Linux Kernel vulnerabilities

14,478 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 14,478
CISA KEV: 29 (actively exploited)
Public exploits: 296
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3696, MEDIUM 8484, LOW 419, UNKNOWN 1767

Vulnerabilities

Page 29 of 724
CVE-2025-71146 | MEDIUM | CVSS 5.5 | ≥ 6.17.13, < 6.18 | v6.12.63 | +2 more | 2026-01-23
[CWE-401] In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: fix leaked ct in error paths
There are some situations where ct might be leaked as error paths are skipping the refcounted check and return immediately. In order to solve it make sure that the check is always called.
nvd, osv

CVE-2026-22988 | MEDIUM | CVSS 5.5 | ≥ 6.12.64, < 6.12.66 | ≥ 6.18.4, < 6.18.6 | +3 more | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head
arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call.
nvd, osv

CVE-2026-22987 | MEDIUM | CVSS 5.5 | ≥ 6.17, < 6.18.6 | v6.19 | 2026-01-23
[CWE-476] In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy
syzbot reported a crash in tc_act_in_hw() during netns teardown where tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action pointer, leading to an invalid dereference. Guard against ERR_PTR entr
nvd, osv

CVE-2026-22979 | MEDIUM | CVSS 5.5 | ≥ 5.15.154, < 5.16 | ≥ 6.1.85, < 6.1.161 | +6 more | 2026-01-23
[CWE-401] In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets
When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from
nvd, osv

CVE-2026-22986 | MEDIUM | CVSS 4.7 | ≥ 6.9, < 6.18.6 | v6.19 | 2026-01-23
[CWE-362] In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix race condition for gdev->srcu
If two drivers were calling gpiochip_add_data_with_key(), one may be traversing the srcu-protected list in gpio_name_to_desc(), meanwhile other has just added its gdev in gpiodev_add_to_list_unlocked(). This creates a non-mutexed and non-
nvd, osv

CVE-2025-71147 | MEDIUM | CVSS 5.5 | ≥ 5.13, < 5.15.198 | ≥ 5.16, < 6.1.160 | +3 more | 2026-01-23
[CWE-401] In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd
'tpm2_load_cmd' allocates a temporary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob into with a cleanup helper.
nvd, osv

CVE-2026-22993 | MEDIUM | CVSS 5.5 | ≥ 6.7, < 6.18.6 | v6.19 | 2026-01-23
[CWE-476] In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset
During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no ne
nvd, osv

CVE-2026-22981 | MEDIUM | CVSS 5.5 | ≥ 6.7, < 6.18.6 | v6.19 | 2026-01-23
[CWE-476] In the Linux kernel, the following vulnerability has been resolved: idpf: detach and close netdevs while handling a reset
Protect the reset path from callbacks by setting the netdevs to detached state and close any netdevs in UP state until the reset handling has completed. During a reset, the driver will de-allocate resources for the vport, and th
nvd, osv

CVE-2026-22989 | MEDIUM | CVSS 5.5 | ≥ 6.9, < 6.12.66 | ≥ 6.13, < 6.18.6 | +1 more | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: nfsd: check that server is running in unlock_filesystem
If we are trying to unlock the filesystem via an administrative interface and nfsd isn't running, it crashes the server. This happens currently because nfsd4_revoke_states() access state structures (eg., conf_id_hashtbl) that has bee
nvd, osv

CVE-2026-22983 | MEDIUM | CVSS 5.5 | ≥ 6.18.4, < 6.18.6 | v6.19 | 2026-01-23
[CWE-476] In the Linux kernel, the following vulnerability has been resolved: net: do not write to msg_get_inq in callee
NULL pointer dereference fix. msg_get_inq is an input field from caller to callee. Don't set it in the callee, as the caller may not clear it on struct reuse. This is a kernel-internal variant of msghdr only, and the only user does rein
nvd, osv

CVE-2025-71151 | MEDIUM | CVSS 5.5 | ≥ 6.6.64, < 6.6.120 | ≥ 6.11.11, < 6.12 | +3 more | 2026-01-23
[CWE-401] In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory and information leak in smb3_reconfigure()
In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. This causes both a memory leak and a pote
nvd, osv

CVE-2026-22985 | MEDIUM | CVSS 5.5 | ≥ 6.7, < 6.18.6 | v6.19 | 2026-01-23
[CWE-476] In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Mo
nvd, osv

CVE-2025-71161 | MEDIUM | CVSS 5.5 | ≥ 4.5, < 6.18.6 | 2026-01-23
[CWE-193] In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction
There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a
nvd, osv

CVE-2026-22982 | MEDIUM | CVSS 5.5 | ≥ 5.12, < 5.15.198 | ≥ 5.16, < 6.1.161 | +4 more | 2026-01-23
[CWE-476] In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag
Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver h
nvd, osv

CVE-2025-71153 | MEDIUM | CVSS 5.5 | ≥ 6.6.24, < 6.6.120 | ≥ 6.7.12, < 6.8 | +3 more | 2026-01-23
[CWE-401] In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix memory leak in get_file_all_info()
In get_file_all_info(), if vfs_getattr() fails, the function returns immediately without freeing the allocated filename, leading to a memory leak. Fix this by freeing the filename before returning in this error case.
nvd, osv

CVE-2026-22994 | MEDIUM | CVSS 5.5 | ≥ 5.18, < 6.1.161 | ≥ 6.2, < 6.6.121 | +3 more | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp()
syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to c
nvd, osv

CVE-2025-71158 | MEDIUM | CVSS 5.5 | ≥ 6.13, < 6.18.6 | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: ensure worker is torn down
When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it. This change uses a spinlock to protect a list of workers, which it tears down
nvd, osv

CVE-2026-22992 | MEDIUM | CVSS 5.5 | ≥ 5.11, < 5.15.198 | ≥ 5.16, < 6.1.161 | +4 more | 2026-01-23
[CWE-476] In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done()
Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to b
nvd, osv

CVE-2025-71150 | MEDIUM | CVSS 5.5 | ≥ 5.15.176, < 5.16 | ≥ 6.1.121, < 6.1.160 | +5 more | 2026-01-23
In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup
When a session is found but its state is not SMB2_SESSION_VALID, it indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a ref
nvd, osv

CVE-2026-22990 | MEDIUM | CVSS 5.5 | ≥ 2.6.34.1, < 5.10.248 | ≥ 5.11, < 5.15.198 | +6 more | 2026-01-23
[CWE-617] In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid.
nvd, osv