Linux Kernel vulnerabilities

CVE-2026-23120 [MEDIUM] CVE-2026-23120: In the Linux kernel, the following vulnerability has been resolved: l2tp: avoid one data-race in l2 In the Linux kernel, the following vulnerability has been resolved: l2tp: avoid one data-race in l2tp_tunnel_del_work() We should read sk->sk_socket only when dealing with kernel sockets. syzbot reported the following data-race: BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu

CVE-2026-23113 [MEDIUM] CVE-2026-23113: In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: check IO_WQ_BIT In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Currently this is checked before running the pending work. Normally this is quite fine, as work items either end up blocking (which will create a new worker for other items), or they complete fairly quickly. But syzbot reports an i

CVE-2026-23150 [MEDIUM] CWE-401 CVE-2026-23150: In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: Fix memleak in nfc_l In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). syzbot reported various memory leaks related to NFC, struct nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] The leading log hinted that nfc_llcp_send_ui_frame() failed to allocate skb due to sock_error(sk) being -ENXIO. ENXIO is set

CVE-2026-23143 [MEDIUM] CVE-2026-23143: In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix misalignment bu In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix misalignment bug in struct virtnet_info Use the new TRAILING_OVERLAP() helper to fix a misalignment bug along with the following warning: drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-

CVE-2026-23186 [MEDIUM] CWE-667 CVE-2026-23186: In the Linux kernel, the following vulnerability has been resolved: hwmon: (acpi_power_meter) Fix d In the Linux kernel, the following vulnerability has been resolved: hwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify() The acpi_power_meter driver's .notify() callback function, acpi_power_meter_notify(), calls hwmon_device_unregister() under a lock that is also acquired by callbacks in sysfs attributes of the device bein

CVE-2026-23146 [MEDIUM] CWE-476 CVE-2026-23146: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-p In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may

CVE-2026-23199 [MEDIUM] CWE-667 CVE-2026-23199: In the Linux kernel, the following vulnerability has been resolved: procfs: avoid fetching build ID In the Linux kernel, the following vulnerability has been resolved: procfs: avoid fetching build ID while holding VMA lock Fix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock or per-VMA lock, whichever was used to lock VMA under question, to avoid deadlock reported by syzbot: -> #1 (&mm->mmap_lock){++++}-{4:4}: __might_faul

CVE-2026-23155 [MEDIUM] CWE-476 CVE-2026-23155: In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bul In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error") a failing resubmit URB will print an info message. In the case of a short read where netdev has not yet

CVE-2026-23139 [MEDIUM] CVE-2026-23139: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: update In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: update last_gc only when GC has been performed Currently last_gc is being updated everytime a new connection is tracked, that means that it is updated even if a GC wasn't performed. With a sufficiently high packet rate, it is possible to always bypass the GC, caus

CVE-2026-23114 [MEDIUM] CVE-2026-23114: In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: ptrace: Fix SVE w In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: ptrace: Fix SVE writes on !SME systems When SVE is supported but SME is not supported, a ptrace write to the NT_ARM_SVE regset can place the tracee into an invalid state where (non-streaming) SVE register data is stored in FP_STATE_SVE format but TIF_SVE is clear. This can r

CVE-2026-23151 [MEDIUM] CWE-401 CVE-2026-23151: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix memory lea In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix memory leak in set_ssp_complete Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures are not freed after being removed from the pending list. Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced mgmt_pending_foreach() calls w

CVE-2025-71222 [MEDIUM] CVE-2025-71222: In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headro In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes).

CVE-2026-23203 [MEDIUM] CVE-2026-23203: In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_ In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this change triggered the following ca

CVE-2026-23118 [MEDIUM] CWE-362 CVE-2026-23118: In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix data-race warning an In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix data-race warning and potential load/store tearing Fix the following: BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet which is reporting an issue with the reads and writes to ->last_tx_at in: conn->peer->last_tx_at = ktime_get_seconds();

CVE-2026-23148 [MEDIUM] CWE-476 CVE-2026-23148: In the Linux kernel, the following vulnerability has been resolved: nvmet: fix race in nvmet_bio_do In the Linux kernel, the following vulnerability has been resolved: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start(): 1. nvmet_bio_done() is called when a bio completes 2. nvmet_req_complete() is called, which i

CVE-2025-71204 [MEDIUM] CVE-2025-71204: In the Linux kernel, the following vulnerability has been resolved: smb/server: fix refcount leak i In the Linux kernel, the following vulnerability has been resolved: smb/server: fix refcount leak in parse_durable_handle_context() When the command is a replay operation and -ENOEXEC is returned, the refcount of ksmbd_file must be released.

CVE-2026-23115 [MEDIUM] CWE-362 CVE-2026-23115: In the Linux kernel, the following vulnerability has been resolved: serial: Fix not set tty->port r In the Linux kernel, the following vulnerability has been resolved: serial: Fix not set tty->port race condition Revert commit bfc467db60b7 ("serial: remove redundant tty_port_link_device()") because the tty_port_link_device() is not redundant: the tty->port has to be confured before we call uart_configure_port(), otherwise user-space can open con

CVE-2026-23136 [MEDIUM] CVE-2026-23136: In the Linux kernel, the following vulnerability has been resolved: libceph: reset sparse-read stat In the Linux kernel, the following vulnerability has been resolved: libceph: reset sparse-read state in osd_fault() When a fault occurs, the connection is abandoned, reestablished, and any pending operations are retried. The OSD client tracks the progress of a sparse-read reply using a separate state machine, largely independent of the messenger's state.

CVE-2026-23163 [MEDIUM] CWE-476 CVE-2026-23163: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer de In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and ih2 interrupt ring buffers are not initialized. This is by design, as these secondary IH rings are only available on discrete GPUs. Se

CVE-2026-23142 [MEDIUM] CVE-2026-23142: In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-scheme: cleanup In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure When a DAMOS-scheme DAMON sysfs directory setup fails after setup of access_pattern/ directory, subdirectories of access_pattern/ directory are not cleaned up. As a result, DAMON sysfs interface is nearly bro