Linux Kernel vulnerabilities

CVE-2026-23083 [HIGH] CVE-2026-23083: In the Linux kernel, the following vulnerability has been resolved: fou: Don't allow 0 for FOU_ATTR In the Linux kernel, the following vulnerability has been resolved: fou: Don't allow 0 for FOU_ATTR_IPPROTO. fou_udp_recv() has the same problem mentioned in the previous patch. If FOU_ATTR_IPPROTO is set to 0, skb is not freed by fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). Let's forbid 0 for FOU_ATTR_IPPROTO.

CVE-2026-23098 [HIGH] CWE-415 CVE-2026-23098: In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_r In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this

CVE-2026-23068 [HIGH] CWE-415 CVE-2026-23068: In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double f In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controlle

CVE-2026-23099 [HIGH] CWE-125 CVE-2026-23099: In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/

CVE-2026-23077 [HIGH] CWE-416 CVE-2026-23077: In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix anon_vma UAF on mre In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge Patch series "mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge", v2. Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA

CVE-2026-23102 [HIGH] CWE-125 CVE-2026-23102: In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix resto In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix restoration of SVE context When SME is supported, Restoring SVE signal context can go wrong in a few ways, including placing the task into an invalid state where the kernel may read from out-of-bounds memory (and may potentially take a fatal fault) and/or m

CVE-2026-23092 [HIGH] CWE-787 CVE-2026-23092: In the Linux kernel, the following vulnerability has been resolved: iio: dac: ad3552r-hs: fix out-o In the Linux kernel, the following vulnerability has been resolved: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied.

CVE-2026-23076 [HIGH] CWE-125 CVE-2026-23076: In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB access in audio mixer handling In the audio mixer handling code of ctxfi driver, the conf field is used as a kind of loop index, and it's referred in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code

CVE-2026-23074 [HIGH] CWE-416 CVE-2026-23074: In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql ca In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim

CVE-2026-23073 [HIGH] CWE-787 CVE-2026-23073: In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruptio In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The s

CVE-2026-23063 [MEDIUM] CWE-476 CVE-2026-23063: In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue releas In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_

CVE-2026-23093 [MEDIUM] CVE-2026-23093: In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned.

CVE-2026-23070 [MEDIUM] CVE-2026-23070: In the Linux kernel, the following vulnerability has been resolved: Octeontx2-af: Add proper checks In the Linux kernel, the following vulnerability has been resolved: Octeontx2-af: Add proper checks for fwdata firmware populates MAC address, link modes (supported, advertised) and EEPROM data in shared firmware structure which kernel access via MAC block(CGX/RPM). Accessing fwdata, on boards booted with out MAC block leading to kernel panics. Internal

CVE-2026-23079 [MEDIUM] CWE-401 CVE-2026-23079: In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: Fix resource leaks In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify() On error handling paths, lineinfo_changed_notify() doesn't free the allocated resources which results leaks. Fix it.

CVE-2026-23064 [MEDIUM] CWE-476 CVE-2026-23064: In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possi In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00

CVE-2026-23097 [MEDIUM] CVE-2026-23097: In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages()

CVE-2026-23075 [MEDIUM] CWE-401 CVE-2026-23075: In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted a

CVE-2026-23060 [MEDIUM] CWE-476 CVE-2026-23060: In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a N

CVE-2026-23094 [MEDIUM] CVE-2026-23094: In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check condition uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sys

CVE-2026-23104 [MEDIUM] CVE-2026-23104: In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call tr In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used