CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23306 – scsi: pm8001: Fix use-after-free in pm8001_queue_command()
https://notcve.org/view.php?id=CVE-2026-23306
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handle... • https://git.kernel.org/stable/c/e29c47fe8946cc732b0e0d393b65b13c84bb69d0 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23304 – ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
https://notcve.org/view.php?id=CVE-2026-23304
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_... • https://git.kernel.org/stable/c/4832c30d5458387ff2533ff66fbde26ad8bb5a2d •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23303 – smb: client: Don't log plaintext credentials in cifs_set_cifscreds
https://notcve.org/view.php?id=CVE-2026-23303
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: Don't log plaintext credentials in cifs_set_cifscreds When debug logging is enabled, cifs_set_cifscreds() logs the key payload and exposes the plaintext username and password. Remove the debug log to avoid exposing credentials. • https://git.kernel.org/stable/c/8a8798a5ff90977d6459ce1d657cf8fe13a51e97 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23302 – net: annotate data-races around sk->sk_{data_ready,write_space}
https://notcve.org/view.php?id=CVE-2026-23302
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: annotate data-races around sk->sk_{data_ready,write_space} skmsg (and probably other layers) are changing these pointers while other cpus might read them concurrently. Add corresponding READ_ONCE()/WRITE_ONCE() annotations for UDP, TCP and AF_UNIX. • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23300 – net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
https://notcve.org/view.php?id=CVE-2026-23300
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unalloca... • https://git.kernel.org/stable/c/493ced1ac47c48bb86d9d4e8e87df8592be85a0e •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23298 – can: ucan: Fix infinite loop from zero-length messages
https://notcve.org/view.php?id=CVE-2026-23298
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: can: ucan: Fix infinite loop from zero-length messages If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucan_read_bulk_callback(), hanging the system. If the length is 0, just skip the message and go on to the next one. This has been fixed in the kvaser_usb driver in the past in commit 0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in command parsers")... • https://git.kernel.org/stable/c/9f2d3eae88d26c29d96e42983b755940d9169cd9 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2026-23296 – scsi: core: Fix refcount leak for tagset_refcnt
https://notcve.org/view.php?id=CVE-2026-23296
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix refcount leak for tagset_refcnt This leak will cause a hang when tearing down the SCSI host. For example, iscsid hangs with the following call trace: [130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid" #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4 #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f ... • https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23293 – net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
https://notcve.org/view.php?id=CVE-2026-23293
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup(). BUG: kernel NULL pointer dereference, address: 0000000000000380 Oops: Oops: 0000 [... • https://git.kernel.org/stable/c/e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2026-23292 – scsi: target: Fix recursive locking in __configfs_open_file()
https://notcve.org/view.php?id=CVE-2026-23292
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix recursive locking in __configfs_open_file() In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This function called filp_open(), following which these functions were called (in reverse order), according to the call trace: down_read __configfs_open_file do_dentry_open vfs_open do_open path_openat do_filp_open file_open_name filp_open... • https://git.kernel.org/stable/c/b0841eefd9693827afb9888235e26ddd098f9cef •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23291 – nfc: pn533: properly drop the usb interface reference on disconnect
https://notcve.org/view.php?id=CVE-2026-23291
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: properly drop the usb interface reference on disconnect When the device is disconnected from the driver, there is a "dangling" reference count on the usb interface that was grabbed in the probe callback. Fix this up by properly dropping the reference after we are done with it. • https://git.kernel.org/stable/c/c46ee38620a2aa2b25b16bc9738ace80dbff76a4 •