CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2026-23227 – drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
https://notcve.org/view.php?id=CVE-2026-23227
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem. For example, use-after-free can occur in race scenario like this: ``` CPU0 CPU1 CPU2 ---- ---- ---- vidi_connection_ioctl() if (vidi->connection) // true drm_edid = drm_edid_alloc(); // alloc drm_edid ... • https://git.kernel.org/stable/c/60b75407c172e1f341a8a5097c5cbc97dbbdd893 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2026-23226 – ksmbd: add chann_lock to protect ksmbd_chann_list xarray
https://notcve.org/view.php?id=CVE-2026-23226
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: add chann_lock to protect ksmbd_chann_list xarray ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses. • https://git.kernel.org/stable/c/e4a8a96a93d08570e0405cfd989a8a07e5b6ff33 •
CVSS: -EPSS: %CPEs: 1EXPL: 0CVE-2026-23225 – sched/mmcid: Don't assume CID is CPU owned on mode switch
https://notcve.org/view.php?id=CVE-2026-23225
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Don't assume CID is CPU owned on mode switch Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code. CPU0 CPU1 T1 runs in userspace T0: fork(T4) -> Switch to per CPU CID mode fixup() set MM_CID_TRANSIT on T1/CPU1 T4 exit() T3 exit() T2 exit() T1 exit() switch to per task mode ---> Out of bounds access. As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the TRANSI... • https://git.kernel.org/stable/c/81f29975631db8a78651b3140ecd0f88ffafc476 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2026-23221 – bus: fsl-mc: fix use-after-free in driver_override_show()
https://notcve.org/view.php?id=CVE-2026-23221
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free in driver_override_show() The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock. This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function. Fix this by holding the d... • https://git.kernel.org/stable/c/1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-71230 – hfs: ensure sb->s_fs_info is always cleaned up
https://notcve.org/view.php?id=CVE-2025-71230
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: hfs: ensure sb->s_fs_info is always cleaned up When hfs was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info. If setup_bdev_super() fails after a new superblock has been allocated by sget_fc(), but before hfs_fill_super() takes ownership of the filesystem-specific s_fs_info data it was leaked. Fix this by freeing sb->s_fs_info in hfs_kill_super(). • https://git.kernel.org/stable/c/46c1d56ad321fb024761abd9af61a0cb616cf2f6 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2026-23217 – riscv: trace: fix snapshot deadlock with sbi ecall
https://notcve.org/view.php?id=CVE-2026-23217
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: riscv: trace: fix snapshot deadlock with sbi ecall If sbi_ecall.c's functions are traceable, echo "__sbi_ecall:snapshot" > /sys/kernel/tracing/set_ftrace_filter may get the kernel into a deadlock. (Functions in sbi_ecall.c are excluded from tracing if CONFIG_RISCV_ALTERNATIVE_EARLY is set.) __sbi_ecall triggers a snapshot of the ringbuffer. The snapshot code raises an IPI interrupt, which results in another call to __sbi_ecall and another s... • https://git.kernel.org/stable/c/b1f8285bc8e3508c1fde23b5205f1270215d4984 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-71227 – wifi: mac80211: don't WARN for connections on invalid channels
https://notcve.org/view.php?id=CVE-2025-71227
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't WARN for connections on invalid channels It's not clear (to me) how exactly syzbot managed to hit this, but it seems conceivable that e.g. regulatory changed and has disabled a channel between scanning (channel is checked to be usable by cfg80211_get_ies_channel_number) and connecting on the channel later. With one scenario that isn't covered elsewhere described above, the warning isn't good, replace it with a (more in... • https://git.kernel.org/stable/c/10d3ff7e5812c8d70300f6fa8f524009a06aa7e1 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-71226 – wifi: iwlwifi: Implement settime64 as stub for MVM/MLD PTP
https://notcve.org/view.php?id=CVE-2025-71226
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: Implement settime64 as stub for MVM/MLD PTP Since commit dfb073d32cac ("ptp: Return -EINVAL on ptp_clock_register if required ops are NULL"), PTP clock registered through ptp_clock_register is required to have ptp_clock_info.settime64 set, however, neither MVM nor MLD's PTP clock implementation sets it, resulting in warnings when the interface starts up, like WARNING: drivers/ptp/ptp_clock.c:325 at ptp_clock_register+0x2c8/0x... • https://git.kernel.org/stable/c/ff6892ea544c4052dd5799f675ebc20419953801 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2026-23212 – bonding: annotate data-races around slave->last_rx
https://notcve.org/view.php?id=CVE-2026-23212
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: annotate data-races around slave->last_rx slave->last_rx and slave->target_last_arp_rx[...] can be read and written locklessly. Add READ_ONCE() and WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1: bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bon... • https://git.kernel.org/stable/c/f5b2b966f032f22d3a289045a5afd4afa09f09c6 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2025-71225 – md: suspend array while updating raid_disks via sysfs
https://notcve.org/view.php?id=CVE-2025-71225
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed. However, freeze_array() only waits until nr_sync_pending and (nr_pending - nr_queued) of all buckets reaches zero. When an I/O error occurs, nr_queued is increased and the corresponding r1bio is queued t... • https://git.kernel.org/stable/c/165d1359f945b72c5f90088f60d48ff46115269e •