026-23118

The CVE-2026-23118 entry concerns a Linux kernel rxrpc data-race: rxrpc_peer_keepalive_worker and rxrpc_send_data_packet access peer->last_tx_at without synchronization, and the 64-bit last_tx_at risking 32-bit tearing. The fix changes last_tx_at to unsigned int and stores only the least-signi...

CVE-2026-23144

CVE-2026-23144 affects the Linux kernel in mm/damon/sysfs where, on context dir setup failure, subdirectories under attrs/ aren’t cleaned up. This leaves the DAMON sysfs interface effectively broken until reboot and leaks memory from unremoved directories. The issue is fixed by cleaning up those ...

CVE-2026-23150

Technical details about CVE-2026-23150 are not publicly provided in the supplied documents. The description mentions a memory leak fix in NFC LLCP, but no vendor/product/version specifics or remediation steps are included here. Monitor for updates.

CVE-2026-23151

CVE-2026-23151 in the Linux kernel Bluetooth MGMT path fixes a memory leak in set_ssp_complete due to missing mgmt_pending_free(cmd) calls (and similarly in set_advertising_complete).Root cause: mgmt_pending_cmd structures and their data were not freed after SSP commands completed, after a prior ...

CVE-2026-23241

CVE-2026-23241 affects the Linux kernel audit subsystem: the read class was missing getxattrat()/listxattrat() syscalls, enabling bypass of audit rules (e.g., -w /tmp/test -p rwa). Upstream patches add the missing syscalls to the audit read class. Connected OSV entries report Root:Ubuntu-24.04 an...

CVE-2026-23257

CVE-2026-23257 is a Linux kernel off-by-one cleanup bug affecting PF setup_nic_devices() in the liquidio path, linked to a memory leak. Connected advisories indicate Root:Ubuntu:24.04 and Ubuntu:22.04 have patched this CVE in the rootio-linux package, with multiple fixed versions available. The p...

CVE-2026-23281

In CVE-2026-23281, the Linux kernel Libertus wifi driver (lbs_free_adapter) uses non‑synchronous timer_delete() for command_timer and tx_lockup_timer, risking use‑after‑free if a timer callback runs during free. The callbacks (lbs_cmd_timeout_handler, lbs_tx_lockup_handler) access freed fields, c...

CVE-2026-23283

The vulnerability CVE-2026-23283 affects the Linux kernel regulator fp9931 component. In fp9931_hwmon_read(), when regmap_read() fails, the function returns the error without calling pm_runtime_put_autosuspend(), causing a PM runtime reference leak. This can lead to resource exhaustion and system...

CVE-2026-23289

CVE-2026-23289 affects the Linux kernel (IB/mthca path) in which a missed mthca_unmap_user_db() for mthca_create_srq can trigger a leak on a failed system call. The vulnerability, with local attack vector and low privileges required, may lead to privilege escalation, DoS, or information leaks as ...

CVE-2026-23292

CVE-2026-23292 : Linux kernel scsi: target: Fix recursive locking in __configfs_open_file(). The root cause was target_core_item_dbroot_store() attempting to open the file path (which is the same configfs file already held) using filp_open(), leading to potential nested frag_sem locking. The fix ...

CVE-2026-23293

CVE-2026-23293 affects the Linux kernel net/vxlan code. Root cause: when IPv6 is disabled (ipv6.disable=1), nd_tbl is not initialized, leading to a NULL pointer dereference in neigh_lookup() invoked by route_shortcircuit() when an IPv6 packet is injected. Impact is local: a crafted, locally deliv...

CVE-2026-23312

CVE-2026-23312 concerns the Linux kernel: the net: usb: kaweth driver did not validate USB endpoint counts/types when probing a device. The root cause is lack of validation before binding, which could allow a malicious device to cause a crash by accessing endpoints that aren’t present or correctl...

CVE-2026-23319

Summary (CVE-2026-23319) : In the Linux kernel, a use-after-free (UAF) vulnerability in bpf_trampoline_link_cgroup_shim was fixed. The root cause was a race window where, after bpf_link_put reduces the refcount of shim_link->link.link to zero, the resource is considered released but may still ...

CVE-2026-23321

CVE-2026-23321 relates to the Linux kernel MPTCP subsystem (mptcp: pm: in-kernel: always mark signal+subflow endp as used). The vulnerability was addressed in the upstream kernel by patching endp handling in the PM code, reducing warning/usage inconsistencies when signaling ADD_ADDRs and subflows...

CVE-2026-23335

CVE-2026-23335: Linux kernel RDMA/irdma create_user_ah() leak resolved. Root cause: the irdma_create_ah_resp struct contained 4 bytes (rsvd) that were never zeroed, leaking stack memory prior to ib_respond_udata(). Affected code paths thus exposed uninitialized stack content (4 bytes) in the resp...

CVE-2026-23346

CVE-2026-23346 affects the Linux kernel (arm64) in the ioremap_prot pathway. The root cause is that ioremap_prot() may extract non-address bits from a user mapping’s pgprot_t (including permissions) and generate a new user mapping, which can be accessed by the kernel when PAN is enabled. This can...

CVE-2026-23350

CVE-2026-23350 is a Linux kernel vulnerability in the drm/xe/queue path. The issue arises when an exec queue creation fails and is not properly finalized, leaving a damaged queue in exec_queue_lookup which can cause an invalid memory reference. The fix adds a finalization call (fini) for each que...

