Linux Kernel vulnerabilities

14,478 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 14,478
CISA KEV: 29 (actively exploited)
Public exploits: 296
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3696, MEDIUM 8484, LOW 419, UNKNOWN 1767

Vulnerabilities

CVE-2026-23018 | MEDIUM | CVSS 5.5 | ≥ 6.16.9, < 6.17; ≥ 6.17.1, < 6.18.6; +2 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before initializing extent tree in btrfs_read_locked_inode()
In btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree() while holding a path with a read locked leaf from a subvolume tree, and btrfs_init_file_extent_tree() may do a GFP_KERNEL allocation,
Sources: nvd, osv
CVE-2026-23017 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.7.1, < 6.18.6; v6.7; +1 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: idpf: fix error handling in the init_task on load
If the init_task fails during a driver load, we end up without vports and netdevs, effectively failing the entire process. In that state a subsequent reset will result in a crash as the service task attempts to access uninitialized
Sources: nvd, osv
CVE-2026-23016 | MEDIUM | CVSS 5.5 | ≥ 6.18.1, < 6.18.6; v6.18; +1 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: inet: frags: drop fraglist conntrack references
Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging leaked skbs/conntrack references more obvious. syzbot reports this as triggering, and I can also reproduce this via ip_defrag.sh selftest: conntrack cleanup blocked
Sources: nvd, osv
CVE-2026-23019 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 5.10.1, < 5.15.198; ≥ 5.16, < 6.1.161; +5 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
devlink_alloc() may return NULL on allocation failure, but prestera_devlink_alloc() unconditionally calls devlink_priv() on the returned pointer. This leads to a NULL pointer dereference if devlink allocation
Sources: nvd, osv
CVE-2025-71183 | MEDIUM | CVSS 5.5 | ≥ 3.18.32, < 3.19; ≥ 4.1.23, < 4.2; +8 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs
After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only of the i
Sources: nvd, osv
CVE-2025-71181 | MEDIUM | CVSS 5.5 | CWE-667 | ≥ 6.18.1, < 6.18.6; v6.18; +1 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: rust_binder: remove spin_lock() in rust_shrink_free_page()
When forward-porting Rust Binder to 6.18, I neglected to take commit fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") into account, and apparently I did not end up running the shrinker callback when I sanit
Sources: nvd, osv
CVE-2025-71187 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 6.16.1, < 6.18.7; v6.16; +1 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: dmaengine: sh: rz-dmac: fix device leak on probe failure
Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures (e.g. probe deferral).
Sources: nvd, osv
CVE-2025-71184 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 2.6.39.1, < 6.6.130; ≥ 6.7, < 6.12.66; +3 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction
When evicting an inode the first thing we do is to set up tracing for it, which implies fetching the root's id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_i
Sources: nvd, osv
CVE-2026-23026 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.11.1, < 5.15.199; ≥ 5.16, < 6.1.162; +5 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2.
Sources: nvd, osv
CVE-2025-71191 | MEDIUM | CVSS 5.5 | ≥ 3.10.1, < 5.10.249; ≥ 5.11, < 5.15.199; +6 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate()
Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources. Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate(
Sources: nvd, osv
CVE-2026-23015 | MEDIUM | CVSS 5.5 | ≥ 6.13.1, < 6.18.6; v6.13; +1 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths
The reference obtained by calling usb_get_dev() is not released in the gpio_mpsse_probe() error paths. Fix that by using device managed helper functions. Also remove the usb_put_dev() call in the disconnect function since n
Sources: nvd, osv
CVE-2026-23021 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 3.10.1, < 5.10.248; ≥ 5.11, < 5.15.198; +6 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: fix memory leak in update_eth_regs_async()
When asynchronously writing to the device registers, if usb_submit_urb() fails, the code fails to release the resources allocated up to this point.
Sources: nvd, osv
CVE-2025-71189 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.19.1, < 6.1.162; ≥ 6.2, < 6.6.122; +4 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure
Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures.
Sources: nvd, osv
CVE-2025-71190 | MEDIUM | CVSS 5.5 | ≥ 4.13.1, < 5.10.249; ≥ 5.11, < 5.15.199; +6 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: dmaengine: bcm-sba-raid: fix device leak on probe
Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind.
Sources: nvd, osv
CVE-2026-23024 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 6.17.1, < 6.18.6; v6.17; +1 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak of flow steer list on rmmod
The flow steering list maintains entries that are added and removed as ethtool creates and deletes flow steering rules. Module removal with active entries causes a memory leak as the list is not properly cleaned up. Prevent this by
Sources: nvd, osv
CVE-2025-71182 | MEDIUM | CVSS 5.5 | ≥ 5.4.1, < 5.10.248; ≥ 5.11, < 5.15.198; +6 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered
syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 even after commit 93a27b5891b8 ("can: j1939: add missing calls in NETDEV_UNREGISTER notification handler") w
Sources: nvd, osv
CVE-2026-23020 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 4.16.12, < 4.17; ≥ 4.17.1, < 5.10.248; +7 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
pdev can be null and free_ring: can be called in 1297 with a null pdev.
Sources: nvd, osv
CVE-2026-23028 | UNKNOWN | ≥ 6.13.0, < 6.18.7 | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_ipi_destroy() is not currently doing this, that would lead to a memory leak. So, fix it.
Sources: osv
CVE-2026-23034 | UNKNOWN | ≥ 0, < 6.18.8-1 | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference. When the queue is destroyed, we free the fence driver
Sources: osv
CVE-2026-23031 | UNKNOWN | ≥ 3.16.0, < 6.1.162; ≥ 6.2.0, < 6.6.122; +2 more | 2026-01-31
In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs
Sources: osv