Linux Kernel vulnerabilities

CVE-2026-23162 [HIGH] CWE-415 CVE-2026-23162: In the Linux kernel, the following vulnerability has been resolved: drm/xe/nvm: Fix double-free on In the Linux kernel, the following vulnerability has been resolved: drm/xe/nvm: Fix double-free on aux add failure After a successful auxiliary_device_init(), aux_dev->dev.release (xe_nvm_release_dev()) is responsible for the kfree(nvm). When there is failure with auxiliary_device_add(), driver will call auxiliary_device_uninit(), which call put_devi

CVE-2026-23195 [HIGH] CWE-416 CVE-2026-23195: In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An UAF issue was observed: BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Tra

CVE-2026-23192 [HIGH] CWE-416 CVE-2026-23192: In the Linux kernel, the following vulnerability has been resolved: linkwatch: use __dev_put() in c In the Linux kernel, the following vulnerability has been resolved: linkwatch: use __dev_put() in callers to prevent UAF After linkwatch_do_dev() calls __dev_put() to release the linkwatch reference, the device refcount may drop to 1. At this point, netdev_run_todo() can proceed (since linkwatch_sync_dev() sees an empty list and returns without bloc

CVE-2025-71221 [HIGH] CWE-362 CVE-2025-71221: In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race c In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freein

CVE-2026-23180 [HIGH] dpaa2-switch: add bounds check for if_id in IRQ handler dpaa2-switch: add bounds check for if_id in IRQ handler In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: add bounds check for if_id in IRQ handler The IRQ handler extracts if_id from the upper 16 bits of the hardware status register and uses it to index into ethsw->ports[] without validation. Since if_id can be any 16-bit value (0-65535) but the ports array is only allocated with sw_

CVE-2026-23197 [MEDIUM] CWE-476 CVE-2026-23197: In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state in block data length handler When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED. However, i2c_imx_master_isr() unconditionally overwrites this with IMX_I2C_STATE_READ_CO

CVE-2026-23164 [MEDIUM] CWE-401 CVE-2026-23164: In the Linux kernel, the following vulnerability has been resolved: rocker: fix memory leak in rock In the Linux kernel, the following vulnerability has been resolved: rocker: fix memory leak in rocker_world_port_post_fini() In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with kzalloc(wops->port_priv_size, GFP_KERNEL). However, in rocker_world_port_post_fini(), the memory is only freed when wops->port_post_fini callback is set:

CVE-2026-23132 [MEDIUM] CVE-2026-23132: In the Linux kernel, the following vulnerability has been resolved: drm/bridge: synopsys: dw-dp: fi In the Linux kernel, the following vulnerability has been resolved: drm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind Fix several issues in dw_dp_bind() error handling: 1. Missing return after drm_bridge_attach() failure - the function continued execution instead of returning an error. 2. Resource leak: drm_dp_aux_register() is not a devm funct

CVE-2026-23133 [MEDIUM] CVE-2026-23133: In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: fix dma_free_cohe In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: fix dma_free_coherent() pointer dma_alloc_coherent() allocates a DMA mapped buffer and stores the addresses in XXX_unaligned fields. Those should be reused when freeing the buffer rather than the aligned addresses.

CVE-2026-23122 [MEDIUM] CVE-2026-23122: In the Linux kernel, the following vulnerability has been resolved: igc: Reduce TSN TX packet buffe In the Linux kernel, the following vulnerability has been resolved: igc: Reduce TSN TX packet buffer from 7KB to 5KB per queue The previous 7 KB per queue caused TX unit hangs under heavy timestamping load. Reducing to 5 KB avoids these hangs and matches the TSN recommendation in I225/I226 SW User Manual Section 7.5.4. The 8 KB "freed" by this change is

CVE-2025-71200 [MEDIUM] CVE-2025-71200: In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requires maintaining a minimum clock of 52MHz in these modes. Add

CVE-2026-23141 [MEDIUM] CVE-2026-23141: In the Linux kernel, the following vulnerability has been resolved: btrfs: send: check for inline e In the Linux kernel, the following vulnerability has been resolved: btrfs: send: check for inline extents in range_is_hole_in_parent() Before accessing the disk_bytenr field of a file extent item we need to check if we are dealing with an inline extent. This is because for inline extents their data starts at the offset of the disk_bytenr field. So accessi

CVE-2026-23130 [MEDIUM] CWE-667 CVE-2026-23130: In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dead lock whi In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dead lock while flushing management frames Commit [1] converted the management transmission work item into a wiphy work. Since a wiphy work can only run under wiphy lock protection, a race condition happens in below scenario: 1. a management frame is queued for

CVE-2026-23157 [MEDIUM] CWE-667 CVE-2026-23157: In the Linux kernel, the following vulnerability has been resolved: btrfs: do not strictly require In the Linux kernel, the following vulnerability has been resolved: btrfs: do not strictly require dirty metadata threshold for metadata writepages [BUG] There is an internal report that over 1000 processes are waiting at the io_schedule_timeout() of balance_dirty_pages(), causing a system hang and trigger a kernel coredump. The kernel is v6.4 ker

CVE-2026-23119 [MEDIUM] CVE-2026-23119: In the Linux kernel, the following vulnerability has been resolved: bonding: provide a net pointer In the Linux kernel, the following vulnerability has been resolved: bonding: provide a net pointer to __skb_flow_dissect() After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") we have to provide a net pointer to __skb_flow_dissect(), either via skb->dev, skb->sk, or a user provided pointer. In the following case, syzbot was able to

CVE-2026-23144 [MEDIUM] CVE-2026-23144: In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: cleanup attrs s In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure When a context DAMON sysfs directory setup is failed after setup of attrs/ directory, subdirectories of attrs/ directory are not cleaned up. As a result, DAMON sysfs interface is nearly broken until the system reboots, and

CVE-2026-23127 [MEDIUM] CVE-2026-23127: In the Linux kernel, the following vulnerability has been resolved: perf: Fix refcount warning on e In the Linux kernel, the following vulnerability has been resolved: perf: Fix refcount warning on event->mmap_count increment When calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the following warning is triggered: refcount_t: addition on 0; use-after-free. WARNING: lib/refcount.c:25 PoC: struct perf_event_attr attr = {0}; int fd = sysc

CVE-2026-23152 [MEDIUM] CVE-2026-23152: In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: correctly decod In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: correctly decode TTLM with default link map TID-To-Link Mapping (TTLM) elements do not contain any link mapping presence indicator if a default mapping is used and parsing needs to be skipped. Note that access points should not explicitly report an advertised TTLM with a

CVE-2026-23201 [MEDIUM] CWE-476 CVE-2026-23201: In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid p In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`. The variable str is guarded by __free(kfree), but advanced by one for skipping the

CVE-2026-23154 [MEDIUM] CVE-2026-23154: In the Linux kernel, the following vulnerability has been resolved: net: fix segmentation of forwar In the Linux kernel, the following vulnerability has been resolved: net: fix segmentation of forwarding fraglist GRO This patch enhances GSO segment handling by properly checking the SKB_GSO_DODGY flag for frag_list GSO packets, addressing low throughput issues observed when a station accesses IPv4 servers via hotspots with an IPv6-only upstream interface