CVE-2026-23357

CVE-2026-23357 affects the Linux kernel can/mcp251x driver. The deadlock occurred when free_irq() was called in the error path of mcp251x_open while mpc_lock was still held, potentially waiting for an IRQ handler. The fix moves free_irq() to after releasing the lock, and sets priv->force_quit ...

CVE-2026-23362

CVE-2026-23362 affects the Linux kernel component can/bcm locking during bcm_op runtime updates (bcm_tx_setup/bcm_rx_setup). Connected OSV records show Root (rootio-linux) has patched this CVE in Root:Debian:11/12/13 with multiple fixed versions across Debian/Ubuntu and Mageia advisories, indicat...

CVE-2026-23364

CVE-2026-23364 concerns the Linux kernel’s ksmbd path, where MAC comparisons were not performed in constant time. The underlying issue is a timing-attack-prone memcmp() usage; the recommended fix is to replace memcmp() with crypto_memneq() to ensure constant-time comparisons. The vulnerability is...

CVE-2026-23367

CVE-2026-23367 – Linux kernel (wifi: radiotap: reject radiotap with unknown bits) The issue arises in the radiotap parser used for the radiotap namespace. If an undefined field (field 18) is present, the alignment/size is unknown and iterator->_next_ns_data is not initialized for non-visible v...

CVE-2026-23382

The CVE-2026-23382 entry concerns the Linux kernel HID subsystem. The issue arises when raw HID event callbacks can fire for a device that has not been claimed, potentially leading to a crash due to a missing HID_CLAIMED_INPUT guard. The fix, described in the upstream commit 2ff5baa9b527, adds th...

CVE-2026-23383

CVE-2026-23383 affects the Linux kernel’s BPF JIT path on arm64. The root cause was 4-byte alignment in bpf_jit_binary_pack_alloc() causing the JIT buffer’s base to be only 4-byte aligned, which could misalign the 64-bit target field in struct bpf_plt. Consequences include UBSAN misaligned-access...

CVE-2026-23386

CVE-2026-23386 concerns the Linux kernel gve driver in QPL mode, where gve_tx_clean_pending_packets() could misinterpret the dma_addr_t array as buffer IDs, causing out-of-bounds/unmap errors. The root cause was an improper buffer cleanup path in gve_tx_clean_pending_packets() that could referenc...

CVE-2026-23387

The CVE-2026-23387 issue concerns the Linux kernel fix for a double-put in pinctrl/cirrus cs42l43 handling during cs42l43_pin_probe, caused by an explicit put after devm_add_action_or_reset() already performing an action on failure. Connected OSV entries (ROOT-OS-DEBIAN-13-CVE-2026-23387 and ROOT...

CVE-2026-23393

CVE-2026-23393 – Linux kernel (bridge/cfm) race fix : A race during peer MEP deletion could occur because br_cfm_frame_rx() could re-schedule ccm_rx_dwork while peer_mep is freed under RCU, risking use-after-free. The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync() in bot...

CVE-2026-23394

CVE-2026-23394 – af_unix GC race with MSG_PEEK (Linux kernel) : A race between MSG_PEEK and garbage collection can cause the GC to incorrectly GC dead sockets, since MSG_PEEK silently bumps a file refcount. The issue originates from a change in the current GC algorithm and the removal of the lock...

CVE-2026-23409

The CVE-2026-23409 issue is in the Linux kernel AppArmor differential encoding verification. It describes two bugs: (1) mixing states that have already been verified with those currently being checked, which can cause loops in the current chain to be treated as verified, and (2) an incorrect bail...

CVE-2026-23411

CVE-2026-23411 corresponds to a Linux kernel AppArmor race condition: freeing i_private data can race with filesystem access because the inode may outlive references. The issue is resolved by moving the put of i_private referenced data to the correct place during inode eviction. Affects AppArmor ...

CVE-2026-23414

CVE-2026-23414 is addressed in the Linux kernel TLS code. The vulnerability involved the async_hold queue that pins encrypted input skbs while AEAD operations reference scatterlist data. The fix centralizes purge of async_hold in tls_decrypt_async_wait(), ensuring all callers (recvmsg drain path,...

CVE-2026-23424

The CVE-2026-23424 vulnerability affects the Linux kernel’s accel/amdxdna component, caused by insufficient validation of the command buffer payload count. The count field in the command header determines the payload size, and the data must not exceed the remaining buffer space. If not properly c...

CVE-2026-23437

CVE-2026-23437 (Linux kernel) concerns the net: shaper module. A missing liveness check occurs when a netdev is looked up during prep of Netlink operations, a reference is taken, and later the code uses the netdev’s lock or RCU protections. The conversion from a ref to a locked netdev may proceed...

CVE-2026-23464

CVE-2026-23464 concerns the Linux kernel vulnerability in the Microchip PolarFire SoC mpfs driver. The issue is a memory leak in mpfs_sys_controller_probe(): if of_get_mtd_device_by_node() fails, the function returns early without freeing allocated memory for sys_controller. The fix routes error ...

CVE-2026-31410

CVE-2026-31410 has concrete patch evidence across multiple OSV entries. Root-OS shows Root:Ubuntu-24.04 and Root:Ubuntu-22.04 patched in the rootio-linux package, with multiple fixed versions available. Debian-backed advisories also indicate Linux kernel vulnerabilities including CVE-2026-31410 a...

CVE-2026-31420

CVE-2026-31420 affects Linux kernel bridge MRP interval handling. Vulerability arises when br_mrp_start_test/br_mrp_start_in_test accept a user-supplied interval from netlink with no validation; if interval is 0, the delay becomes zero and a tight loop can exhaust memory, causing an OOM kernel pa...