CVSS: - | EPSS: % | CPEs: 7 | EXPL: 0
CVE-2026-22977 – net: sock: fix hardened usercopy panic in sock_recv_errqueue
https://notcve.org/view.php?id=CVE-2026-22977
21 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone... • https://git.kernel.org/stable/c/6d07d1cd300f4c7e16005f881fea388164999cc8 •
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-22976 – net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
https://notcve.org/view.php?id=CVE-2026-22976
21 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_ne... • https://git.kernel.org/stable/c/0545a3037773512d3448557ba048cebb73b3e4af •
CVSS: 8.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2025-71144 – mptcp: ensure context reset on disconnect()
https://notcve.org/view.php?id=CVE-2025-71144
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallback to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later __mptcp_close_ssk() does not reset anymore the related subflow context. Any later connection will be created with both the `request_mptcp` flag and the msk-level fallback status off (it is unco... • https://git.kernel.org/stable/c/3a13454fd098ed51e733958488f8ec62859a9ed8 •
CVSS: 7.2 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-71143 – clk: samsung: exynos-clkout: Assign .num before accessing .hws
https://notcve.org/view.php?id=CVE-2025-71143
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds. As noted in that change, the __counted_by member must be initialized with... • https://git.kernel.org/stable/c/f316cdff8d677db9ad9c90acb44c4cd535b0ee27 •
CVSS: 7.2 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-71142 – cpuset: fix warning when disabling remote partition
https://notcve.org/view.php?id=CVE-2025-71142
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: cpuset: fix warning when disabling remote partition A warning was triggered as follows: WARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110 RIP: 0010:remote_partition_disable+0xf7/0x110 RSP: 0018:ffffc90001947d88 EFLAGS: 00000206 RAX: 0000000000007fff RBX: ffff888103b6e000 RCX: 0000000000006f40 RDX: 0000000000006f00 RSI: ffffc90001947da8 RDI: ffff888103b6e000 RBP: ffff888103b6e000 R08: 0000000000000000 R09: 000000000... • https://git.kernel.org/stable/c/f62a5d39368e34a966c8df63e1f05eed7fe9c5de •
CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-71141 – drm/tilcdc: Fix removal actions in case of failed probe
https://notcve.org/view.php?id=CVE-2025-71141
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/tilcdc: Fix removal actions in case of failed probe The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate... • https://git.kernel.org/stable/c/69f03be1fa08a66735d53d92d3429c052540e3bf •
CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-71140 – media: mediatek: vcodec: Use spinlock for context list protection lock
https://notcve.org/view.php?id=CVE-2025-71140
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler. Turns out on the MT8173, the VPU IPI handler is called from hard IRQ context. This causes a big warning from the scheduler. This was ... • https://git.kernel.org/stable/c/0a2dc707aa42214f9c4827bd57e344e29a0841d6 •
CVSS: 7.2 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-71139 – kernel/kexec: fix IMA when allocation happens in CMA area
https://notcve.org/view.php?id=CVE-2025-71139
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: kernel/kexec: fix IMA when allocation happens in CMA area *** Bug description *** When I tested kexec with the latest kernel, I ran into the following warning: [ 40.712410] ------------[ cut here ]------------ [ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198 [...] [ 40.816047] Call trace: [ 40.818498] kimage_map_segment+0x144/0x198 (P) [ 40.823221] ima_kexec_post_load+0x58/0xc0 [ 40.827246] _... • https://git.kernel.org/stable/c/07d24902977e4704fab8472981e73a0ad6dfa1fd •
CVSS: 5.6 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-71138 – drm/msm/dpu: Add missing NULL pointer check for pingpong interface
https://notcve.org/view.php?id=CVE-2025-71138
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Patchwork: https://patchwork.freedesktop.org/patch/693860/ • https://git.kernel.org/stable/c/d7d0e73f7de33a2b9998b607707a3e944ef3b86d •
CVSS: 6.6 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-71137 – octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
https://notcve.org/view.php?id=CVE-2025-71137
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users pass small or zero ring sizes via ethtool -G. • https://git.kernel.org/stable/c/d45d8979840d9c9ac93d3fe8cfc8e794b7228445 •
