Linux Kernel vulnerabilities

CVE-2025-71225 [MEDIUM] CWE-367 CVE-2025-71225: In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updatin In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed. However, freeze_array() only waits unti

CVE-2025-71226 CVE-2025-71226: In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: Implement settime64 as stub for MVM/MLD PTP Since commit dfb073d32c In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: Implement settime64 as stub for MVM/MLD PTP Since commit dfb073d32cac ("ptp: Return -EINVAL on ptp_clock_register if required ops are NULL"), PTP clock registered through ptp_clock_register is required to have ptp_clock_info.settime64

CVE-2025-71228 LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED In the Linux kernel, the following vulnerability has been resolved: LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED For 32BIT platform _PAGE_PROTNONE is 0, so set a VMA to be VM_NONE or VM_SHARED will make pages non-present, then cause Oops with kernel page fault. Fix it by set correct protection_map[] for VM_NONE/VM_SHARED, replacing _PAGE_

CVE-2026-23175 [HIGH] net: cpsw: Execute ndo_set_rx_mode callback in a work queue net: cpsw: Execute ndo_set_rx_mode callback in a work queue In the Linux kernel, the following vulnerability has been resolved: net: cpsw: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this change triggered the following call

CVE-2026-23191 [HIGH] CWE-416 CVE-2026-23191: In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF w

CVE-2026-23158 [HIGH] CWE-416 CVE-2026-23158: In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix UAF in conf In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix UAF in configfs release path The gpio-virtuser configfs release path uses guard(mutex) to protect the device structure. However, the device is freed before the guard cleanup runs, causing mutex_unlock() to operate on freed memory. Specifically, gpio_virtuser_dev

CVE-2025-71220 [HIGH] CVE-2025-71220: In the Linux kernel, the following vulnerability has been resolved: smb/server: call ksmbd_session_ In the Linux kernel, the following vulnerability has been resolved: smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().

CVE-2026-23184 [HIGH] CWE-416 CVE-2026-23184: In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF in binder_netli In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF in binder_netlink_report() Oneway transactions sent to frozen targets via binder_proc_transaction() return a BR_TRANSACTION_PENDING_FROZEN error but they are still treated as successful since the target is expected to thaw at some point. It is then not safe to access

CVE-2026-23156 [HIGH] CVE-2026-23156: In the Linux kernel, the following vulnerability has been resolved: efivarfs: fix error propagation In the Linux kernel, the following vulnerability has been resolved: efivarfs: fix error propagation in efivar_entry_get() efivar_entry_get() always returns success even if the underlying __efivar_entry_get() fails, masking errors. This may result in uninitialized heap memory being copied to userspace in the efivarfs_file_read() path. Fix it by returning t

CVE-2025-71203 [HIGH] CWE-129 CVE-2025-71203: In the Linux kernel, the following vulnerability has been resolved: riscv: Sanitize syscall table i In the Linux kernel, the following vulnerability has been resolved: riscv: Sanitize syscall table indexing under speculation The syscall number is a user-controlled value used to index into the syscall table. Use array_index_nospec() to clamp this value after the bounds check to prevent speculative out-of-bounds access and subsequent data leakage vi

CVE-2026-23204 [HIGH] CWE-125 CVE-2026-23204: In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_hea In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x

CVE-2026-23187 [HIGH] CWE-125 CVE-2026-23187: In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix o In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().

CVE-2026-23209 [HIGH] CWE-416 CVE-2026-23209: In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip lin

CVE-2026-23171 [HIGH] CWE-416 CVE-2026-23171: In the Linux kernel, the following vulnerability has been resolved: bonding: fix use-after-free due In the Linux kernel, the following vulnerability has been resolved: bonding: fix use-after-free due to enslave fail after slave array update Fix a use-after-free which happens due to enslave failure after the new slave has been added to the array. Since the new slave can be used for Tx immediately, we can use it after it has been freed by the enslav

CVE-2026-23185 [HIGH] CWE-416 CVE-2026-23185: In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: cancel mlo_ In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: cancel mlo_scan_start_wk mlo_scan_start_wk is not canceled on disconnection. In fact, it is not canceled anywhere except in the restart cleanup, where we don't really have to. This can cause an init-after-queue issue: if, for example, the work was queued and the

CVE-2025-71201 [HIGH] CWE-125 CVE-2025-71201: In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of page with EOF in middle The read result collection for buffered reads seems to run ahead of the completion of subrequests under some circumstances, as can be seen in the following log snippet: 9p_client_res: client 18446612686390831168 response P9_TR

CVE-2026-23194 [HIGH] CWE-787 CVE-2026-23194: In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle F In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle FDA objects of length zero Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used `skip == 0` to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty F

CVE-2026-23208 [HIGH] CWE-787 CVE-2026-23208: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excess In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240;

CVE-2026-23193 [HIGH] CWE-416 CVE-2026-23193: In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-af In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the ses

CVE-2026-23178 [HIGH] CVE-2026-23178: In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded b