Linux Kernel vulnerabilities

14,478 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 14,478
CISA KEV: 29 actively exploited
Public exploits: 296
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3696, MEDIUM 8484, LOW 419, UNKNOWN 1767

Vulnerabilities

CVE-2026-23000 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 5.12, < 6.12.67; ≥ 6.13, < 6.18.7; +1 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure
mlx5e_netdev_change_profile can fail to attach a new profile and can fail to rollback to old profile, in such case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. anothe
nvd, osv

CVE-2026-23007 | MEDIUM | CVSS 5.5 | CWE-908 | ≥ 6.11.1, < 6.18.7; v6.11; +1 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: block: zero non-PI portion of auto integrity buffer
The auto-generated integrity buffer for writes needs to be fully initialized before being passed to the underlying block device, otherwise the uninitialized memory can be read back by userspace or anyone with physical access to t
nvd, osv

CVE-2026-23005 | MEDIUM | CVSS 5.5 | ≥ 5.17.1, < 6.1.162; ≥ 6.2, < 6.6.122; +4 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for fe
nvd, osv

CVE-2026-23004 | MEDIUM | CVSS 4.7 | CWE-362 | ≥ 3.6.1, < 6.6.130; ≥ 6.12, < 6.12.78; +3 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went
nvd, osv

CVE-2026-23006 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.1.1, < 6.1.162; ≥ 6.2, < 6.6.122; +4 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer
The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv".
nvd, osv

CVE-2026-23002 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.12.1, < 6.12.67; ≥ 6.13, < 6.18.7; +2 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: lib/buildid: use __kernel_read() for sleepable context
Prevent a "BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio". For the sleepable context, convert freader to use __kernel_read() instead of direct page cache access via read_cache_folio(). This simpl
nvd, osv

CVE-2026-23003 | MEDIUM | CVSS 5.5 | CWE-908 | ≥ 5.10.210, < 5.10.249; ≥ 5.15.149, < 5.15.199; +7 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:
nvd, osv

CVE-2025-71163 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.15, < 5.15.199; ≥ 5.16, < 6.1.162; +4 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind
Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface.
nvd, osv

CVE-2026-23008 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.16.1, < 6.18.7; v6.16; +1 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix KMS with 3D on HW version 10
HW version 10 does not have GB Surfaces so there is no backing buffer for surface backed FBs. This would result in a nullptr dereference and crash the driver causing a black screen.
nvd, osv

CVE-2026-22999 | MEDIUM | CVSS 5.5 | ≥ 3.8, < 5.10.249; ≥ 5.11, < 5.15.199; +5 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class()
Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.
nvd, osv

CVE-2026-22996 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 5.12, < 6.12.67; ≥ 6.13, < 6.18.7; +1 more | 2026-01-25
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev dir
nvd, osv

CVE-2026-22980 | HIGH | CVSS 7.8 | CWE-416 | ≥ 3.18, < 5.10.248; ≥ 5.11, < 5.15.198; +5 more | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace
Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particularly. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracki
nvd, osv

CVE-2025-71159 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.18, < 6.18.6; v6.19 | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()
Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount
nvd, osv

CVE-2025-71145 | HIGH | CVSS 7.8 | ≥ 5.10.248, < 5.11 | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance
A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case.
nvd

CVE-2025-71157 | HIGH | CVSS 7.8 | ≥ 6.11, < 6.12.64; ≥ 6.13, < 6.18.4; +1 more | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: RDMA/core: always drop device refcount in ib_del_sub_device_and_put()
Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add support to add/delete a sub IB device through netlink") grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put()
nvd, osv

CVE-2025-71156 | HIGH | CVSS 7.8 | ≥ 6.9, < 6.12.64; ≥ 6.13, < 6.18.4; +1 more | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: gve: defer interrupt enabling until NAPI registration
Currently, interrupts are automatically enabled immediately upon request. This allows interrupt to fire before the associated NAPI context is fully initialized and cause failures like below: [ 0.946369] Call Trace: [ 0.946369] [ 0.94636
nvd, osv

CVE-2025-71155 | HIGH | CVSS 7.8 | CWE-787 | ≥ 6.17.4, < 6.18; ≥ 6.18, < 6.18.4 | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: KVM: s390: Fix gmap_helper_zap_one_page() again
A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory corruption in the guest under specific circumstances. Add the missing checks.
nvd, osv

CVE-2026-22995 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.18.4, < 6.18.6; v6.19 | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: ublk: fix use-after-free in ublk_partition_scan_work
A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk: 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() 2. ublk_stop_dev() calls
nvd, osv

CVE-2025-71152 | HIGH | CVSS 7.8 | ≥ 4.8, < 6.18.4; v6.19 | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference
Problem description DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. There are two distinct problems. 1. The OF path, which uses of_find_net_device_
nvd, osv

CVE-2026-22984 | HIGH | CVSS 7.1 | CWE-125 | ≥ 5.11, < 5.15.198; ≥ 5.16, < 6.1.161; +4 more | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done()
Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ]
nvd, osv