CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23100 – mm/hugetlb: fix hugetlb_pmd_shared()
https://notcve.org/view.php?id=CVE-2026-23100
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported... • https://git.kernel.org/stable/c/59d9094df3d79443937add8700b2ef1a866b1081 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23099 – bonding: limit BOND_MODE_8023AD to Ethernet devices
https://notcve.org/view.php?id=CVE-2026-23099
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PRE... • https://git.kernel.org/stable/c/872254dd6b1f80cb95ee9e2e22980888533fc293 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23098 – netrom: fix double-free in nr_route_frame()
https://notcve.org/view.php?id=CVE-2026-23098
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb. Several vulnerabilities have been discovered in the Linux kernel that may l... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23097 – migrate: correct lock ordering for hugetlb file folios
https://notcve.org/view.php?id=CVE-2026-23097
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages() -> migrate_hugetlbs() -> unmap_and_move_huge_page() <- Takes folio_lock! -> remove_migration_ptes() -> __rmap_walk_file() -> i_mmap_lock_read() <- Waits for... • https://git.kernel.org/stable/c/336bf30eb76580b579dc711ded5d599d905c0217 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23096 – uacce: fix cdev handling in the cleanup path
https://notcve.org/view.php?id=CVE-2026-23096
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: uacce: fix cdev handling in the cleanup path When cdev_device_add fails, it internally releases the cdev memory, and if cdev_device_del is then executed, it will cause a hang error. To fix it, we check the return value of cdev_device_add() and clear uacce->cdev to avoid calling cdev_device_del in the uacce_remove. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or i... • https://git.kernel.org/stable/c/015d239ac0142ad0e26567fd890ef8d171f13709 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23095 – gue: Fix skb memleak with inner IP protocol 0.
https://notcve.org/view.php?id=CVE-2026-23095
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to... • https://git.kernel.org/stable/c/37dd0247797b168ad1cc7f5dbec825a1ee66535b •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23094 – uacce: fix isolate sysfs check condition
https://notcve.org/view.php?id=CVE-2026-23094
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check condition uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sysfs. Currently, sysfs files are created as long as either isolate_err_threshold_read or isolate_err_threshold_write callback functions are present. However... • https://git.kernel.org/stable/c/e3e289fbc0b520cf469469e8cdba84a50424eb65 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23093 – ksmbd: smbd: fix dma_unmap_sg() nents
https://notcve.org/view.php?id=CVE-2026-23093
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the oldstable distribution (bookworm), these problems have been fixed in version 6.1.162-1. • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23091 – intel_th: fix device leak on output open()
https://notcve.org/view.php?id=CVE-2026-23091
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: intel_th: fix device leak on output open() Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Note that a recent commit fixed the leak in a couple of open() error paths but not all of them, and the reference is still leaking on successful open(). Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or... • https://git.kernel.org/stable/c/39f4034693b7c7bd1fe4cb58c93259d600f55561 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23090 – slimbus: core: fix device reference leak on report present
https://notcve.org/view.php?id=CVE-2026-23090
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: slimbus: core: fix device reference leak on report present Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device has not yet been registered and has to be allocated. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege... • https://git.kernel.org/stable/c/46a2bb5a7f7ea2728be50f8f5b29a20267f700fe •