CVSS: - | EPSS: % | CPEs: 3 | EXPL: 0
CVE-2026-23014 – perf: Ensure swevent hrtimer is properly destroyed
https://notcve.org/view.php?id=CVE-2026-23014
28 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler. • https://git.kernel.org/stable/c/eb3182ef0405ff2f6668fd3e5ff9883f60ce8801 •
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-23013 – net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
https://notcve.org/view.php?id=CVE-2026-23013
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or cras... • https://git.kernel.org/stable/c/1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 •
CVSS: 8.5 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2026-23012 – mm/damon/core: remove call_control in inactive contexts
https://notcve.org/view.php?id=CVE-2026-23012
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the ca... • https://git.kernel.org/stable/c/004ded6bee11b8ed463cdc54b89a4390f4b64f6d •
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-23011 – ipv4: ip_gre: make ipgre_header() robust
https://notcve.org/view.php?id=CVE-2026-23011
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers' ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len. In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was c... • https://git.kernel.org/stable/c/c54419321455631079c7d6e60bc732dd0c5914c5 •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23010 – ipv6: Fix use-after-free in inet6_addr_del().
https://notcve.org/view.php?id=CVE-2026-23010
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807... • https://git.kernel.org/stable/c/cb74207ef98317f8874a0b9780bb339c2eb700b0 •
CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2026-23009 – xhci: sideband: don't dereference freed ring when removing sideband endpoint
https://notcve.org/view.php?id=CVE-2026-23009
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: xhci: sideband: don't dereference freed ring when removing sideband endpoint xhci_sideband_remove_endpoint() incorrectly assumes that the endpoint is running and has a valid transfer ring. Lianqin reported a crash during suspend/wake-up stress testing, and found the cause to be dereferencing a non-existing transfer ring 'ep->ring' during xhci_sideband_remove_endpoint(). The endpoint and its ring may be in unknown state if this function is ca... • https://git.kernel.org/stable/c/de66754e9f8029f8ae955a588959b99cab56b506 •
CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2026-23008 – drm/vmwgfx: Fix KMS with 3D on HW version 10
https://notcve.org/view.php?id=CVE-2026-23008
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix KMS with 3D on HW version 10 HW version 10 does not have GB Surfaces so there is no backing buffer for surface backed FBs. This would result in a nullptr dereference and crash the driver causing a black screen. • https://git.kernel.org/stable/c/965544150d1cadf0e8f5bb6c13c19697e46e1429 •
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2026-23007 – block: zero non-PI portion of auto integrity buffer
https://notcve.org/view.php?id=CVE-2026-23007
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: block: zero non-PI portion of auto integrity buffer The auto-generated integrity buffer for writes needs to be fully initialized before being passed to the underlying block device, otherwise the uninitialized memory can be read back by userspace or anyone with physical access to the storage device. If protection information is generated, that portion of the integrity buffer is already initialized. The integrity data is also zeroed if PI gen... • https://git.kernel.org/stable/c/c546d6f438338017480d105ab597292da67f6f6a •
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-23006 – ASoC: tlv320adcx140: fix null pointer
https://notcve.org/view.php?id=CVE-2026-23006
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv". • https://git.kernel.org/stable/c/4e82971f7b556cff3491c867e8840e7d788693b9 •
CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-23005 – x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
https://notcve.org/view.php?id=CVE-2026-23005
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRST... • https://git.kernel.org/stable/c/820a6ee944e74e57255ac2e90916ecdaade57b95 •
