Linux Kernel vulnerabilities

CVE-2026-23102 [HIGH] CWE-125 CVE-2026-23102: In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix resto In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix restoration of SVE context When SME is supported, Restoring SVE signal context can go wrong in a few ways, including placing the task into an invalid state where the kernel may read from out-of-bounds memory (and may potentially take a fatal fault) and/or m

CVE-2026-23068 [HIGH] CWE-415 CVE-2026-23068: In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double f In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controlle

CVE-2026-23099 [HIGH] CWE-125 CVE-2026-23099: In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/

CVE-2026-23074 [HIGH] CWE-416 CVE-2026-23074: In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql ca In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim

CVE-2026-23077 [HIGH] CWE-416 CVE-2026-23077: In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix anon_vma UAF on mre In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge Patch series "mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge", v2. Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA

CVE-2026-23073 [HIGH] CWE-787 CVE-2026-23073: In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruptio In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The s

CVE-2026-23063 [MEDIUM] CWE-476 CVE-2026-23063: In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue releas In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_

CVE-2026-23093 [MEDIUM] CVE-2026-23093: In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned.

CVE-2026-23070 [MEDIUM] CVE-2026-23070: In the Linux kernel, the following vulnerability has been resolved: Octeontx2-af: Add proper checks In the Linux kernel, the following vulnerability has been resolved: Octeontx2-af: Add proper checks for fwdata firmware populates MAC address, link modes (supported, advertised) and EEPROM data in shared firmware structure which kernel access via MAC block(CGX/RPM). Accessing fwdata, on boards booted with out MAC block leading to kernel panics. Internal

CVE-2026-23079 [MEDIUM] CWE-401 CVE-2026-23079: In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: Fix resource leaks In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify() On error handling paths, lineinfo_changed_notify() doesn't free the allocated resources which results leaks. Fix it.

CVE-2026-23075 [MEDIUM] CWE-401 CVE-2026-23075: In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted a

CVE-2026-23107 [MEDIUM] CWE-476 CVE-2026-23107: In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA The code to restore a ZA context doesn't attempt to allocate the task's sve_state before setting TIF_SME. Consequently, restoring a ZA context can place a task into an invalid state where TIF_SME is set but the task's sv

CVE-2026-23064 [MEDIUM] CWE-476 CVE-2026-23064: In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possi In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00

CVE-2026-23097 [MEDIUM] CVE-2026-23097: In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages()

CVE-2026-23060 [MEDIUM] CWE-476 CVE-2026-23060: In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a N

CVE-2026-23096 [MEDIUM] CVE-2026-23096: In the Linux kernel, the following vulnerability has been resolved: uacce: fix cdev handling in the In the Linux kernel, the following vulnerability has been resolved: uacce: fix cdev handling in the cleanup path When cdev_device_add fails, it internally releases the cdev memory, and if cdev_device_del is then executed, it will cause a hang error. To fix it, we check the return value of cdev_device_add() and clear uacce->cdev to avoid calling cdev_devic

CVE-2026-23094 [MEDIUM] CVE-2026-23094: In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check condition uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sys

CVE-2026-23104 [MEDIUM] CVE-2026-23104: In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call tr In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used

CVE-2026-23081 [MEDIUM] CVE-2026-23081: In the Linux kernel, the following vulnerability has been resolved: net: phy: intel-xway: fix OF no In the Linux kernel, the following vulnerability has been resolved: net: phy: intel-xway: fix OF node refcount leakage Automated review spotted am OF node reference count leakage when checking if the 'leds' child node exists. Call of_put_node() to correctly maintain the refcount.

CVE-2026-23109 [MEDIUM] CWE-835 CVE-2026-23109: In the Linux kernel, the following vulnerability has been resolved: fs/writeback: skip AS_NO_DATA_I In the Linux kernel, the following vulnerability has been resolved: fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes() Above the while() loop in wait_sb_inodes(), we document that we must wait for all pages under writeback for data integrity. Consequently, if a mapping, like fuse, traditionally does not have data integrity semant