CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23241 – audit: add missing syscalls to read class
https://notcve.org/view.php?id=CVE-2026-23241
17 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes will bypass audit rules such as: -w /tmp/test -p rwa -k test_rwa The current patch adds missing syscalls to the audit read class. • https://git.kernel.org/stable/c/ed8efd623a5738e03de09dd74b505d0fb77b09f3 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2025-71239 – audit: add fchmodat2() to change attributes class
https://notcve.org/view.php?id=CVE-2025-71239
17 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: audit: add fchmodat2() to change attributes class fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion than chmod() or fchmodat() will bypass audit rules such as: -w /tmp/test -p rwa -k test_rwa The current patch adds fchmodat2() to the change attributes class. • https://git.kernel.org/stable/c/f714315d7d68898d03093f67285256a8770f903c •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23238 – romfs: check sb_set_blocksize() return value
https://notcve.org/view.php?id=CVE-2026-23238
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=40... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23237 – platform/x86: classmate-laptop: Add missing NULL pointer checks
https://notcve.org/view.php?id=CVE-2026-23237
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: Add missing NULL pointer checks In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it. For example, cmpc_accel_sensitivity_store_v4() is the "show" method of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(), before calling dev_set_drvdata() for inputdev->dev. If the sysfs at... • https://git.kernel.org/stable/c/529aa8cb0a59367d08883f818e8c47028e819d0d •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23236 – fbdev: smscufx: properly copy ioctl memory to kernelspace
https://notcve.org/view.php?id=CVE-2026-23236
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel. • https://git.kernel.org/stable/c/3c8a63e22a0802fd56380f6ab305b419f18eb6f5 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23227 – drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
https://notcve.org/view.php?id=CVE-2026-23227
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem. For example, use-after-free can occur in race scenario like this: ``` CPU0 CPU1 CPU2 ---- ---- ---- vidi_connection_ioctl() if (vidi->connection) // true drm_edid = drm_edid_alloc(); // alloc drm_edid ... • https://git.kernel.org/stable/c/d3b62dbfc7b9bb013926f56db79b60f6c18c392f •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71227 – wifi: mac80211: don't WARN for connections on invalid channels
https://notcve.org/view.php?id=CVE-2025-71227
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't WARN for connections on invalid channels It's not clear (to me) how exactly syzbot managed to hit this, but it seems conceivable that e.g. regulatory changed and has disabled a channel between scanning (channel is checked to be usable by cfg80211_get_ies_channel_number) and connecting on the channel later. With one scenario that isn't covered elsewhere described above, the warning isn't good, replace it with a (more in... • https://git.kernel.org/stable/c/f2d9d270c15ae0139b54a7e7466d738327e97e03 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23212 – bonding: annotate data-races around slave->last_rx
https://notcve.org/view.php?id=CVE-2026-23212
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: annotate data-races around slave->last_rx slave->last_rx and slave->target_last_arp_rx[...] can be read and written locklessly. Add READ_ONCE() and WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1: bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335 bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bon... • https://git.kernel.org/stable/c/f5b2b966f032f22d3a289045a5afd4afa09f09c6 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71225 – md: suspend array while updating raid_disks via sysfs
https://notcve.org/view.php?id=CVE-2025-71225
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed. However, freeze_array() only waits until nr_sync_pending and (nr_pending - nr_queued) of all buckets reaches zero. When an I/O error occurs, nr_queued is increased and the corresponding r1bio is queued t... • https://git.kernel.org/stable/c/e2d59925221cd562e07fee38ec8839f7209ae603 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23216 – scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
https://notcve.org/view.php?id=CVE-2026-23216
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() In iscsit_dec_conn_usage_count(), the function calls complete() while holding the conn->conn_usage_lock. As soon as complete() is invoked, the waiter (such as iscsit_close_connection()) may wake up and proceed to free the iscsit_conn structure. If the waiter frees the memory before the current thread reaches spin_unlock_bh(), it results in a KASAN slab-use-after-free a... • https://git.kernel.org/stable/c/e48354ce078c079996f89d715dfa44814b4eba01 •