Linux Kernel vulnerabilities

CVE-2026-23116 [MEDIUM] CVE-2026-23116: In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: Remov In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset and clock enable bits, but is ungated and reset together with the VPUs. So we can't reset G1 or G2 separately, it may led to the system hang. Rem

CVE-2026-23131 [MEDIUM] CVE-2026-23131: In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix k In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names The hp-bioscfg driver attempts to register kobjects with empty names when the HP BIOS returns attributes with empty name strings. This causes multiple kernel warnings: kobject: (00000000135fb5e6): attempted to be re

CVE-2026-23210 [MEDIUM] CWE-476 CVE-2026-23210: In the Linux kernel, the following vulnerability has been resolved: ice: Fix PTP NULL pointer deref In the Linux kernel, the following vulnerability has been resolved: ice: Fix PTP NULL pointer dereference during VSI rebuild Fix race condition where PTP periodic work runs while VSI is being rebuilt, accessing NULL vsi->rx_rings. The sequence was: 1. ice_ptp_prepare_for_reset() cancels PTP work 2. ice_ptp_rebuild() immediately queues PTP work 3.

CVE-2026-23137 [MEDIUM] CWE-401 CVE-2026-23137: In the Linux kernel, the following vulnerability has been resolved: of: unittest: Fix memory leak i In the Linux kernel, the following vulnerability has been resolved: of: unittest: Fix memory leak in unittest_data_add() In unittest_data_add(), if of_resolve_phandles() fails, the allocated unittest_data is not freed, leading to a memory leak. Fix this by using scope-based cleanup helper __free(kfree) for automatic resource cleanup. This ensures

CVE-2026-23170 [MEDIUM] CWE-401 CVE-2026-23170: In the Linux kernel, the following vulnerability has been resolved: drm/imx/tve: fix probe device l In the Linux kernel, the following vulnerability has been resolved: drm/imx/tve: fix probe device leak Make sure to drop the reference taken to the DDC device during probe on probe failure (e.g. probe deferral) and on driver unbind.

CVE-2026-23135 [MEDIUM] CVE-2026-23135: In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dma_free_cohe In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dma_free_coherent() pointer dma_alloc_coherent() allocates a DMA mapped buffer and stores the addresses in XXX_unaligned fields. Those should be reused when freeing the buffer rather than the aligned addresses.

CVE-2026-23149 [MEDIUM] CVE-2026-23149: In the Linux kernel, the following vulnerability has been resolved: drm: Do not allow userspace to In the Linux kernel, the following vulnerability has been resolved: drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl() Since GEM bo handles are u32 in the uapi and the internal implementation uses idr_alloc() which uses int ranges, passing a new handle larger than INT_MAX trivially triggers a kernel warning: idr_alloc(

CVE-2026-23129 [MEDIUM] CVE-2026-23129: In the Linux kernel, the following vulnerability has been resolved: dpll: Prevent duplicate registr In the Linux kernel, the following vulnerability has been resolved: dpll: Prevent duplicate registrations Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add() to reject duplicate registration attempts. Previously, if a caller attempted to register the same pin multiple times (with the same ops, priv, and cookie) on the same device, the c

CVE-2026-23160 [MEDIUM] CWE-401 CVE-2026-23160: In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix memory leak in o In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix memory leak in octep_device_setup() In octep_device_setup(), if octep_ctrl_net_init() fails, the function returns directly without unmapping the mapped resources and freeing the allocated configuration memory. Fix this by jumping to the unsupported_dev label, which

CVE-2026-23168 [MEDIUM] CVE-2026-23168: In the Linux kernel, the following vulnerability has been resolved: flex_proportions: make fprop_ne In the Linux kernel, the following vulnerability has been resolved: flex_proportions: make fprop_new_period() hardirq safe Bernd has reported a lockdep splat from flexible proportions code that is essentially complaining about the following race: run_timer_softirq - we are in softirq context call_timer_fn writeout_period fprop_new_period write_seqcount_

CVE-2026-23126 [MEDIUM] CWE-362 CVE-2026-23126: In the Linux kernel, the following vulnerability has been resolved: netdevsim: fix a race issue rel In the Linux kernel, the following vulnerability has been resolved: netdevsim: fix a race issue related to the operation on bpf_bound_progs list The netdevsim driver lacks a protection mechanism for operations on the bpf_bound_progs list. When the nsim_bpf_create_prog() performs list_add_tail, it is possible that nsim_bpf_destroy_prog() is simulta

CVE-2026-23169 [MEDIUM] CWE-362 CVE-2026-23169: In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race in mptcp_pm_nl_ In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup() Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready. list_splice_init_rcu() can not be call

CVE-2026-23172 [MEDIUM] CWE-401 CVE-2026-23172: In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential skb->frags overflow in RX path When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer over

CVE-2026-23205 [MEDIUM] CWE-401 CVE-2026-23205: In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in smb2_open_file() Reproducer: 1. server: directories are exported read-only 2. client: mount -t cifs //${server_ip}/export /mnt 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct 4. client: umount /mnt 5. client: sleep 1 6. client:

CVE-2026-23147 [MEDIUM] CWE-401 CVE-2026-23147: In the Linux kernel, the following vulnerability has been resolved: btrfs: zlib: fix the folio leak In the Linux kernel, the following vulnerability has been resolved: btrfs: zlib: fix the folio leak on S390 hardware acceleration [BUG] After commit aa60fe12b4f4 ("btrfs: zlib: refactor S390x HW acceleration buffer preparation"), we no longer release the folio of the page cache of folio returned by btrfs_compress_filemap_get_folio() for S390 hardw

CVE-2026-23189 [MEDIUM] CWE-476 CVE-2026-23189: In the Linux kernel, the following vulnerability has been resolved: ceph: fix NULL pointer derefere In the Linux kernel, the following vulnerability has been resolved: ceph: fix NULL pointer dereference in ceph_mds_auth_match() The CephFS kernel client has regression starting from 6.18-rc1. We have issue in ceph_mds_auth_match() if fs_name == NULL: const char fs_name = mdsc->fsc->mount_options->mds_namespace; ... if (auth->match.fs_name && strc

CVE-2026-23145 [MEDIUM] CWE-401 CVE-2026-23145: In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_ In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref The error branch for ext4_xattr_inode_update_ref forget to release the refcount for iloc.bh. Find this when review code.

CVE-2026-23134 [MEDIUM] CVE-2026-23134: In the Linux kernel, the following vulnerability has been resolved: slab: fix kmalloc_nolock() cont In the Linux kernel, the following vulnerability has been resolved: slab: fix kmalloc_nolock() context check for PREEMPT_RT On PREEMPT_RT kernels, local_lock becomes a sleeping lock. The current check in kmalloc_nolock() only verifies we're not in NMI or hard IRQ context, but misses the case where preemption is disabled. When a BPF program runs from a tr

CVE-2026-23202 [MEDIUM] CWE-476 CVE-2026-23202: In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect cur In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prev

CVE-2026-23206 [MEDIUM] CWE-476 CVE-2026-23206: In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the device reports zero interfaces (either due to hardware configuration or fi