Linux Kernel vulnerabilities

CVE-2026-23137 [MEDIUM] CWE-401 CVE-2026-23137: In the Linux kernel, the following vulnerability has been resolved: of: unittest: Fix memory leak i In the Linux kernel, the following vulnerability has been resolved: of: unittest: Fix memory leak in unittest_data_add() In unittest_data_add(), if of_resolve_phandles() fails, the allocated unittest_data is not freed, leading to a memory leak. Fix this by using scope-based cleanup helper __free(kfree) for automatic resource cleanup. This ensures

CVE-2026-23148 [HIGH] CWE-476 CVE-2026-23148: In the Linux kernel, the following vulnerability has been resolved: nvmet: fix race in nvmet_bio_do In the Linux kernel, the following vulnerability has been resolved: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start(): 1. nvmet_bio_done() is called when a bio completes 2. nvmet_req_complete() is called, which inv

CVE-2026-23160 [MEDIUM] CWE-401 CVE-2026-23160: In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix memory leak in o In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix memory leak in octep_device_setup() In octep_device_setup(), if octep_ctrl_net_init() fails, the function returns directly without unmapping the mapped resources and freeing the allocated configuration memory. Fix this by jumping to the unsupported_dev label, which

CVE-2026-23169 [HIGH] CWE-362 CVE-2026-23169: In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race in mptcp_pm_nl_ In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup() Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready. list_splice_init_rcu() can not be called

CVE-2026-23161 [HIGH] CWE-362 CVE-2026-23161: In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix race of tru In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix race of truncate and swap entry split The helper for shmem swap freeing is not handling the order of swap entries correctly. It uses xa_cmpxchg_irq to erase the swap entry, but it gets the entry order before that using xa_get_order without lock protection, and it

CVE-2026-23197 [MEDIUM] CWE-476 CVE-2026-23197: In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state in block data length handler When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED. However, i2c_imx_master_isr() unconditionally overwrites this with IMX_I2C_STATE_READ_CO

CVE-2026-23165 [MEDIUM] CWE-667 CVE-2026-23165: In the Linux kernel, the following vulnerability has been resolved: sfc: fix deadlock in RSS config In the Linux kernel, the following vulnerability has been resolved: sfc: fix deadlock in RSS config read Since cited commit, core locks the net_device's rss_lock when handling ethtool -x command, so driver's implementation should not lock it again. Remove the latter.

CVE-2025-71204 [MEDIUM] CVE-2025-71204: In the Linux kernel, the following vulnerability has been resolved: smb/server: fix refcount leak i In the Linux kernel, the following vulnerability has been resolved: smb/server: fix refcount leak in parse_durable_handle_context() When the command is a replay operation and -ENOEXEC is returned, the refcount of ksmbd_file must be released.

CVE-2026-23144 [MEDIUM] CVE-2026-23144: In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: cleanup attrs s In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure When a context DAMON sysfs directory setup is failed after setup of attrs/ directory, subdirectories of attrs/ directory are not cleaned up. As a result, DAMON sysfs interface is nearly broken until the system reboots, and

CVE-2026-23198 [HIGH] CWE-476 CVE-2026-23198: In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routin In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to han

CVE-2026-23153 [MEDIUM] CWE-362 CVE-2026-23153: In the Linux kernel, the following vulnerability has been resolved: firewire: core: fix race condit In the Linux kernel, the following vulnerability has been resolved: firewire: core: fix race condition against transaction list The list of transaction is enumerated without acquiring card lock when processing AR response event. This causes a race condition bug when processing AT request completion event concurrently. This commit fixes the bug by

CVE-2026-23196 [MEDIUM] CWE-476 CVE-2026-23196: In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing.

CVE-2026-23210 [MEDIUM] CWE-476 CVE-2026-23210: In the Linux kernel, the following vulnerability has been resolved: ice: Fix PTP NULL pointer deref In the Linux kernel, the following vulnerability has been resolved: ice: Fix PTP NULL pointer dereference during VSI rebuild Fix race condition where PTP periodic work runs while VSI is being rebuilt, accessing NULL vsi->rx_rings. The sequence was: 1. ice_ptp_prepare_for_reset() cancels PTP work 2. ice_ptp_rebuild() immediately queues PTP work 3.

CVE-2026-23136 [HIGH] CVE-2026-23136: In the Linux kernel, the following vulnerability has been resolved: libceph: reset sparse-read stat In the Linux kernel, the following vulnerability has been resolved: libceph: reset sparse-read state in osd_fault() When a fault occurs, the connection is abandoned, reestablished, and any pending operations are retried. The OSD client tracks the progress of a sparse-read reply using a separate state machine, largely independent of the messenger's state. I

CVE-2026-23189 [MEDIUM] CWE-476 CVE-2026-23189: In the Linux kernel, the following vulnerability has been resolved: ceph: fix NULL pointer derefere In the Linux kernel, the following vulnerability has been resolved: ceph: fix NULL pointer dereference in ceph_mds_auth_match() The CephFS kernel client has regression starting from 6.18-rc1. We have issue in ceph_mds_auth_match() if fs_name == NULL: const char fs_name = mdsc->fsc->mount_options->mds_namespace; ... if (auth->match.fs_name && strc

CVE-2026-23205 [MEDIUM] CWE-401 CVE-2026-23205: In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in smb2_open_file() Reproducer: 1. server: directories are exported read-only 2. client: mount -t cifs //${server_ip}/export /mnt 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct 4. client: umount /mnt 5. client: sleep 1 6. client:

CVE-2026-23112 [CRITICAL] CWE-787 CVE-2026-23112: In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg

CVE-2026-23111 [HIGH] CWE-416 CVE-2026-23111: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inver In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate()

CVE-2026-23078 [HIGH] CWE-787 CVE-2026-23078: In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer ove In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then

CVE-2026-23089 [HIGH] CWE-416 CVE-2026-23089: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after- In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their