10157 results (0.005 seconds)

CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0

02 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix constant blinding for PROBE_MEM32 stores BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1. The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT ... • https://git.kernel.org/stable/c/6082b6c328b5486da2b356eae94b8b83c98b5565 •
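Added illustration, not kernel code and not part of the commit above: a simplified model of constant blinding that shows why a store the verifier has already rewritten from BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 must be matched by the blinder as well. The opcode names, `REG_AX`, `blind_prog`, `imm_survives` and the fixed `DEMO_RND` mask are this example's own simplifications; the kernel draws the mask with get_random_u32() and emits real BPF instructions into its JIT.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the eBPF opcodes involved; not the real encoding. */
enum op {
    OP_ST_MEM_IMM,          /* BPF_ST  | BPF_MEM:         *(u32 *)(dst + off) = imm      */
    OP_ST_PROBE_MEM32_IMM,  /* BPF_ST  | BPF_PROBE_MEM32: arena store, same operand shape */
    OP_ST_MEM_REG,          /* BPF_STX | BPF_MEM:         *(u32 *)(dst + off) = src      */
    OP_ST_PROBE_MEM32_REG,  /* BPF_STX | BPF_PROBE_MEM32                                 */
    OP_MOV_AX_IMM,          /* AX  = imm                                                 */
    OP_XOR_AX_IMM           /* AX ^= imm                                                 */
};

struct insn { enum op op; int dst; int src; int off; uint32_t imm; };

#define REG_AX  11          /* scratch register the blinder may clobber, like BPF_REG_AX */
#define MAX_OUT 64

/* Rewrite one store-immediate as: mov AX, imm ^ rnd; xor AX, rnd; st [dst+off], AX.
 * Only imm ^ rnd and rnd reach native code; the attacker's imm itself never does. */
static size_t emit_blinded(const struct insn *in, enum op st_reg_op, uint32_t rnd, struct insn *out)
{
    out[0] = (struct insn){ OP_MOV_AX_IMM, REG_AX, 0, 0, in->imm ^ rnd };
    out[1] = (struct insn){ OP_XOR_AX_IMM, REG_AX, 0, 0, rnd };
    out[2] = (struct insn){ st_reg_op, in->dst, REG_AX, in->off, 0 };
    return 3;
}

/* Blind a program into out[]; returns the emitted length.
 * handle_probe_mem32 == 0 reproduces the described omission: the verifier has already
 * rewritten the arena store to BPF_PROBE_MEM32, but the blinder only matches BPF_MEM. */
size_t blind_prog(const struct insn *prog, size_t n, uint32_t rnd,
                  int handle_probe_mem32, struct insn *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (prog[i].op == OP_ST_MEM_IMM)
            k += emit_blinded(&prog[i], OP_ST_MEM_REG, rnd, out + k);
        else if (prog[i].op == OP_ST_PROBE_MEM32_IMM && handle_probe_mem32)
            k += emit_blinded(&prog[i], OP_ST_PROBE_MEM32_REG, rnd, out + k);
        else
            out[k++] = prog[i];                    /* passed through unblinded */
    }
    return k;
}

/* 1 if the attacker-chosen 32-bit value still appears verbatim in any immediate field. */
int imm_survives(const struct insn *prog, size_t n, uint32_t imm)
{
    for (size_t i = 0; i < n; i++) {
        switch (prog[i].op) {
        case OP_ST_MEM_IMM: case OP_ST_PROBE_MEM32_IMM:
        case OP_MOV_AX_IMM: case OP_XOR_AX_IMM:
            if (prog[i].imm == imm)
                return 1;
            break;
        default:
            break;
        }
    }
    return 0;
}

/* Minimal evaluator tracking only AX; returns the value written by the last store.
 * Register stores are assumed to read AX, which is all the blinder emits. */
uint32_t stored_value(const struct insn *prog, size_t n)
{
    uint32_t ax = 0, last = 0;
    for (size_t i = 0; i < n; i++) {
        switch (prog[i].op) {
        case OP_MOV_AX_IMM:         ax = prog[i].imm;   break;
        case OP_XOR_AX_IMM:         ax ^= prog[i].imm;  break;
        case OP_ST_MEM_IMM:
        case OP_ST_PROBE_MEM32_IMM: last = prog[i].imm; break;
        case OP_ST_MEM_REG:
        case OP_ST_PROBE_MEM32_REG: last = ax;          break;
        }
    }
    return last;
}

/* Constructed scenario: one arena store carrying a user-chosen immediate. The mask is fixed
 * here for determinism; the kernel uses get_random_u32(). */
#define USER_IMM 0x12345678u
#define DEMO_RND 0xdeadbeefu

int probe_mem32_imm_survives(int handle_probe_mem32)
{
    struct insn prog[] = { { OP_ST_PROBE_MEM32_IMM, 1, 0, 0, USER_IMM } };
    struct insn out[MAX_OUT];
    size_t n = blind_prog(prog, 1, DEMO_RND, handle_probe_mem32, out);
    return imm_survives(out, n, USER_IMM);
}

uint32_t probe_mem32_blinded_value(void)
{
    struct insn prog[] = { { OP_ST_PROBE_MEM32_IMM, 1, 0, 0, USER_IMM } };
    struct insn out[MAX_OUT];
    size_t n = blind_prog(prog, 1, DEMO_RND, 1, out);
    return stored_value(out, n);
}

int main(void)
{
    printf("BPF_MEM-only blinder, raw imm survives:        %d\n", probe_mem32_imm_survives(0));
    printf("blinder handling PROBE_MEM32, raw imm survives: %d\n", probe_mem32_imm_survives(1));
    printf("value stored by the blinded sequence:          0x%08x\n", probe_mem32_blinded_value());
    return 0;
}
```

The two `imm_survives` results are the whole point: with the BPF_MEM-only match the 32-bit constant is copied into native code unchanged, with the PROBE_MEM32 case handled only `imm ^ rnd` and `rnd` appear, while the value actually stored is still the original.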

CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0

02 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/mseal: update VMA end correctly on merge Previously we stored the end of the current VMA in curr_end, and then upon iterating to the next VMA updated curr_start to curr_end to advance to the next VMA. However, this doesn't take into account the fact that a VMA might be updated due to a merge by vma_modify_flags(), which can result in curr_end being stale and thus, upon setting curr_start to curr_end, ending up with an incorrect curr_star... • https://git.kernel.org/stable/c/6c2da14ae1e0a0146587381594559027bd46c059 •

CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0

02 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy() which frees the old mempolicy immediately via kmem_cache_free(). This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode. [ 151.412631] BUG: K... • https://git.kernel.org/stable/c/c042c505210dc3453f378df432c10fff3d471bc5 •

CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0

02 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: tls: Purge async_hold in tls_decrypt_async_wait() The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally. A subsequent patch adds batch async decryption to tls_sw_read_sock(), introducing a new call site that must drain pending AEAD ope... • https://git.kernel.org/stable/c/c61d4368197d65c4809d9271f3b85325a600586a •

CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0

02 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: clsact: Fix use-after-free in init/destroy rollback asymmetry Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact instance, and then in a second step having a replacement failure for the new clsact qdisc instance. clsact_init() initializes ingress first and then takes care of the egress part. This can fail midway, for example, via tcf_block_get_ext(). Upo... • https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a •

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0

02 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: defer hook memory release until rcu readers are done Yiming Qian reports UaF when concurrent process is dumping hooks via nfnetlink_hooks: BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0 Read of size 8 at addr ffff888003edbf88 by task poc/79 Call Trace: nfnl_hook_dump_one.isra.0+0xe71/0x10f0 netlink_dump+0x554/0x12b0 nfnl_hook_get+0x176/0x230 [..] Defer release until after concurrent readers ... • https://git.kernel.org/stable/c/84601d6ee68ae820dec97450934797046d62db4b •

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can and does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/... • https://git.kernel.org/stable/c/c961ee5f21b202dea60b63eeef945730d92e46a6 •

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling poi... • https://git.kernel.org/stable/c/5d5182cae40115c03933989473288e54afb39c7c •

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix differential encoding verification Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being ver... • https://git.kernel.org/stable/c/031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 •
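Added illustration of the first bug described above, not AppArmor code: a chain walk over a differential-encoding table that keeps separate "being checked" and "already checked" marks, beside a variant that conflates them into one flag. The table layout (`base[s]`, `NO_BASE`), the function names and the constructed loop are this example's own; the real unpacker operates on the DFA tables and is not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>

#define NO_BASE (-1)
enum { UNMARKED = 0, IN_PROGRESS = 1, VERIFIED = 2 };

/* base[s] is the state that s is differentially encoded against, or NO_BASE for a
 * fully encoded state. Every chain s -> base[s] -> ... must reach NO_BASE.
 * Returns 0 if all chains terminate, -1 on a loop (or an out-of-range base index).
 * conflate_marks == 1 keeps one "marked" flag for both "being checked now" and
 * "already checked", which is the conflation the commit message describes. */
int verify_diff_chains(const int *base, int n, int conflate_marks)
{
    unsigned char *mark = calloc((size_t)n, 1);
    int *path = malloc(sizeof(int) * (size_t)n);
    int rc = 0;

    if (!mark || !path) { free(mark); free(path); return -1; }

    for (int s = 0; s < n && rc == 0; s++) {
        int depth = 0, t = s;
        while (t != NO_BASE) {
            if (t < 0 || t >= n) { rc = -1; break; }   /* base index outside the table */
            if (mark[t] == VERIFIED) break;              /* joins a chain already proven to terminate */
            if (mark[t] == IN_PROGRESS) {
                if (conflate_marks) break;               /* bug: in-progress looks like verified, loop accepted */
                rc = -1;                                 /* fix: back on the chain being walked -> loop */
                break;
            }
            mark[t] = IN_PROGRESS;
            path[depth++] = t;                           /* each state is pushed at most once */
            t = base[t];
        }
        /* With separate marks, the chain just walked is now known to terminate. */
        for (int i = 0; i < depth && !conflate_marks; i++)
            mark[path[i]] = VERIFIED;
    }
    free(mark);
    free(path);
    return rc;
}

/* Constructed tables: acyclic chains, and a crafted 0 -> 1 -> 2 -> 0 loop. */
static const int acyclic_base[] = { NO_BASE, 0, 1, 0 };  /* 3->0, 2->1->0, all end at NO_BASE */
static const int looped_base[]  = { 1, 2, 0, NO_BASE };  /* 0->1->2->0 never terminates      */

int check_acyclic_table(int conflate_marks) { return verify_diff_chains(acyclic_base, 4, conflate_marks); }
int check_looped_table(int conflate_marks)  { return verify_diff_chains(looped_base, 4, conflate_marks); }

int main(void)
{
    printf("acyclic: single mark %d, separate marks %d\n", check_acyclic_table(1), check_acyclic_table(0));
    printf("looped : single mark %d, separate marks %d\n", check_looped_table(1), check_looped_table(0));
    return 0;
}
```

With a single flag, the walk from state 0 meets state 0 again already marked and stops as if it had joined a verified chain, so the loop passes; with the in-progress mark kept distinct the same revisit is reported as a loop.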

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix double free of ns_name in aa_replace_profiles() if ns_name is NULL after 1071 error = aa_unpack(udata, &lh, &ns_name); and if ent->ns_name contains an ns_name in 1089 } else if (ent->ns_name) { then ns_name is assigned the ent->ns_name 1095 ns_name = ent->ns_name; however ent->ns_name is freed at 1262 aa_load_ent_free(ent); and then again when freeing ns_name at 1270 kfree(ns_name); Fix this by NULLing out ent->ns_name after i... • https://git.kernel.org/stable/c/145a0ef21c8e944957f58e2c8ffcd8a10f46266a •
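Added illustration of the ownership-transfer bug above, not AppArmor code: a user-space model of the path where `ns_name` is NULL after unpack and is then pointed at the entry's own `ns_name`, so both `aa_load_ent_free()` and the final `kfree(ns_name)` release the same buffer unless the entry's pointer is NULLed after the hand-over. `struct load_ent`, `replace_profiles()` and the tracked allocator are this example's own stand-ins; the tracker counts the second free instead of letting it corrupt the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal allocation bookkeeping so a double free is counted rather than executed. */
#define MAX_LIVE 16
static uintptr_t g_live[MAX_LIVE];
static int       g_nlive;
static int       g_double_frees;

static char *tracked_strdup(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (!p || g_nlive == MAX_LIVE) { free(p); return NULL; }
    memcpy(p, s, len);
    g_live[g_nlive++] = (uintptr_t)p;
    return p;
}

static void tracked_free(void *p)
{
    if (!p) return;                               /* kfree(NULL) is a no-op; mirror that */
    for (int i = 0; i < g_nlive; i++) {
        if (g_live[i] == (uintptr_t)p) {
            g_live[i] = g_live[--g_nlive];
            free(p);
            return;
        }
    }
    g_double_frees++;                             /* not live any more: second free of the same buffer */
}

/* Stand-in for struct aa_load_ent: owns ns_name until someone takes it over. */
struct load_ent { char *ns_name; };

static void load_ent_free(struct load_ent *ent)   /* models aa_load_ent_free() */
{
    if (!ent) return;
    tracked_free(ent->ns_name);
    free(ent);
}

/* Models the aa_replace_profiles() path where unpack left ns_name NULL and the entry
 * carries its own ns_name. Returns the number of double frees observed.
 * null_out_after_transfer == 0 is the bug; == 1 is the fix from the commit message. */
int replace_profiles(int null_out_after_transfer)
{
    char *ns_name = NULL;                         /* aa_unpack(udata, &lh, &ns_name) left it NULL (modelled) */
    struct load_ent *ent = calloc(1, sizeof *ent);
    if (!ent) return -1;
    ent->ns_name = tracked_strdup("child-ns");    /* constructed input */
    g_double_frees = 0;

    if (!ns_name && ent->ns_name) {
        ns_name = ent->ns_name;                   /* ns_name = ent->ns_name */
        if (null_out_after_transfer)
            ent->ns_name = NULL;                  /* ownership moved: only one owner may free it */
    }

    /* ... profile replacement work elided ... */

    load_ent_free(ent);                           /* frees ent->ns_name if it is still set */
    tracked_free(ns_name);                        /* kfree(ns_name): second free in the buggy variant */
    return g_double_frees;
}

int main(void)
{
    printf("double frees without NULLing ent->ns_name: %d\n", replace_profiles(0));
    printf("double frees with the fix:                 %d\n", replace_profiles(1));
    return 0;
}
```

The pattern is general: whenever a pointer is copied out of a structure that has its own teardown routine, either the copy or the structure must give up ownership at the point of the copy, otherwise two cleanup paths will each believe they own the buffer.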