Linux Kernel vulnerabilities

14,483 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 14,483
CISA KEV: 29 actively exploited
Public exploits: 288
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3698, MEDIUM 8486, LOW 419, UNKNOWN 1768

Vulnerabilities

Page 15 of 725
CVE-2026-23212 | MEDIUM | CVSS 4.7 | ≥ 2.6.19, < 6.1.162; ≥ 6.2, < 6.6.123; +3 more | 2026-02-18
CVE-2026-23212 [MEDIUM] CWE-367: In the Linux kernel, the following vulnerability has been resolved: bonding: annotate data-races around slave->last_rx slave->last_rx and slave->target_last_arp_rx[...] can be read and written locklessly. Add READ_ONCE() and WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate write to 0xffff
nvd, osv
CVE-2026-23228 | MEDIUM | CVSS 5.5 | ≥ 5.15.91, < 5.15.201; ≥ 6.1.9, < 6.1.164; +5 more | 2026-02-18
CVE-2026-23228 [MEDIUM] CWE-401: In the Linux kernel, the following vulnerability has been resolved: smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter. Replace free_transport() with ksmbd_tcp_disc
nvd, osv
CVE-2025-71232 | MEDIUM | CVSS 5.5 | ≥ 4.16, < 5.10.251; ≥ 5.11, < 5.15.201; +5 more | 2026-02-18
CVE-2025-71232 [MEDIUM] CWE-772: In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498]
nvd, osv
CVE-2026-23217 | MEDIUM | CVSS 5.5 | ≥ 6.10.10, < 6.11; ≥ 6.11.1, < 6.18.10; +2 more | 2026-02-18
CVE-2026-23217 [MEDIUM] CWE-667: In the Linux kernel, the following vulnerability has been resolved: riscv: trace: fix snapshot deadlock with sbi ecall If sbi_ecall.c's functions are traceable, echo "__sbi_ecall:snapshot" > /sys/kernel/tracing/set_ftrace_filter may get the kernel into a deadlock. (Functions in sbi_ecall.c are excluded from tracing if CONFIG_RISCV_ALTERNATIVE_E
nvd, osv
CVE-2025-71230 | MEDIUM | CVSS 5.5 | ≥ 6.13, < 6.18.11; ≥ 6.19, < 6.19.1 | 2026-02-18
CVE-2025-71230 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: hfs: ensure sb->s_fs_info is always cleaned up When hfs was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info. If setup_bdev_super() fails after a new superblock has been allocated by sget_fc(), but before hfs_fill_super() takes owners
nvd, osv
CVE-2026-23230 | MEDIUM | CVSS 5.5 | ≥ 6.1, < 6.1.164; ≥ 6.2, < 6.6.125; +3 more | 2026-02-18
CVE-2026-23230 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: smb: client: split cached_fid bitfields to avoid shared-byte RMW races is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operation
nvd, osv
CVE-2025-71229 | MEDIUM | CVSS 5.5 | ≥ 6.5, < 6.6.125; ≥ 6.7, < 6.12.72; +2 more | 2026-02-18
CVE-2025-71229 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems. Do 1 byte reads/writes instead. Unable to handle kernel paging request at virtual address ffff8000827
nvd, osv
CVE-2026-23229 | MEDIUM | CVSS 5.5 | ≥ 4.19.306, < 4.20; ≥ 5.4.268, < 5.5; +7 more | 2026-02-18
CVE-2026-23229 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: crypto: virtio - Add spinlock protection with virtqueue notification When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32 openssl processes wi
nvd, osv
CVE-2026-23211 | MEDIUM | CVSS 5.5 | ≥ 6.18, < 6.18.9; v6.19 | 2026-02-18
CVE-2026-23211 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: mm, swap: restore swap_space attr aviod kernel panic commit 8b47299a411a ("mm, swap: mark swap address space ro and add context debug check") made the swap address space read-only. It may lead to kernel panic if arch_prepare_to_swap returns a failure under heavy memory pressure as follows
nvd, osv
CVE-2025-71235 | MEDIUM | CVSS 5.5 | ≥ 4.8, < 5.10.251; ≥ 5.11, < 5.15.201; +5 more | 2026-02-18
