CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23039 – drm/gud: fix NULL fb and crtc dereferences on USB disconnect
https://notcve.org/view.php?id=CVE-2026-23039
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_atomic_helper_disable_all() is called which sets both the fb and crtc for a plane to NULL before invoking a commit. This causes a kernel oops on every display disconnect. Add guards for those dereferences. In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_atomic_helpe... • https://git.kernel.org/stable/c/73cfd166e045769a1b42d36897accaa6e06b8102 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23038 – pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
https://notcve.org/view.php?id=CVE-2026-23038
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak. Fix this by jumping to the out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources. In the Linux kernel, the following vulnerability has... • https://git.kernel.org/stable/c/d67ae825a59d639e4d8b82413af84d854617a87e •
CVSS: 5.6EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23037 – can: etas_es58x: allow partial RX URB allocation to succeed
https://notcve.org/view.php?id=CVE-2026-23037
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: allow partial RX URB allocation to succeed When es58x_alloc_rx_urbs() fails to allocate the requested number of URBs but succeeds in allocating some, it returns an error code. This causes es58x_open() to return early, skipping the cleanup label 'free_urbs', which leads to the anchored URBs being leaked. As pointed out by maintainer Vincent Mailhol, the driver is designed to handle partial URB allocation gracefully. Therefor... • https://git.kernel.org/stable/c/8537257874e949a59c834cecfd5a063e11b64b0b •
CVSS: 4.7EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23036 – btrfs: release path before iget_failed() in btrfs_read_locked_inode()
https://notcve.org/view.php?id=CVE-2026-23036
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before iget_failed() in btrfs_read_locked_inode() In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to the 'out' label with a path that has a read locked leaf and then we call iget_failed(). This can result in a ABBA deadlock, since iget_failed() triggers inode eviction and that causes the release of the delayed inode, which must lock the delayed inode's mutex, and a task updating a delayed inode start... • https://git.kernel.org/stable/c/69673992b1aea5540199d9b8b658ede72f55a6cf •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23035 – net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
https://notcve.org/view.php?id=CVE-2026-23035
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails. Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a valid netdev. On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failu... • https://git.kernel.org/stable/c/c4d7eb57687f358cd498ea3624519236af8db97e •
CVSS: 5.6EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23034 – drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
https://notcve.org/view.php?id=CVE-2026-23034
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference. When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference. Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated obj... • https://git.kernel.org/stable/c/edc762a51c7181d6fe1e0837e2eb69afb406f98e •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23033 – dmaengine: omap-dma: fix dma_pool resource leak in error paths
https://notcve.org/view.php?id=CVE-2026-23033
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: omap-dma: fix dma_pool resource leak in error paths The dma_pool created by dma_pool_create() is not destroyed when dma_async_device_register() or of_dma_controller_register() fails, causing a resource leak in the probe error paths. Add dma_pool_destroy() in both error paths to properly release the allocated dma_pool resource. In the Linux kernel, the following vulnerability has been resolved: dmaengine: omap-dma: fix dma_pool re... • https://git.kernel.org/stable/c/7bedaa5537604f34d1d63c5ec7891e559d2a61ed •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23032 – null_blk: fix kmemleak by releasing references to fault configfs items
https://notcve.org/view.php?id=CVE-2026-23032
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: null_blk: fix kmemleak by releasing references to fault configfs items When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk driver sets up fault injection support by creating the timeout_inject, requeue_inject, and init_hctx_fault_inject configfs items as children of the top-level nullbX configfs group. However, when the nullbX device is removed, the references taken to these fault-config configfs items are not released. As... • https://git.kernel.org/stable/c/bb4c19e030f45c5416f1eb4daa94fbaf7165e9ea •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23031 – can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
https://notcve.org/view.php?id=CVE-2026-23031
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs_can_close() the URBs are freed by calling usb_kill_anchored_urbs(parent->rx_submitted). However, this does not take into account that the USB framework unancho... • https://git.kernel.org/stable/c/d08e973a77d128b25e01a08c34d89593fdf222da •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23030 – phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
https://notcve.org/view.php?id=CVE-2026-23030
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() The for_each_available_child_of_node() calls of_node_put() to release child_np in each success loop. After breaking from the loop with the child_np has been released, the code will jump to the put_child label and will call the of_node_put() again if the devm_request_threaded_irq() fails. These cause a double free bug. Fix by returning directly to avoid the duplicate... • https://git.kernel.org/stable/c/ed2b5a8e6b98d042b323afbe177a5dc618921b31 •