CVE-2026-23369

CVE-2026-23369 (i2c i801) Summary: The vulnerability affects the Linux kernel i2c/i801 driver. Under rare boot-time race conditions, multiple udev threads may access i801_acpi_io_handler concurrently, leading to a scenario where an area is deregistered and a subsequent access uses an unregistered...

CVE-2026-23374

CVE-2026-23374 affects the Linux kernel blktrace path. The root cause is tracing_record_cmdline() using __this_cpu_read()/__this_cpu_write() on a per-CPU variable while preemption is enabled, which is unsafe and triggers a kernel BUG in preemptible code through __blk_add_trace() paths. Public wri...

CVE-2026-23391

CVE-2026-23391 affects the Linux kernel netfilter xt_CT feature. The issue arises when templates reference nfqueue objects (e.g., helper, nfnetlink_cttimeout) that can be removed while packets are queued, potentially leaving pending packets. The vulnerability has been resolved by flushing enqueue...

CVE-2026-23397

CVE-2026-23397 affects the Linux kernel nfnetlink_osf fingerprint matching. The issue arises when parsing TCP option fingerprints: add-time checks for option lengths are insufficient, allowing a zero-length option to bypass bounds checks and potentially trigger a fault in nf_osf_match_one() (kern...

CVE-2026-23402

CVE-2026-23402 affects the Linux kernel KVM MMU on x86. The issue arises when overwriting a shadow-present SPTE with a different PFN, where KVM’s sanity check could allow harmful state changes in direct MMUs (i.e., MMUs without shadowed gPTEs). The problem is tracked in KVM’s mmu_set_spte path, a...

CVE-2026-23413

The CVE-2026-23413 entry concerns the Linux kernel: a use-after-free in the clsact qdisc during init/destroy rollback caused by asymmetrical initialization between ingress and egress sides. A failed replacement during clsact_init() (e.g., via tcf_block_get_ext()) could leave both ingress and egre...

CVE-2026-23421

The CVE-2026-23421 issue is a Linux kernel memory-leak in drm/xe/configfs where ctx_restore_mid_bb is allocated in wa_bb_store() but freed only partially by xe_config_device_release(), leaving ctx_restore_mid_bb[0].cs undisposed when a configfs device is removed. The vulnerability is described as...

CVE-2026-23434

CVE-2026-23434 affects the Linux kernel MTD NAND driver (mtd: rawnand) where nand_lock()/nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. The fix introduces serialisation by wrapping those lock/unlock calls with nand_get_device()/nand_release_device...

CVE-2026-23439

The CVE-2026-23439 entry describes a Linux kernel issue in udp_tunnel where, if CONFIG_IPV6 is disabled, udp_sock_create6() can return success without creating a socket. This leads to a NULL pointer dereference when callers like fou_create() dereference the uninitialized socket pointer, causing a...

CVE-2026-23443

CVE-2026-23443 refers to a Linux kernel ACPI processor errata handling flaw (piix4). A use-after-free could occur from dereferencing device pointers after their objects were freed, stemming from a NULL-pointer dereference in acpi_processor_errata_piix4(). The fix moves diagnostic message printing...

CVE-2026-23445

Summary of CVE-2026-23445 (Linux kernel igc driver) Affected component: igc network driver in the Linux kernel, specifically the XDP TX timestamping path. Root cause: during shutdown of the TX ring, the code leaves behind stale xsk_meta pointers, causing the IRQ handler to touch invalid pointers ...

CVE-2026-23460

CVE-2026-23460 (Linux kernel) affects the Rose (net/rose) path. The bug occurs when a second connect() is issued while a first connect is in progress (state TCP_SYN_SENT); rose_get_neigh() may return NULL, leaving rose->state ROSE_STATE_1 with neighbour NULL, and on socket close rose_transmit_...

CVE-2026-23465

CVE-2026-23465 affects the Linux kernel (btrfs) where logging the parent directory of a no-longer-existing conflicting inode could skip logging the directory’s new dentries, causing missing dentries after a power loss when an fsync occurs. The issue is resolved by logging new dir dentries wheneve...

CVE-2026-23469

CVE-2026-23469 concerns the Linux kernel’s drm/imagination driver, where a race between the Runtime PM suspend callback and the IRQ handler could let the IRQ thread access GPU registers while the GPU is suspended. The description in multiple sources states that synchronize_irq() should be awaited...

CVE-2026-23474

CVE-2026-23474 concerns a Linux kernel issue related to RedBoot partition table parsing that could trigger a buffer overflow when Fortify-derived checks mis-handle dynamic allocation sizing. The connected OSV/Nessus data indicate this vulnerability has been addressed in multiple distros via patch...

CVE-2026-23475

CVE-2026-23475 affects the Linux kernel SPI subsystem. The issue was a NULL pointer dereference window in per‑CPU controller statistics: stats were allocated only after controller registration with driver core, so early sysfs access could dereference NULL. The fix moves statistics allocation to t...