CVE-2025-71235 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop. [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [10595
nvd, osv
CVE-2025-71236 | MEDIUM | CVSS 5.5 | ≥ 4.16, < 5.10.251; ≥ 5.11, < 5.15.201; +5 more | 2026-02-18
CVE-2025-71236 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Validate sp before freeing associated memory System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3. [154564.169405] ql
nvd, osv
CVE-2025-71227 | MEDIUM | CVSS 5.5 | ≥ 3.8, < 6.18.10; v6.19 | 2026-02-18
CVE-2025-71227 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't WARN for connections on invalid channels It's not clear (to me) how exactly syzbot managed to hit this, but it seems conceivable that e.g. regulatory changed and has disabled a channel between scanning (channel is checked to be usable by cfg80211_get_ies_channel_numbe
nvd, osv
CVE-2026-23222 | MEDIUM | CVSS 5.5 | ≥ 4.13, < 5.10.251; ≥ 5.11, < 5.15.201; +5 more | 2026-02-18
CVE-2026-23222 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation. Use sizeof(*new_sg) to get the co
nvd, osv
CVE-2026-23219 | MEDIUM | CVSS 5.5 | ≥ 6.10, < 6.12.70; ≥ 6.13, < 6.18.10; +1 more | 2026-02-18
CVE-2026-23219 [MEDIUM] CWE-772: In the Linux kernel, the following vulnerability has been resolved: mm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single When CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning may be noticed: [ 3959.023862] ------------[ cut here ]------------ [ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:37
nvd, osv
CVE-2025-71237 | MEDIUM | CVSS 5.5 | ≥ 3.15, < 5.10.251; ≥ 5.11, < 5.15.201; +5 more | 2026-02-18
CVE-2025-71237 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: nilfs2: Fix potential block overflow that cause system hang When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integ
nvd, osv
CVE-2026-23214 | MEDIUM | CVSS 5.5 | ≥ 5.11, < 6.12.70; ≥ 6.13, < 6.18.10; +1 more | 2026-02-18
CVE-2026-23214 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: btrfs: reject new transactions if the fs is fully read-only [BUG] There is a bug report where a heavily fuzzed fs is mounted with all rescue mount options, which leads to the following warnings during unmount: BTRFS: Transaction aborted (error -22) Modules linked in: CPU: 0 UID: 0 PID: 97
nvd, osv
CVE-2025-71233 | MEDIUM | CVSS 5.5 | ≥ 5.12, < 5.15.201; ≥ 5.16, < 6.1.164; +4 more | 2026-02-18
CVE-2025-71233 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Avoid creating sub-groups asynchronously The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes. The crash can be easily reproduced with the following command
nvd, osv
CVE-2026-23220 | MEDIUM | CVSS 5.5 | ≥ 5.15.145, < 5.16; ≥ 6.1.71, < 6.1.164; +5 more | 2026-02-18
CVE-2026-23220 [MEDIUM] CWE-835: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called.
nvd, osv
CVE-2026-23215 | MEDIUM | CVSS 5.5 | ≥ 6.11, < 6.12.70; ≥ 6.13, < 6.18.10; +1 more | 2026-02-18
CVE-2026-23215 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: x86/vmware: Fix hypercall clobbers Fedora QA reported the following panic: BUG: unable to handle page fault for address: 0000000040003e54 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-2
nvd, osv
CVE-2026-23218 | MEDIUM | CVSS 5.5 | ≥ 6.18, < 6.18.10; v6.19 | 2026-02-18
CVE-2026-23218 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: gpio: loongson-64bit: Fix incorrect NULL check after devm_kcalloc() Fix incorrect NULL check in loongson_gpio_init_irqchip(). The function checks chip->parent instead of chip->irq.parents.
nvd, osv