CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23270 – net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
https://notcve.org/view.php?id=CVE-2026-23270
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet." act_ct was never meant to be used in the egress path, however some users... • https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23269 – apparmor: validate DFA start states are in bounds in unpack_pdb
https://notcve.org/view.php?id=CVE-2026-23269
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read. ================================================================== BUG: KASAN: slab-out-of-boun... • https://git.kernel.org/stable/c/ad5ff3db53c68c2f12936bc74ea5dfe0af943592 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23268 – apparmor: fix unprivileged local user can do privileged policy management
https://notcve.org/view.php?id=CVE-2026-23268
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such ac... • https://git.kernel.org/stable/c/b7fd2c0340eacbee892425e9007647568b7f2a3c •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23267 – f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
https://notcve.org/view.php?id=CVE-2026-23267
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes During SPO tests, when mounting F2FS, an -EINVAL error was returned from f2fs_recover_inode_page. The issue occurred under the following scenario Thread A Thread B f2fs_ioc_commit_atomic_write - f2fs_do_sync_file // atomic = true - f2fs_fsync_node_pages : last_folio = inode folio : schedule before folio_lock(last_folio) f2fs_write_che... • https://git.kernel.org/stable/c/608514deba38c8611ad330d6a3c8e2b9a1f68e4b •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23266 – fbdev: rivafb: fix divide error in nv3_arb()
https://notcve.org/view.php?id=CVE-2026-23266
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacke... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23265 – f2fs: fix to do sanity check on node footer in {read,write}_end_io
https://notcve.org/view.php?id=CVE-2026-23265
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer in {read,write}_end_io -----------[ cut here ]------------ kernel BUG at fs/f2fs/data.c:358! Call Trace:
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23264 – Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"
https://notcve.org/view.php?id=CVE-2026-23264
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem" This reverts commit 7294863a6f01248d72b61d38478978d638641bee. This commit was erroneously applied again after commit 0ab5d711ec74 ("drm/amd: Refactor `amdgpu_aspm` to be evaluated per device") removed it, leading to very hard to debug crashes, when used with a system with two AMD GPUs of which only one supports ASPM. (cherry picked from commit 97a9689300eb2b393ba5efc17c8e5db8359... • https://git.kernel.org/stable/c/0ab5d711ec74d9e60673900974806b7688857947 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23262 – gve: Fix stats report corruption on queue count change
https://notcve.org/view.php?id=CVE-2026-23262
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: gve: Fix stats report corruption on queue count change The driver and the NIC share a region in memory for stats reporting. The NIC calculates its offset into this region based on the total size of the stats region and the size of the NIC's stats. When the number of queues is changed, the driver's stats region is resized. If the queue count is increased, the NIC can write past the end of the allocated stats region, causing memory corruption... • https://git.kernel.org/stable/c/24aeb56f2d38edf1b324bdb4f8bc6faf9f0f540c •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23261 – nvme-fc: release admin tagset if init fails
https://notcve.org/view.php?id=CVE-2026-23261
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-fc: release admin tagset if init fails nvme_fabrics creates an NVMe/FC controller in following path: nvmf_dev_write() -> nvmf_create_ctrl() -> nvme_fc_create_ctrl() -> nvme_fc_init_ctrl() nvme_fc_init_ctrl() allocates the admin blk-mq resources right after nvme_add_ctrl() succeeds. If any of the subsequent steps fail (changing the controller state, scheduling connect work, etc.), we jump to the fail_ctrl path, which tears down the cont... • https://git.kernel.org/stable/c/5fe335a80548e2eda5d51fab801108b323600e95 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23260 – regmap: maple: free entry on mas_store_gfp() failure
https://notcve.org/view.php?id=CVE-2026-23260
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: regmap: maple: free entry on mas_store_gfp() failure regcache_maple_write() allocates a new block ('entry') to merge adjacent ranges and then stores it with mas_store_gfp(). When mas_store_gfp() fails, the new 'entry' remains allocated and is never freed, leaking memory. Free 'entry' on the failure path; on success continue freeing the replaced neighbor blocks ('lower', 'upper'). En el kernel de Linux, la siguiente vulnerabilidad ha sido re... • https://git.kernel.org/stable/c/f033c26de5a5734625d2dd1dc196745fae186f1b •