Linux Kernel vulnerabilities

CVE-2025-71220 [HIGH] CVE-2025-71220: In the Linux kernel, the following vulnerability has been resolved: smb/server: call ksmbd_session_ In the Linux kernel, the following vulnerability has been resolved: smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close().

CVE-2025-71203 [HIGH] CWE-129 CVE-2025-71203: In the Linux kernel, the following vulnerability has been resolved: riscv: Sanitize syscall table i In the Linux kernel, the following vulnerability has been resolved: riscv: Sanitize syscall table indexing under speculation The syscall number is a user-controlled value used to index into the syscall table. Use array_index_nospec() to clamp this value after the bounds check to prevent speculative out-of-bounds access and subsequent data leakage vi

CVE-2026-23204 [HIGH] CWE-125 CVE-2026-23204: In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_hea In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x

CVE-2026-23184 [HIGH] CWE-416 CVE-2026-23184: In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF in binder_netli In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF in binder_netlink_report() Oneway transactions sent to frozen targets via binder_proc_transaction() return a BR_TRANSACTION_PENDING_FROZEN error but they are still treated as successful since the target is expected to thaw at some point. It is then not safe to access

CVE-2026-23171 [HIGH] CWE-416 CVE-2026-23171: In the Linux kernel, the following vulnerability has been resolved: bonding: fix use-after-free due In the Linux kernel, the following vulnerability has been resolved: bonding: fix use-after-free due to enslave fail after slave array update Fix a use-after-free which happens due to enslave failure after the new slave has been added to the array. Since the new slave can be used for Tx immediately, we can use it after it has been freed by the enslav

CVE-2026-23194 [HIGH] CWE-787 CVE-2026-23194: In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle F In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle FDA objects of length zero Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used `skip == 0` to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty F

CVE-2026-23208 [HIGH] CWE-787 CVE-2026-23208: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excess In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240;

CVE-2026-23193 [HIGH] CWE-416 CVE-2026-23193: In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-af In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the ses

CVE-2026-23162 [HIGH] CWE-415 CVE-2026-23162: In the Linux kernel, the following vulnerability has been resolved: drm/xe/nvm: Fix double-free on In the Linux kernel, the following vulnerability has been resolved: drm/xe/nvm: Fix double-free on aux add failure After a successful auxiliary_device_init(), aux_dev->dev.release (xe_nvm_release_dev()) is responsible for the kfree(nvm). When there is failure with auxiliary_device_add(), driver will call auxiliary_device_uninit(), which call put_devi

CVE-2026-23195 [HIGH] CWE-416 CVE-2026-23195: In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An UAF issue was observed: BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Tra

CVE-2025-71201 [HIGH] CWE-125 CVE-2025-71201: In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of page with EOF in middle The read result collection for buffered reads seems to run ahead of the completion of subrequests under some circumstances, as can be seen in the following log snippet: 9p_client_res: client 18446612686390831168 response P9_TR

CVE-2026-23192 [HIGH] CWE-416 CVE-2026-23192: In the Linux kernel, the following vulnerability has been resolved: linkwatch: use __dev_put() in c In the Linux kernel, the following vulnerability has been resolved: linkwatch: use __dev_put() in callers to prevent UAF After linkwatch_do_dev() calls __dev_put() to release the linkwatch reference, the device refcount may drop to 1. At this point, netdev_run_todo() can proceed (since linkwatch_sync_dev() sees an empty list and returns without bloc

CVE-2026-23187 [HIGH] CWE-125 CVE-2026-23187: In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix o In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().

CVE-2026-23185 [HIGH] CWE-416 CVE-2026-23185: In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: cancel mlo_ In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: cancel mlo_scan_start_wk mlo_scan_start_wk is not canceled on disconnection. In fact, it is not canceled anywhere except in the restart cleanup, where we don't really have to. This can cause an init-after-queue issue: if, for example, the work was queued and the

CVE-2026-23191 [HIGH] CWE-416 CVE-2026-23191: In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF w

CVE-2026-23156 [HIGH] CVE-2026-23156: In the Linux kernel, the following vulnerability has been resolved: efivarfs: fix error propagation In the Linux kernel, the following vulnerability has been resolved: efivarfs: fix error propagation in efivar_entry_get() efivar_entry_get() always returns success even if the underlying __efivar_entry_get() fails, masking errors. This may result in uninitialized heap memory being copied to userspace in the efivarfs_file_read() path. Fix it by returning t

CVE-2025-71221 [HIGH] CWE-362 CVE-2025-71221: In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race c In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freein

CVE-2026-23209 [HIGH] CWE-416 CVE-2026-23209: In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip lin

CVE-2026-23132 [MEDIUM] CVE-2026-23132: In the Linux kernel, the following vulnerability has been resolved: drm/bridge: synopsys: dw-dp: fi In the Linux kernel, the following vulnerability has been resolved: drm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind Fix several issues in dw_dp_bind() error handling: 1. Missing return after drm_bridge_attach() failure - the function continued execution instead of returning an error. 2. Resource leak: drm_dp_aux_register() is not a devm funct

CVE-2025-71200 [MEDIUM] CVE-2025-71200: In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode When operating in HS200 or HS400 timing modes, reducing the clock frequency below 52MHz will lead to link broken as the Rockchip DWC MSHC controller requires maintaining a minimum clock of 52MHz in these modes. Add