Linux Kernel vulnerabilities

12,345 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 12,345
CISA KEV: 25 (actively exploited)
Public exploits: 277
Exploited in wild: 26
Severity breakdown: CRITICAL 108, HIGH 3529, MEDIUM 8298, LOW 410

Vulnerabilities

CVE-2026-23164 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 4.6, < 5.10.249; ≥ 5.11, < 5.15.199; +5 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: rocker: fix memory leak in rocker_world_port_post_fini()
In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with kzalloc(wops->port_priv_size, GFP_KERNEL). However, in rocker_world_port_post_fini(), the memory is only freed when wops->port_post_fini callback is set:
nvd
CVE-2026-23141 | MEDIUM | CVSS 5.5 | ≥ 4.11, < 6.6.122; ≥ 6.7, < 6.12.67; +2 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: btrfs: send: check for inline extents in range_is_hole_in_parent()
Before accessing the disk_bytenr field of a file extent item we need to check if we are dealing with an inline extent. This is because for inline extents their data starts at the offset of the disk_bytenr field. So accessi
nvd
CVE-2026-23124 | MEDIUM | CVSS 5.5 | ≥ 5.15, < 5.15.199; ≥ 5.16, < 6.1.162; +4 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: ipv6: annotate data-race in ndisc_router_discovery()
syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1]
This looks fine, IFLA_INET6_RA_MTU is best effort. Add READ_ONCE()/WRITE_ONCE() to document the race. Note that we might also
nvd
CVE-2026-23121 | MEDIUM | CVSS 5.5 | ≥ 2.6.27, < 5.10.249; ≥ 5.11, < 5.15.199; +5 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: mISDN: annotate data-race around dev->work
dev->work can be read locklessly in mISDN_read() and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.
BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read
write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:
misdn_add_timer driver
nvd
CVE-2026-23159 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.6.116, < 6.6.123; ≥ 6.12.57, < 6.12.69; +2 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: perf: sched: Fix perf crash with new is_user_task() helper
In order to do a user space stacktrace the current task needs to be a user task that has executed in user space. It used to be possible to test if a task is a user task or not by simply checking the task_struct mm field. If
nvd
CVE-2026-23200 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.6.120, < 6.6.124; ≥ 6.12.63, < 6.12.70; +3 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route. [0]
Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTF_ADDRCONF from existing routes w
nvd
CVE-2026-23166 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.10.10, < 6.11; ≥ 6.11.1, < 6.12.69; +3 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes during resume from suspend when rings[q_idx]->q_vector is NULL.
Tested adaptor: 60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Cont
nvd
CVE-2025-71222 | MEDIUM | CVSS 5.5 | ≥ 2.6.32, < 5.10.250; ≥ 5.11, < 5.15.200; +5 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push
This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes).
nvd
CVE-2025-71202 | MEDIUM | CVSS 5.5 | ≥ 4.4, < 6.18.7 | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOTLB entries for kernel address space
Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space. This interface is invoked from the x86 architecture code that manages combined user and kernel page tables, specifically
nvd
CVE-2026-23188 | MEDIUM | CVSS 5.5 | CWE-667 | ≥ 6.11, < 6.12.70; ≥ 6.13, < 6.18.10; +1 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: net: usb: r8152: fix resume reset deadlock
rtl8152 can trigger device reset during reset which potentially can result in a deadlock:
**** DPM device timeout after 10 seconds; 15 seconds until panic ****
Call Trace:
schedule+0x483/0x1370
schedule_preempt_disabled+0x15/0x30
__mute
nvd
CVE-2026-23207 | MEDIUM | CVSS 4.7 | CWE-362 | ≥ 5.15.198, < 5.16; ≥ 6.1.160, < 6.2; +5 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler
Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU
nvd
CVE-2026-23154 | MEDIUM | CVSS 5.5 | ≥ 5.6, < 6.12.69; ≥ 6.13, < 6.18.9; +1 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: net: fix segmentation of forwarding fraglist GRO
This patch enhances GSO segment handling by properly checking the SKB_GSO_DODGY flag for frag_list GSO packets, addressing low throughput issues observed when a station accesses IPv4 servers via hotspots with an IPv6-only upstream interface
nvd
CVE-2026-23199 | MEDIUM | CVSS 5.5 | CWE-667 | ≥ 6.11, < 6.12.70; ≥ 6.13, < 6.18.10; +1 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: procfs: avoid fetching build ID while holding VMA lock
Fix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock or per-VMA lock, whichever was used to lock VMA under question, to avoid deadlock reported by syzbot:
-> #1 (&mm->mmap_lock){++++}-{4:4}:
__might_faul
nvd
CVE-2026-23133 | MEDIUM | CVSS 5.5 | ≥ 4.16, < 5.10.249; ≥ 5.11, < 5.15.199; +5 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the addresses in XXX_unaligned fields. Those should be reused when freeing the buffer rather than the aligned addresses.
nvd
CVE-2026-23167 | MEDIUM | CVSS 4.7 | CWE-362 | ≥ 3.2, < 5.10.249; ≥ 5.11, < 5.15.199; +5 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix race between rfkill and nci_unregister_device().
syzbot reported the splat below [0] without a repro. It indicates that struct nci_dev.cmd_wq had been destroyed before nci_close_device() was called via rfkill. nci_dev.cmd_wq is only destroyed in nci_unregister_devi
nvd
CVE-2026-23128 | MEDIUM | CVSS 5.5 | ≥ 6.1, < 6.1.162; ≥ 6.2, < 6.6.122; +3 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: arm64: Set __nocfi on swsusp_arch_resume()
A DABT is reported[1] on an android based system when resume from hibernate. This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*() and does not have a CFI hash, but swsusp_arch_resume() will attempt to verify the CFI hash whe
nvd
CVE-2026-23173 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.5, < 6.6.123; ≥ 6.7, < 6.12.69; +2 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, delete flows only for existing peers
When deleting TC steering flows, iterate only over actual devcom peers instead of assuming all possible ports exist. This avoids touching non-existent peers and ensures cleanup is limited to devices the driver is currently connec
nvd
CVE-2026-23119 | MEDIUM | CVSS 5.5 | ≥ 5.5, < 5.10.249; ≥ 5.11, < 5.15.199; +5 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: bonding: provide a net pointer to __skb_flow_dissect()
After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") we have to provide a net pointer to __skb_flow_dissect(), either via skb->dev, skb->sk, or a user provided pointer. In the following case, syzbot was able to
nvd
CVE-2026-23140 | MEDIUM | CVSS 5.5 | ≥ 5.18, < 6.1.161; ≥ 6.2, < 6.6.121; +3 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Subtract size of xdp_frame from allowed metadata size
The xdp_frame structure takes up part of the XDP frame headroom, limiting the size of the metadata. However, in bpf_test_run, we don't take this into account, which makes it possible for userspace to supply a metadata si
nvd
CVE-2026-23116 | MEDIUM | CVSS 5.5 | ≥ 5.18, < 6.1.162; ≥ 6.2, < 6.6.122; +3 more | 2026-02-14
In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu
For i.MX8MQ platform, the ADB in the VPUMIX domain has no separate reset and clock enable bits, but is ungated and reset together with the VPUs. So we can't reset G1 or G2 separately, it may lead to the system hang. Rem
nvd