CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23011 – ipv4: ip_gre: make ipgre_header() robust
https://notcve.org/view.php?id=CVE-2026-23011
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was c... • https://git.kernel.org/stable/c/c54419321455631079c7d6e60bc732dd0c5914c5 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23010 – ipv6: Fix use-after-free in inet6_addr_del().
https://notcve.org/view.php?id=CVE-2026-23010
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807... • https://git.kernel.org/stable/c/cb74207ef98317f8874a0b9780bb339c2eb700b0 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23006 – ASoC: tlv320adcx140: fix null pointer
https://notcve.org/view.php?id=CVE-2026-23006
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv". In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adc... • https://git.kernel.org/stable/c/4e82971f7b556cff3491c867e8840e7d788693b9 •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23005 – x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
https://notcve.org/view.php?id=CVE-2026-23005
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRST... • https://git.kernel.org/stable/c/820a6ee944e74e57255ac2e90916ecdaade57b95 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23004 – dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
https://notcve.org/view.php?id=CVE-2026-23004
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has... • https://git.kernel.org/stable/c/78df76a065ae3b5dbcb9a29912adc02f697de498 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23003 – ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
https://notcve.org/view.php?id=CVE-2026-23003
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 includ... • https://git.kernel.org/stable/c/8d975c15c0cd744000ca386247432d57b21f9df0 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23001 – macvlan: fix possible UAF in macvlan_forward_source()
https://notcve.org/view.php?id=CVE-2026-23001
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netd... • https://git.kernel.org/stable/c/79cf79abce71eb7dbc40e2f3121048ca5405cb47 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23000 – net/mlx5e: Fix crash on profile change rollback failure
https://notcve.org/view.php?id=CVE-2026-23000
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure mlx5e_netdev_change_profile can fail to attach a new profile and can fail to rollback to old profile, in such case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. another attempt to call mlx5e_netdev_change_profile via switchdev mode change, will crash trying to access the now NULL priv->mdev. This fix allows mlx5e_netdev_change_p... • https://git.kernel.org/stable/c/c4d7eb57687f358cd498ea3624519236af8db97e •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-22999 – net/sched: sch_qfq: do not free existing class in qfq_change_class()
https://notcve.org/view.php?id=CVE-2026-22999
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdis... • https://git.kernel.org/stable/c/462dbc9101acd38e92eda93c0726857517a24bbd •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2026-22998 – nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
https://notcve.org/view.php?id=CVE-2026-22998
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() func... • https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be •