CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-23285 – drbd: fix null-pointer dereference on local read error
https://notcve.org/view.php?id=CVE-2026-23285
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: drbd: fix null-pointer dereference on local read error In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to __req_mod() with a NULL peer_device: __req_mod(req, what, NULL, &m); The READ_COMPLETED_WITH_ERROR handler then unconditionally passes this NULL peer_device to drbd_set_out_of_sync(), which dereferences it, causing a null-pointer dereference. Fix this by obtaining the peer_device via first_peer_device(device), matching how ... • https://git.kernel.org/stable/c/0d11f3cf279c5ad20a41f29242f170ba3c02f2da •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23284 – net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()
https://notcve.org/view.php?id=CVE-2026-23284
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Reset eBPF program pointer to old_prog and do not decrease its ref-count if mtk_open routine in mtk_xdp_setup() fails. • https://git.kernel.org/stable/c/7c26c20da5d420cde55618263be4aa2f6de53056 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23281 – wifi: libertas: fix use-after-free in lbs_free_adapter()
https://notcve.org/view.php?id=CVE-2026-23281
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the contain... • https://git.kernel.org/stable/c/954ee164f4f4598afc172c0ec3865d0352e55a0b •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23279 – wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
https://notcve.org/view.php?id=CVE-2026-23279
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check: ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; ... pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value); The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not v... • https://git.kernel.org/stable/c/8f2535b92d685c68db4bc699dd78462a646f6ef9 •
CVSS: 8.2 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31788 – xen/privcmd: restrict usage in unprivileged domU
https://notcve.org/view.php?id=CVE-2026-31788
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows issuing arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains. In case the guest is booted using secure boot, however, the privcmd driver would be enabling a root user process to modify e.g. kernel memory contents, thus breaking the sec... • https://git.kernel.org/stable/c/1c5de1939c204bde9cce87f4eb3d26e9f9eb732b •
CVSS: 7.8 | EPSS: 0% | CPEs: 10 | EXPL: 0
CVE-2026-23278 – netfilter: nf_tables: always walk all pending catchall elements
https://notcve.org/view.php?id=CVE-2026-23278
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch. If the map holding the catchall elements is also going away, it's required to toggle all catchall elements and not just the first viable candidate. Otherwise, we get: WARNING: ./include/net/netfilter/nf_tables.h:1281 a... • https://git.kernel.org/stable/c/628bd3e49cba1c066228e23d71a852c23e26da73 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23277 – net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
https://notcve.org/view.php?id=CVE-2026-23277
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand. When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does: ... • https://git.kernel.org/stable/c/039f50629b7f860f36644ed1f34b27da9aa62f43 •
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-23276 – net: add xmit recursion limit to tunnel xmit functions
https://notcve.org/view.php?id=CVE-2026-23276
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves, and those GRE tunnels route back through the bond, multicast/broadcast traffic triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing kernel stack overflow. The existing XMIT_RECURSION... • https://git.kernel.org/stable/c/745e20f1b626b1be4b100af5d4bf7b3439392f8f •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23274 – netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
https://notcve.org/view.php?id=CVE-2026-23274
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possi... • https://git.kernel.org/stable/c/68983a354a655c35d3fb204489d383a2a051fda7 •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-23273 – macvlan: observe an RCU grace period in macvlan_common_newlink() error path
https://notcve.org/view.php?id=CVE-2026-23273
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: macvlan: observe an RCU grace period in macvlan_common_newlink() error path valis reported that a race condition still happens after my prior patch. macvlan_common_newlink() might have made @dev visible before detecting an error, and its caller will directly call free_netdev(dev). We must respect an RCU period, either in macvlan or the core networking stack. After adding a temporary mdelay(1000) in macvlan_forward_source_one() to open the r... • https://git.kernel.org/stable/c/da5c6b8ae47e414be47e5e04def15b25d5c962dc •
