Linux Kernel vulnerabilities

CVE-2026-23231 [HIGH] CWE-416 CVE-2026-23231: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-a In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_r

CVE-2026-23233 [HIGH] CWE-787 CVE-2026-23233: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid mapping wron In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid mapping wrong physical block for swapfile Xiaolong Guo reported a f2fs bug in bugzilla [1] [1] https://bugzilla.kernel.org/show_bug.cgi?id=220951 Quoted: "When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+, the system experiences data c

CVE-2026-23235 [HIGH] CWE-125 CVE-2026-23235: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access in sysfs attribute read/write Some f2fs sysfs attributes suffer from out-of-bounds memory access and incorrect handling of integer values whose size is not 4 bytes. For example: vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out vm:~# cat /sys/fs/f2fs/vde/c

CVE-2026-23234 [HIGH] CWE-416 CVE-2026-23234: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_ In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As syzbot reported an use-after-free issue in f2fs_write_end_io(). It is caused by below race condition: loop device umount - worker_thread - loop_process_work - do_req_filebacked - lo_rw_aio - lo_rw_aio_complete - blk_mq_end_request -

CVE-2025-71238 [HIGH] CWE-415 CVE-2025-71238: In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() c In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present pag

CVE-2026-23237 [MEDIUM] CWE-476 CVE-2026-23237: In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: Add missing NULL pointer checks In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it. For example, cmpc_accel_sensitivity_store_v4

CVE-2026-23238 [MEDIUM] CWE-617 CVE-2026-23238: In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger tha

CVE-2026-23232 [MEDIUM] CWE-667 CVE-2026-23232: In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: block cache/dio w In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()" This reverts commit 196c81fdd438f7ac429d5639090a9816abb9760a. Original patch may cause below deadlock, revert it. write remount - write_begin - lock_page --- lock A - prepare_write_begin - f2fs_map_lock - f2fs_

CVE-2026-23236 [HIGH] CVE-2026-23236: In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy i In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly

CVE-2026-23221 [HIGH] CWE-416 CVE-2026-23221: In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free in driver_override_show() The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_l

CVE-2025-71231 [HIGH] CWE-125 CVE-2025-71231: In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode The local variable 'i' is initialized with -EINVAL, but the for loop immediately overwrites it and -EINVAL is never returned. If no empty compression mode can be found, the function would return the out-of-bou

CVE-2026-23227 [HIGH] CWE-416 CVE-2026-23227: In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use ctx->lock In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem. For example, use-after-free can occur i

CVE-2025-71234 [HIGH] CWE-787 CVE-2025-71234: In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: fix slab-out-of In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info thro

CVE-2026-23216 [HIGH] CWE-416 CVE-2026-23216: In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-af In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed

CVE-2026-23223 [HIGH] CWE-416 CVE-2026-23223: In the Linux kernel, the following vulnerability has been resolved: xfs: fix UAF in xchk_btree_chec In the Linux kernel, the following vulnerability has been resolved: xfs: fix UAF in xchk_btree_check_block_owner We cannot dereference bs->cur when trying to determine if bs->cur aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed. Fix this by sampling before type before any freeing could happen. The correct temporal ordering was broke

CVE-2026-23226 [HIGH] CWE-416 CVE-2026-23226: In the Linux kernel, the following vulnerability has been resolved: ksmbd: add chann_lock to protec In the Linux kernel, the following vulnerability has been resolved: ksmbd: add chann_lock to protect ksmbd_chann_list xarray ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load

CVE-2026-23224 [HIGH] CWE-416 CVE-2026-23224: In the Linux kernel, the following vulnerability has been resolved: erofs: fix UAF issue for file-b In the Linux kernel, the following vulnerability has been resolved: erofs: fix UAF issue for file-backed mounts w/ directio option [ 9.269940][ T3222] Call trace: [ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108 [ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198 [ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180 [ 9.270008][ T3222] erofs_fileio

CVE-2026-23212 [MEDIUM] CWE-367 CVE-2026-23212: In the Linux kernel, the following vulnerability has been resolved: bonding: annotate data-races ar In the Linux kernel, the following vulnerability has been resolved: bonding: annotate data-races around slave->last_rx slave->last_rx and slave->target_last_arp_rx[...] can be read and written locklessly. Add READ_ONCE() and WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate write to 0xffff

CVE-2025-71232 [MEDIUM] CWE-772 CVE-2025-71232: In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498]

CVE-2026-23217 [MEDIUM] CWE-667 CVE-2026-23217: In the Linux kernel, the following vulnerability has been resolved: riscv: trace: fix snapshot dead In the Linux kernel, the following vulnerability has been resolved: riscv: trace: fix snapshot deadlock with sbi ecall If sbi_ecall.c's functions are traceable, echo "__sbi_ecall:snapshot" > /sys/kernel/tracing/set_ftrace_filter may get the kernel into a deadlock. (Functions in sbi_ecall.c are excluded from tracing if CONFIG_RISCV_ALTERNATIVE_E