Linux Kernel vulnerabilities

CVE-2026-23130 [MEDIUM] CWE-667 CVE-2026-23130: In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dead lock whi In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dead lock while flushing management frames Commit [1] converted the management transmission work item into a wiphy work. Since a wiphy work can only run under wiphy lock protection, a race condition happens in below scenario: 1. a management frame is queued for

CVE-2026-23157 [MEDIUM] CWE-667 CVE-2026-23157: In the Linux kernel, the following vulnerability has been resolved: btrfs: do not strictly require In the Linux kernel, the following vulnerability has been resolved: btrfs: do not strictly require dirty metadata threshold for metadata writepages [BUG] There is an internal report that over 1000 processes are waiting at the io_schedule_timeout() of balance_dirty_pages(), causing a system hang and trigger a kernel coredump. The kernel is v6.4 ker

CVE-2026-23122 [MEDIUM] CVE-2026-23122: In the Linux kernel, the following vulnerability has been resolved: igc: Reduce TSN TX packet buffe In the Linux kernel, the following vulnerability has been resolved: igc: Reduce TSN TX packet buffer from 7KB to 5KB per queue The previous 7 KB per queue caused TX unit hangs under heavy timestamping load. Reducing to 5 KB avoids these hangs and matches the TSN recommendation in I225/I226 SW User Manual Section 7.5.4. The 8 KB "freed" by this change is

CVE-2026-23152 [MEDIUM] CVE-2026-23152: In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: correctly decod In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: correctly decode TTLM with default link map TID-To-Link Mapping (TTLM) elements do not contain any link mapping presence indicator if a default mapping is used and parsing needs to be skipped. Note that access points should not explicitly report an advertised TTLM with a

CVE-2026-23201 [MEDIUM] CWE-476 CVE-2026-23201: In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid p In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`. The variable str is guarded by __free(kfree), but advanced by one for skipping the

CVE-2026-23120 [MEDIUM] CVE-2026-23120: In the Linux kernel, the following vulnerability has been resolved: l2tp: avoid one data-race in l2 In the Linux kernel, the following vulnerability has been resolved: l2tp: avoid one data-race in l2tp_tunnel_del_work() We should read sk->sk_socket only when dealing with kernel sockets. syzbot reported the following data-race: BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu

CVE-2026-23113 [MEDIUM] CVE-2026-23113: In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: check IO_WQ_BIT In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Currently this is checked before running the pending work. Normally this is quite fine, as work items either end up blocking (which will create a new worker for other items), or they complete fairly quickly. But syzbot reports an i

CVE-2026-23143 [MEDIUM] CVE-2026-23143: In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix misalignment bu In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix misalignment bug in struct virtnet_info Use the new TRAILING_OVERLAP() helper to fix a misalignment bug along with the following warning: drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-

CVE-2026-23186 [MEDIUM] CWE-667 CVE-2026-23186: In the Linux kernel, the following vulnerability has been resolved: hwmon: (acpi_power_meter) Fix d In the Linux kernel, the following vulnerability has been resolved: hwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify() The acpi_power_meter driver's .notify() callback function, acpi_power_meter_notify(), calls hwmon_device_unregister() under a lock that is also acquired by callbacks in sysfs attributes of the device bein

CVE-2026-23146 [MEDIUM] CWE-476 CVE-2026-23146: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-p In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may

CVE-2026-23155 [MEDIUM] CWE-476 CVE-2026-23155: In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bul In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error") a failing resubmit URB will print an info message. In the case of a short read where netdev has not yet

CVE-2026-23151 [MEDIUM] CWE-401 CVE-2026-23151: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix memory lea In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix memory leak in set_ssp_complete Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures are not freed after being removed from the pending list. Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced mgmt_pending_foreach() calls w

CVE-2026-23203 [MEDIUM] CVE-2026-23203: In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_ In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this change triggered the following ca

CVE-2026-23118 [MEDIUM] CWE-362 CVE-2026-23118: In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix data-race warning an In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix data-race warning and potential load/store tearing Fix the following: BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet which is reporting an issue with the reads and writes to ->last_tx_at in: conn->peer->last_tx_at = ktime_get_seconds();

CVE-2026-23115 [MEDIUM] CWE-362 CVE-2026-23115: In the Linux kernel, the following vulnerability has been resolved: serial: Fix not set tty->port r In the Linux kernel, the following vulnerability has been resolved: serial: Fix not set tty->port race condition Revert commit bfc467db60b7 ("serial: remove redundant tty_port_link_device()") because the tty_port_link_device() is not redundant: the tty->port has to be confured before we call uart_configure_port(), otherwise user-space can open con

CVE-2026-23163 [MEDIUM] CWE-476 CVE-2026-23163: In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer de In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and ih2 interrupt ring buffers are not initialized. This is by design, as these secondary IH rings are only available on discrete GPUs. Se

CVE-2026-23127 [MEDIUM] CVE-2026-23127: In the Linux kernel, the following vulnerability has been resolved: perf: Fix refcount warning on e In the Linux kernel, the following vulnerability has been resolved: perf: Fix refcount warning on event->mmap_count increment When calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the following warning is triggered: refcount_t: addition on 0; use-after-free. WARNING: lib/refcount.c:25 PoC: struct perf_event_attr attr = {0}; int fd = sysc

CVE-2026-23117 [MEDIUM] CWE-476 CVE-2026-23117: In the Linux kernel, the following vulnerability has been resolved: ice: add missing ice_deinit_hw( In the Linux kernel, the following vulnerability has been resolved: ice: add missing ice_deinit_hw() in devlink reinit path devlink-reload results in ice_init_hw failed error, and then removing the ice driver causes a NULL pointer dereference. [ +0.102213] ice 0000:ca:00.0: ice_init_hw failed: -16 ... [ +0.000001] Call Trace: [ +0.000003] [ +0.00

CVE-2026-23114 [MEDIUM] CVE-2026-23114: In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: ptrace: Fix SVE w In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: ptrace: Fix SVE writes on !SME systems When SVE is supported but SME is not supported, a ptrace write to the NT_ARM_SVE regset can place the tracee into an invalid state where (non-streaming) SVE register data is stored in FP_STATE_SVE format but TIF_SVE is clear. This can r

CVE-2026-23125 [MEDIUM] CWE-476 CVE-2026-23125: In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails: KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6