Debian Linux vulnerabilities

CVE-2026-23112 [CRITICAL] CVE-2026-23112: linux - In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: ... In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset bef

CVE-2026-23240 [CRITICAL] CVE-2026-23240: linux - In the Linux kernel, the following vulnerability has been resolved: tls: Fix ra... In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler

CVE-2026-23391 [HIGH] CVE-2026-23391: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal. - timeout policy, nfnetlink_cttimeout might remove it. The use of templates with zone and eve

CVE-2026-23066 [HIGH] CVE-2026-23066: linux - In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix ... In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also p

CVE-2026-23172 [HIGH] CVE-2026-23172: linux - In the Linux kernel, the following vulnerability has been resolved: net: wwan: ... In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential skb->frags overflow in RX path When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(s

CVE-2026-23139 [HIGH] CVE-2026-23139: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: update last_gc only when GC has been performed Currently last_gc is being updated everytime a new connection is tracked, that means that it is updated even if a GC wasn't performed. With a sufficiently high packet rate, it is possible to always bypass the GC, causing the list

CVE-2026-23383 [HIGH] CVE-2026-23383: linux - In the Linux kernel, the following vulnerability has been resolved: bpf, arm64:... In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer. Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in

CVE-2026-23191 [HIGH] CVE-2026-23191: linux - In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop... In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attem

CVE-2026-23317 [HIGH] CVE-2026-23317: linux - In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx:... In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter. The error path when the lo

CVE-2026-23274 [HIGH] CVE-2026-23274: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never

CVE-2026-23025 [HIGH] CVE-2026-23025: linux - In the Linux kernel, the following vulnerability has been resolved: mm/page_all... In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: prevent pcp corruption with SMP=n The kernel test robot has reported: BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28 lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0 CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga061578

CVE-2026-23074 [HIGH] CVE-2026-23074: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim managed to concot a

CVE-2026-23253 [HIGH] CVE-2026-23253: linux - In the Linux kernel, the following vulnerability has been resolved: media: dvb-... In the Linux kernel, the following vulnerability has been resolved: media: dvb-core: fix wrong reinitialization of ringbuffer on reopen dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared wai

CVE-2026-23336 [HIGH] CVE-2026-23336: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80... In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID:

CVE-2026-23216 [HIGH] CVE-2026-23216: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: targe... In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_

CVE-2026-23180 [HIGH] CVE-2026-23180: linux - In the Linux kernel, the following vulnerability has been resolved: dpaa2-switc... In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: add bounds check for if_id in IRQ handler The IRQ handler extracts if_id from the upper 16 bits of the hardware status register and uses it to index into ethsw->ports[] without validation. Since if_id can be any 16-bit value (0-65535) but the ports array is only allocated with sw_attr.nu

CVE-2026-23395 [HIGH] CVE-2026-23395: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred

CVE-2026-23230 [HIGH] CVE-2026-23230: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: split cached_fid bitfields to avoid shared-byte RMW races is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb

CVE-2026-23269 [HIGH] CVE-2026-23269: linux - In the Linux kernel, the following vulnerability has been resolved: apparmor: v... In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in

CVE-2026-23209 [HIGH] CVE-2026-23209: linux - In the Linux kernel, the following vulnerability has been resolved: macvlan: fi... In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link