Linux Kernel vulnerabilities

14,478 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 14,478
CISA KEV: 29 (actively exploited)
Public exploits: 296
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3696, MEDIUM 8484, LOW 419, UNKNOWN 1767

Vulnerabilities

CVE-2026-23198 | MEDIUM | CVSS 5.5 | ≥ 4.4, < 5.10.250; ≥ 5.11, < 5.15.200; +5 more | 2026-02-14
CVE-2026-23198 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd. When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to h
nvd, osv
CVE-2026-23165 | MEDIUM | CVSS 5.5 | ≥ 6.17, < 6.18.9; v6.19 | 2026-02-14
CVE-2026-23165 [MEDIUM] CWE-667: In the Linux kernel, the following vulnerability has been resolved: sfc: fix deadlock in RSS config read. Since cited commit, core locks the net_device's rss_lock when handling ethtool -x command, so driver's implementation should not lock it again. Remove the latter.
nvd, osv
CVE-2026-23153 | MEDIUM | CVSS 4.7 | ≥ 6.18, < 6.18.9; v6.19 | 2026-02-14
CVE-2026-23153 [MEDIUM] CWE-362: In the Linux kernel, the following vulnerability has been resolved: firewire: core: fix race condition against transaction list. The list of transaction is enumerated without acquiring card lock when processing AR response event. This causes a race condition bug when processing AT request completion event concurrently. This commit fixes the bug by
nvd, osv
CVE-2026-23196 | MEDIUM | CVSS 5.5 | ≥ 6.14, < 6.18.10; v6.19 | 2026-02-14
CVE-2026-23196 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer. Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing.
nvd, osv
CVE-2026-23183 | UNKNOWN | ≥ 6.14.0, < 6.18.10 | 2026-02-14
CVE-2026-23183: In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: fix NULL pointer dereference when setting max. An issue was triggered: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID
osv
CVE-2026-23174 | UNKNOWN | ≥ 0, < 6.18.10-1 | 2026-02-14
CVE-2026-23174: In the Linux kernel, the following vulnerability has been resolved: nvme-pci: handle changing device dma map requirements. The initial state of dma_needs_unmap may be false, but change to true while mapping the data iterator. Enabling swiotlb is one such case that can change the result. The nvme driver needs to save t
osv
CVE-2025-71224 | UNKNOWN | ≥ 0, < 5.10.251-1; ≥ 0, < 6.1.164-1; +2 more | 2026-02-14
CVE-2025-71224: In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined. ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only present after JOIN_OCB. RX may run before JOIN_OCB is executed, in which case the OCB interface is not operation
osv
CVE-2026-23179 | UNKNOWN | ≥ 0, < 6.12.73-1; ≥ 0, < 6.18.10-1 | 2026-02-14
CVE-2026-23179: In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready(). When the socket is closed while in TCP_LISTEN a callback is run to flush all outstanding packets, which in turns calls nvmet_tcp_listen_data_ready() with the sk_callback_lock held. So we need to
osv
CVE-2026-23177 | UNKNOWN | ≥ 6.12.0, < 6.12.70; ≥ 6.13.0, < 6.18.10 | 2026-02-14
CVE-2026-23177: In the Linux kernel, the following vulnerability has been resolved: mm, shmem: prevent infinite loop on truncate race. When truncating a large swap entry, shmem_free_swap() returns 0 when the entry's index doesn't match the given index due to lookup alignment. The failure fallback path checks if the entry crosses the end border and aborts when it happens, so truncate won't erase a
osv
CVE-2026-23182 | UNKNOWN | ≥ 0, < 5.15.200; ≥ 5.16.0, < 6.1.163; +3 more | 2026-02-14
CVE-2026-23182: In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe(). In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak. Replace it with a goto label to ensure proper cleanup.
osv
CVE-2026-23181 | UNKNOWN | ≥ 6.15.0, < 6.18.10 | 2026-02-14
CVE-2026-23181: In the Linux kernel, the following vulnerability has been resolved: btrfs: sync read disk super and set block size. When the user performs a btrfs mount, the block device is not set correctly. The user sets the block size of the block device to 0x4000 by executing the BLKBSZSET command. Since the block size change also changes the mapping->flags value, this further affects the result of
osv
CVE-2026-23176 | UNKNOWN | ≥ 0, < 5.10.251-1; ≥ 0, < 6.1.164-1; +2 more | 2026-02-14
CVE-2026-23176: In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines. toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully. toshiba_haps_remove() does not free the object pointed to b
osv
CVE-2026-23112 | CRITICAL | CVSS 9.8 | ≥ 5.0, < 5.10.250; ≥ 5.11, < 5.15.200; +5 more | 2026-02-13
CVE-2026-23112 [CRITICAL] CWE-787: In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec. nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg
nvd, osv
CVE-2026-23111 | HIGH | CVSS 7.8 | ≥ 4.19.316, < 4.20; ≥ 5.4.262, < 5.5; +9 more | 2026-02-13
CVE-2026-23111 [HIGH] CWE-416: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate(). nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate()
nvd, osv
CVE-2026-23089 | HIGH | CVSS 7.8 | ≥ 2.6.13, < 5.10.249; ≥ 5.11, < 5.15.199; +5 more | 2026-02-04
CVE-2026-23089 [HIGH] CWE-416: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free(). When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their
nvd, osv
CVE-2026-23078 | HIGH | CVSS 7.8 | ≥ 5.14, < 5.15.199; ≥ 5.16, < 6.1.162; +4 more | 2026-02-04
CVE-2026-23078 [HIGH] CWE-787: In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval. The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then
nvd, osv
CVE-2026-23076 | HIGH | CVSS 7.1 | ≥ 2.6.31, < 5.10.249; ≥ 5.11, < 5.15.199; +5 more | 2026-02-04
CVE-2026-23076 [HIGH] CWE-125: In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB access in audio mixer handling. In the audio mixer handling code of ctxfi driver, the conf field is used as a kind of loop index, and it's referred in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code
nvd, osv
CVE-2026-23098 | HIGH | CVSS 7.8 | ≥ 2.6.12.1, < 5.10.249; ≥ 5.11, < 5.15.199; +6 more | 2026-02-04
CVE-2026-23098 [HIGH] CWE-415: In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame(). In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this
nvd, osv
CVE-2026-23092 | HIGH | CVSS 7.8 | ≥ 6.16, < 6.18.8; v6.19 | 2026-02-04
CVE-2026-23092 [HIGH] CWE-787: In the Linux kernel, the following vulnerability has been resolved: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source. When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied.
nvd, osv
CVE-2026-23083 | HIGH | CVSS 7.8 | ≥ 3.18, < 5.10.249; ≥ 5.11, < 5.15.199; +5 more | 2026-02-04
CVE-2026-23083 [HIGH]: In the Linux kernel, the following vulnerability has been resolved: fou: Don't allow 0 for FOU_ATTR_IPPROTO. fou_udp_recv() has the same problem mentioned in the previous patch. If FOU_ATTR_IPPROTO is set to 0, skb is not freed by fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). Let's forbid 0 for FOU_ATTR_IPPROTO.
nvd, osv