Linux Kernel vulnerabilities

CVE-2026-23117 [MEDIUM] CWE-476 CVE-2026-23117: In the Linux kernel, the following vulnerability has been resolved: ice: add missing ice_deinit_hw( In the Linux kernel, the following vulnerability has been resolved: ice: add missing ice_deinit_hw() in devlink reinit path devlink-reload results in ice_init_hw failed error, and then removing the ice driver causes a NULL pointer dereference. [ +0.102213] ice 0000:ca:00.0: ice_init_hw failed: -16 ... [ +0.000001] Call Trace: [ +0.000003] [ +0.00

CVE-2026-23125 [MEDIUM] CWE-476 CVE-2026-23125: In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails: KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6

CVE-2025-71223 [MEDIUM] CVE-2025-71223: In the Linux kernel, the following vulnerability has been resolved: smb/server: fix refcount leak i In the Linux kernel, the following vulnerability has been resolved: smb/server: fix refcount leak in smb2_open() When ksmbd_vfs_getattr() fails, the reference count of ksmbd_file must be released.

CVE-2026-23138 [MEDIUM] CVE-2026-23138: In the Linux kernel, the following vulnerability has been resolved: tracing: Add recursion protecti In the Linux kernel, the following vulnerability has been resolved: tracing: Add recursion protection in kernel stack trace recording A bug was reported about an infinite recursion caused by tracing the rcu events with the kernel stack trace trigger enabled. The stack trace code called back into RCU which then called the stack trace again. Expand the ftr

CVE-2026-23161 [MEDIUM] CWE-362 CVE-2026-23161: In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix race of tru In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix race of truncate and swap entry split The helper for shmem swap freeing is not handling the order of swap entries correctly. It uses xa_cmpxchg_irq to erase the swap entry, but it gets the entry order before that using xa_get_order without lock protection, and

CVE-2026-23124 [MEDIUM] CVE-2026-23124: In the Linux kernel, the following vulnerability has been resolved: ipv6: annotate data-race in ndi In the Linux kernel, the following vulnerability has been resolved: ipv6: annotate data-race in ndisc_router_discovery() syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1] This looks fine, IFLA_INET6_RA_MTU is best effort. Add READ_ONCE()/WRITE_ONCE() to document the race. Note that we might also

CVE-2026-23121 [MEDIUM] CVE-2026-23121: In the Linux kernel, the following vulnerability has been resolved: mISDN: annotate data-race aroun In the Linux kernel, the following vulnerability has been resolved: mISDN: annotate data-race around dev->work dev->work can re read locklessly in mISDN_read() and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: misdn_add_timer driver

CVE-2026-23190 [MEDIUM] CWE-401 CVE-2026-23190: In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: fix memory leak in a In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: fix memory leak in acp3x pdm dma ops

CVE-2026-23159 [MEDIUM] CWE-476 CVE-2026-23159: In the Linux kernel, the following vulnerability has been resolved: perf: sched: Fix perf crash wit In the Linux kernel, the following vulnerability has been resolved: perf: sched: Fix perf crash with new is_user_task() helper In order to do a user space stacktrace the current task needs to be a user task that has executed in user space. It use to be possible to test if a task is a user task or not by simply checking the task_struct mm field. If

CVE-2026-23200 [MEDIUM] CWE-476 CVE-2026-23200: In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mi In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route. [0] Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTF_ADDRCONF from existing routes w

CVE-2026-23166 [MEDIUM] CWE-476 CVE-2026-23166: In the Linux kernel, the following vulnerability has been resolved: ice: Fix NULL pointer dereferen In the Linux kernel, the following vulnerability has been resolved: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes during resume from suspend when rings[q_idx]->q_vector is NULL. Tested adaptor: 60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Cont

CVE-2026-23188 [MEDIUM] CWE-667 CVE-2026-23188: In the Linux kernel, the following vulnerability has been resolved: net: usb: r8152: fix resume res In the Linux kernel, the following vulnerability has been resolved: net: usb: r8152: fix resume reset deadlock rtl8152 can trigger device reset during reset which potentially can result in a deadlock: **** DPM device timeout after 10 seconds; 15 seconds until panic **** Call Trace: schedule+0x483/0x1370 schedule_preempt_disabled+0x15/0x30 __mute

CVE-2025-71202 [MEDIUM] CVE-2025-71202: In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOT In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOTLB entries for kernel address space Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space. This interface is invoked from the x86 architecture code that manages combined user and kernel page tables, specifically

CVE-2026-23207 [MEDIUM] CWE-362 CVE-2026-23207: In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect cur In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU

CVE-2026-23128 [MEDIUM] CVE-2026-23128: In the Linux kernel, the following vulnerability has been resolved: arm64: Set __nocfi on swsusp_ar In the Linux kernel, the following vulnerability has been resolved: arm64: Set __nocfi on swsusp_arch_resume() A DABT is reported[1] on an android based system when resume from hiberate. This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*() and does not have a CFI hash, but swsusp_arch_resume() will attempt to verify the CFI hash whe

CVE-2026-23167 [MEDIUM] CWE-362 CVE-2026-23167: In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix race between rfki In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix race between rfkill and nci_unregister_device(). syzbot reported the splat below [0] without a repro. It indicates that struct nci_dev.cmd_wq had been destroyed before nci_close_device() was called via rfkill. nci_dev.cmd_wq is only destroyed in nci_unregister_devi

CVE-2026-23173 [MEDIUM] CWE-476 CVE-2026-23173: In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, delete flows onl In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, delete flows only for existing peers When deleting TC steering flows, iterate only over actual devcom peers instead of assuming all possible ports exist. This avoids touching non-existent peers and ensures cleanup is limited to devices the driver is currently connec

CVE-2026-23140 [MEDIUM] CVE-2026-23140: In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Subtract size of In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Subtract size of xdp_frame from allowed metadata size The xdp_frame structure takes up part of the XDP frame headroom, limiting the size of the metadata. However, in bpf_test_run, we don't take this into account, which makes it possible for userspace to supply a metadata si

CVE-2026-23123 [MEDIUM] CWE-908 CVE-2026-23123: In the Linux kernel, the following vulnerability has been resolved: interconnect: debugfs: initiali In the Linux kernel, the following vulnerability has been resolved: interconnect: debugfs: initialize src_node and dst_node to empty strings The debugfs_create_str() API assumes that the string pointer is either NULL or points to valid kmalloc() memory. Leaving the pointer uninitialized can cause problems. Initialize src_node and dst_node to empt

CVE-2026-23116 [MEDIUM] CVE-2026-23116: In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: Remov In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset and clock enable bits, but is ungated and reset together with the VPUs. So we can't reset G1 or G2 separately, it may led to the system hang. Rem