CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23206 – dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
https://notcve.org/view.php?id=CVE-2026-23206
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_a... • https://git.kernel.org/stable/c/0b1b71370458860579831e77485883fcf2e8fbbe •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23205 – smb/client: fix memory leak in smb2_open_file()
https://notcve.org/view.php?id=CVE-2026-23205
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in smb2_open_file() Reproducer: 1. server: directories are exported read-only 2. client: mount -t cifs //${server_ip}/export /mnt 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct 4. client: umount /mnt 5. client: sleep 1 6. • https://git.kernel.org/stable/c/17e53a15e64b65623b8f2b1185d27d7b1cbf69ab •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23204 – net/sched: cls_u32: use skb_header_pointer_careful()
https://notcve.org/view.php?id=CVE-2026-23204
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. ... GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221 In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not f... • https://git.kernel.org/stable/c/fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23203 – net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue
https://notcve.org/view.php?id=CVE-2026-23203
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for I... • https://git.kernel.org/stable/c/1767bb2d47b715a106287a8f963d9ec6cbab4e69 •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23202 – spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
https://notcve.org/view.php?id=CVE-2026-23202
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. • https://git.kernel.org/stable/c/88db8bb7ed1bb474618acdf05ebd4f0758d244e2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23201 – ceph: fix oops due to invalid pointer for kfree() in parse_longname()
https://notcve.org/view.php?id=CVE-2026-23201
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`. In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply... • https://git.kernel.org/stable/c/bb80f7618832d26f7e395f52f82b1dac76223e5f •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23200 – ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
https://notcve.org/view.php?id=CVE-2026-23200
14 Feb 2026 — Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6010 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:fib6_add_rt2node+0x3433/0x3470 net/ipv6/ip6_fib.c:1217 [...] Call Trace:
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23199 – procfs: avoid fetching build ID while holding VMA lock
https://notcve.org/view.php?id=CVE-2026-23199
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: procfs: avoid fetching build ID while holding VMA lock Fix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock or per-VMA lock, whichever was used to lock VMA under question, to avoid deadlock reported by syzbot: -> #1 (&mm->mmap_lock){++++}-{4:4}: __might_fault+0xed/0x170 _copy_to_iter+0x118/0x1720 copy_page_to_iter+0x12d/0x1e0 filemap_read+0x720/0x10a0 blkdev_read_iter+0x2b5/0x4e0 vfs_read+0x7f4/0xae0 ksys_read+0... • https://git.kernel.org/stable/c/ed5d583a88a9207b866c14ba834984c6f3c51d23 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23198 – KVM: Don't clobber irqfd routing type when deassigning irqfd
https://notcve.org/view.php?id=CVE-2026-23198
14 Feb 2026 — Arcadia_IT_80/Arcadia_IT_80, BIOS 34.78.2-0 09/05/2025 RIP: 0010:__list_add_valid_or_report+0x97/0xc0 Call Trace:
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23197 – i2c: imx: preserve error state in block data length handler
https://notcve.org/view.php?id=CVE-2026-23197
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state in block data length handler When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED. In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state in block data length handler When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state... • https://git.kernel.org/stable/c/5f5c2d4579ca6836f5604cca979debd68ecfe23f •