CVE-2026-31398

Summary (CVE-2026-31398) : A Linux kernel MMU issue in the rmap code affects lazyfree folios during batch unmapping. When a folio’s pages have a mix of writable and non-writable PTEs, the batch restoration path could mark the entire batch writable, breaking CoW semantics and potentially causing a...

CVE-2026-31416

CVE-2026-31416 (Linux kernel) : Affected component is netfilter nfnetlink_log. The issue is caused by not accounting for the netlink header size when processing NL messages, which can lead to a WARN splat and potential drop of the affected netlink message, with no other ill effects reported in th...

CVE-2026-31417

The CVE-2026-31417 issue affects the Linux kernel’s net/x25 implementation. Affected component: x25_sock.fraglen can overflow during packet accumulation, with the root cause involving missing overflow checks and an incorrect fraglen reset when fragment_queue is purged in x25_clear_queues(). The p...

CVE-2026-31423

The CVE-2026-31423 issue affects the Linux kernel’s net/sched sch_hfsc; rtsc_min() can divide by a value derived from the difference of large u64 slopes, risking a divide-by-zero when the difference equals 2^32. The fix widens the internal counter to u64 and replaces do_div() with div64_u64() to ...

CVE-2026-31425

The CVE-2026-31425 issue concerns a Linux kernel RDS path (rds_ib_get_mr/rds_ib_post_reg_frmr) where FRWR/memory registration could dereference a NULL i_cm_id/qp on outgoing connections before rdma_cm_id is established. Connected docs confirm the vulnerability is addressed by patches in several d...

CVE-2026-31433

CVE-2026-31433 affects the Linux kernel ksmbd module. A vulnerability arises when processing a compound SMB request of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION): the code lacked a validation check on the client-provided OutputBufferLength before copying a filename into the smb2_file_all...

CVE-2026-31440

CVE-2026-31440 affects the Linux kernel’s dmaengine idxd driver. The issue arises during device removal when a reset clears configuration registers, causing the prior check for event log support to fail if evl is no longer valid. The propagated fixes remove the check for “evl” enabled state and i...

CVE-2026-31441

CVE-2026-31441 affects the Linux kernel in the dmaengine: idxd component, where a memory leak occurs on workqueue reset. Root cause: idxd_wq_disable_cleanup() resets the wq type to NONE before resources are released. The upstream patch fixes the leak by ensuring resources are released before clea...

CVE-2026-31442

CVE-2026-31442 affects the Linux kernel in the dmaengine: idxd component. The issue occurs during a Function Level Reset (FLR): if the first FLR succeeds but the second FLR cannot allocate the scratch area for the saved configuration, an invalid memory access can occur. Reports from multiple vend...

CVE-2026-31443

CVE-2026-31443 : Linux kernel, dmaengine: idxd driver fix. When hardware does not support event logging and a Function Level Reset (FLR) occurs, the driver previously attempted to restore the event log even if it was never allocated, and may crash. The fix ensures the event log is only freed if i...

CVE-2026-31452

CVE-2026-31452 affects the Linux kernel ext4 filesystem. Connected sources confirm a concrete vulnerability in inline data storage: when truncate() increases a file beyond the inline capacity, ext4 currently risks the inode inline flag and the file size becoming inconsistent. The fix introduces a...

CVE-2026-31459

CVE-2026-31459 affects the Linux kernel DAMON_SYSFS path. The vulnerability is a memory leak: when damon_sysfs_new_test_ctx() fails inside damon_sysfs_commit_input(), param_ctx is leaked because the cleanup at the out label is skipped. The patch series “mm/damon/sysfs: fix memory leak and NULL de...

CVE-2026-31464

Summary (CVE-2026-31464): In the Linux kernel, the scsi: ibmvfc driver is fixed to cure an out-of-bounds access during target discovery. A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directl...

CVE-2026-31477

In CVE-2026-31477, the Linux kernel ksmbd component smb2_lock() had three error-handling issues after detaching smb_lock from lock_list: (1) non-UNLOCK path leaks smb_lock and its flock when vfs_lock_file() returns an unexpected error, (2) UNLOCK path leaks on -ENOENT with stale error code, and (...

CVE-2026-31481

CVE-2026-31481 affects the Linux kernel tracing code. The issue arises from boot-time trigger frees not being drained when kthread creation fails, causing boot-time deferred entries to leak and a NULL pointer dereference that crashes the system. The fix drains the entire queued list synchronously...

CVE-2026-31492

The CVE-2026-31492 entry concerns the Linux kernel RDMA irdma driver. Root cause: in irdma_create_qp, if ib_copy_to_udata fails, irdma_destroy_qp cleanup waits on free_qp completion that has not been initialized yet. The fix is to initialize the free_qp completion before the ib_copy_to_udata call...

CVE-2026-31494

Technical details for CVE-2026-31494 are not publicly provided in the supplied documents; monitor for updates.

CVE-2026-31502

CVE-2026-31502 : The connected sources detail a Linux kernel vulnerability involving a type confusion in the team network device’s header_ops for non-Ethernet ports. The root cause is that team_setup_by_port() can copy port_dev->header_ops and later callbacks (dev_hard_header/dev_parse_header)...

