Linux Kernel vulnerabilities

CVE-2026-23131 [MEDIUM] CVE-2026-23131: In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix k In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names The hp-bioscfg driver attempts to register kobjects with empty names when the HP BIOS returns attributes with empty name strings. This causes multiple kernel warnings: kobject: (00000000135fb5e6): attempted to be re

CVE-2026-23170 [MEDIUM] CWE-401 CVE-2026-23170: In the Linux kernel, the following vulnerability has been resolved: drm/imx/tve: fix probe device l In the Linux kernel, the following vulnerability has been resolved: drm/imx/tve: fix probe device leak Make sure to drop the reference taken to the DDC device during probe on probe failure (e.g. probe deferral) and on driver unbind.

CVE-2026-23190 [MEDIUM] CWE-401 CVE-2026-23190: In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: fix memory leak in a In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: fix memory leak in acp3x pdm dma ops

CVE-2026-23142 [MEDIUM] CVE-2026-23142: In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-scheme: cleanup In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure When a DAMOS-scheme DAMON sysfs directory setup fails after setup of access_pattern/ directory, subdirectories of access_pattern/ directory are not cleaned up. As a result, DAMON sysfs interface is nearly bro

CVE-2026-23149 [MEDIUM] CVE-2026-23149: In the Linux kernel, the following vulnerability has been resolved: drm: Do not allow userspace to In the Linux kernel, the following vulnerability has been resolved: drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl() Since GEM bo handles are u32 in the uapi and the internal implementation uses idr_alloc() which uses int ranges, passing a new handle larger than INT_MAX trivially triggers a kernel warning: idr_alloc(

CVE-2025-71223 [MEDIUM] CVE-2025-71223: In the Linux kernel, the following vulnerability has been resolved: smb/server: fix refcount leak i In the Linux kernel, the following vulnerability has been resolved: smb/server: fix refcount leak in smb2_open() When ksmbd_vfs_getattr() fails, the reference count of ksmbd_file must be released.

CVE-2026-23129 [MEDIUM] CVE-2026-23129: In the Linux kernel, the following vulnerability has been resolved: dpll: Prevent duplicate registr In the Linux kernel, the following vulnerability has been resolved: dpll: Prevent duplicate registrations Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add() to reject duplicate registration attempts. Previously, if a caller attempted to register the same pin multiple times (with the same ops, priv, and cookie) on the same device, the c

CVE-2026-23150 [MEDIUM] CWE-401 CVE-2026-23150: In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: Fix memleak in nfc_l In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). syzbot reported various memory leaks related to NFC, struct nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] The leading log hinted that nfc_llcp_send_ui_frame() failed to allocate skb due to sock_error(sk) being -ENXIO. ENXIO is set

CVE-2026-23172 [HIGH] CWE-401 CVE-2026-23172: In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential skb->frags overflow in RX path When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overfl

CVE-2026-23138 [MEDIUM] CVE-2026-23138: In the Linux kernel, the following vulnerability has been resolved: tracing: Add recursion protecti In the Linux kernel, the following vulnerability has been resolved: tracing: Add recursion protection in kernel stack trace recording A bug was reported about an infinite recursion caused by tracing the rcu events with the kernel stack trace trigger enabled. The stack trace code called back into RCU which then called the stack trace again. Expand the ftr

CVE-2026-23147 [MEDIUM] CWE-401 CVE-2026-23147: In the Linux kernel, the following vulnerability has been resolved: btrfs: zlib: fix the folio leak In the Linux kernel, the following vulnerability has been resolved: btrfs: zlib: fix the folio leak on S390 hardware acceleration [BUG] After commit aa60fe12b4f4 ("btrfs: zlib: refactor S390x HW acceleration buffer preparation"), we no longer release the folio of the page cache of folio returned by btrfs_compress_filemap_get_folio() for S390 hardw

CVE-2026-23123 [MEDIUM] CWE-908 CVE-2026-23123: In the Linux kernel, the following vulnerability has been resolved: interconnect: debugfs: initiali In the Linux kernel, the following vulnerability has been resolved: interconnect: debugfs: initialize src_node and dst_node to empty strings The debugfs_create_str() API assumes that the string pointer is either NULL or points to valid kmalloc() memory. Leaving the pointer uninitialized can cause problems. Initialize src_node and dst_node to empt

CVE-2026-23145 [MEDIUM] CWE-401 CVE-2026-23145: In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_ In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref The error branch for ext4_xattr_inode_update_ref forget to release the refcount for iloc.bh. Find this when review code.

CVE-2026-23168 [MEDIUM] CVE-2026-23168: In the Linux kernel, the following vulnerability has been resolved: flex_proportions: make fprop_ne In the Linux kernel, the following vulnerability has been resolved: flex_proportions: make fprop_new_period() hardirq safe Bernd has reported a lockdep splat from flexible proportions code that is essentially complaining about the following race: run_timer_softirq - we are in softirq context call_timer_fn writeout_period fprop_new_period write_seqcount_

CVE-2026-23134 [MEDIUM] CVE-2026-23134: In the Linux kernel, the following vulnerability has been resolved: slab: fix kmalloc_nolock() cont In the Linux kernel, the following vulnerability has been resolved: slab: fix kmalloc_nolock() context check for PREEMPT_RT On PREEMPT_RT kernels, local_lock becomes a sleeping lock. The current check in kmalloc_nolock() only verifies we're not in NMI or hard IRQ context, but misses the case where preemption is disabled. When a BPF program runs from a tr

CVE-2026-23206 [MEDIUM] CWE-476 CVE-2026-23206: In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the device reports zero interfaces (either due to hardware configuration or fi

CVE-2026-23139 [HIGH] CVE-2026-23139: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: update In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: update last_gc only when GC has been performed Currently last_gc is being updated everytime a new connection is tracked, that means that it is updated even if a GC wasn't performed. With a sufficiently high packet rate, it is possible to always bypass the GC, causin

CVE-2026-23135 [MEDIUM] CVE-2026-23135: In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dma_free_cohe In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dma_free_coherent() pointer dma_alloc_coherent() allocates a DMA mapped buffer and stores the addresses in XXX_unaligned fields. Those should be reused when freeing the buffer rather than the aligned addresses.

CVE-2026-23126 [MEDIUM] CWE-362 CVE-2026-23126: In the Linux kernel, the following vulnerability has been resolved: netdevsim: fix a race issue rel In the Linux kernel, the following vulnerability has been resolved: netdevsim: fix a race issue related to the operation on bpf_bound_progs list The netdevsim driver lacks a protection mechanism for operations on the bpf_bound_progs list. When the nsim_bpf_create_prog() performs list_add_tail, it is possible that nsim_bpf_destroy_prog() is simulta

CVE-2026-23202 [MEDIUM] CWE-476 CVE-2026-23202: In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect cur In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prev