CVE-2026-31526

Summary: CVE-2026-31526 concerns the Linux kernel BPF verifier. A defect in exception exits for BPF subprograms allowed ORC unwinding to proceed without releasing user-held locks, risking resource leaks and instability. The root cause: process_bpf_exit_full() could set check_lock=false for except...

CVE-2026-31529

The CVE-2026-31529 issue affects the Linux kernel in the cxl/region code path. The vulnerability is a leakage (resource/memory) in __construct_region(): if sysfs_update_group() fails, the resource isn’t explicitly freed, which can lead to leakage. Several sources confirm the fix and describe the ...

CVE-2026-31537

In the Linux kernel SMB server, CVE-2026-31537 arises from improper handling of smbdirect_socket.send_io.bcredits, which can corrupt the stream of reassembled data transfer messages when triggering an immediate (empty) send. The fix introduces a single batch credit per connection; code obtaining ...

CVE-2026-31540

CVE-2026-31540 affects the Linux kernel i915 graphics driver. The vulnerability occurs when the i915 firmware binaries are absent and the set_default_submission pointer is not initialized, which can be dereferenced during suspend, causing a kernel NULL pointer dereference and a potential DoS. The...

CVE-2026-31541

CVE-2026-31541: In the Linux kernel tracing subsystem, when copy_trace_marker is enabled, deleting a tracing instance could bypass synchronization and leave a Use-After-Free (UAF) due to incorrect ordering of flag clearing and marker list updates. The fix moves clearing of all flags below the upd...

CVE-2026-31546

The CVE-2026-31546 fix applies to the Linux kernel bonding driver: bond_debug_rlb_hash_show could dereference a NULL slave, leading to a kernel NULL pointer dereference and potential DoS. The mitigation is to add a NULL check and print "(none)" for entries with no assigned slave; other code paths...

CVE-2026-31547

CVE-2026-31547 affects the Linux kernel DRM/xe driver. The flaw is a missing outer runtime PM reference in ccs_mode_store, where ccs_mode_store() calls xe_gt_reset() which invokes xe_pm_runtime_get_noresume() that requires an outer runtime PM reference. The result is a runtime PM protection warni...

CVE-2026-31553

CVE-2026-31553 affects the Linux kernel KVM on arm64. The issue stems from computing descriptor addresses in __kvm_at_swap_desc() using (u64 __user )hva + offset, which miscomputes when offset ≠ 0, effectively performing offset 8. The correction is to use hva + offset to obtain the correct S1/S2 ...

CVE-2026-31560

CVE-2026-31560 affects the Linux kernel spi-dw-dma path. When completing an SPI transaction, an error in handling a missing device message can lead to a system crash; the recommended fix is to obtain the device from the struct spi_controller* (dev from the controller). The vulnerability has been ...

CVE-2026-31561

CVE-2026-31561 affects the Linux kernel: the fix removes the X86_CR4_FRED bit from the CR4 pinning mask to avoid a boot-time window where exceptions cannot be handled. The vulnerability is detailed as a problem where FRED was temporarily disabled during AP boot, which could let an attacker modify...

CVE-2026-31565

Summary: CVE-2026-31565 affects the Linux kernel RDMA/irdma component, where a netdev reset with active RDMA applications can deadlock during device/client removal (cma/uverbs paths). The root cause is a circular dependency between iWARP-related clients and references held during device reset, le...

CVE-2026-31575

The CVE-2026-31575 issue affects the Linux kernel mm/userfaultfd code, where hugetlb fault mutex hashing used linear_page_index() (PAGE_SIZE units) instead of huge-page units, causing different mutexes to be used for addresses within the same huge page. The mismatch can allow races between faulti...

CVE-2026-31599

CVE-2026-31599 concerns a flaw in the Linux kernel vidtv driver where vidtv_pmt_stream_init can return NULL and the caller (vidtv_channel_pmt_match_sections) does not check for this, leading to a NULL pointer dereference in vidtv_psi_desc_assign and a general protection fault. The fixes add a NUL...

CVE-2026-31609

CVE-2026-31609 affects the Linux kernel SMB client; the double-free occurs in smbd_free_send_io() after smbd_send_batch_flush() because smbd_send_batch_flush() already frees via smbd_free_send_io() and has been moved to the batch list. The issue has been addressed in multiple advisories and patch...

CVE-2026-31611

CVE-2026-31611 affects the Linux kernel's ksmbd path. The flaw occurs in parse_dacl() when comparing ACE SIDs to sid_unix_NFS_mode and subsequently reading sid.sub_auth[2] as the file mode. If the SID has only two sub-authorities, an ACE placed at the end of the ACL can cause sid.sub_auth[2] to r...

CVE-2026-31625

CVE-2026-31625 concerns the Linux kernel HID alps driver, where a NULL pointer dereference could occur when processing raw events. The root cause was insufficient verification of device claiming before handling a raw event, which could lead to system instability. The fixed trajectory includes com...