CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23066 – rxrpc: Fix recvmsg() unconditional requeue
https://notcve.org/view.php?id=CVE-2026-23066
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, le... • https://git.kernel.org/stable/c/540b1c48c37ac0ad66212004db21e1ff7e2d78be •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23064 – net/sched: act_ife: avoid possible NULL deref
https://notcve.org/view.php?id=CVE-2026-23064
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT... • https://git.kernel.org/stable/c/295a6e06d21e1f469c9f38b00125a13b60ad4e7c •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23063 – uacce: ensure safe queue release with state management
https://notcve.org/view.php?id=CVE-2026-23063
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `... • https://git.kernel.org/stable/c/015d239ac0142ad0e26567fd890ef8d171f13709 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23062 – platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro
https://notcve.org/view.php?id=CVE-2026-23062
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro The GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs attributes: 1. Off-by-one error: The loop condition used '<=' instead of '<', causing access beyond array bounds. Since array indices are 0-based and go from 0 to instances_count-1, the loop should use '<'. 2. Missing NULL check: The code dereferenced attr_name_kobj->name without checking if attr_name... • https://git.kernel.org/stable/c/5f94f181ca25d8c5b77beb2da0cb466ddb6ece29 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23061 – can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
https://notcve.org/view.php?id=CVE-2026-23061
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and re... • https://git.kernel.org/stable/c/080f40a6fa28dab299da7a652e444b1e2d9231e7 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23060 – crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec
https://notcve.org/view.php?id=CVE-2026-23060
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). Add a minimum AAD length check to fail fast on invalid inputs. Several vuln... • https://git.kernel.org/stable/c/104880a6b470958ddc30e139c41aa4f6ed3a5234 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23059 – scsi: qla2xxx: Sanitize payload size to prevent member overflow
https://notcve.org/view.php?id=CVE-2026-23059
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Sanitize payload size to prevent member overflow In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size reported by firmware is used to calculate the copy length into item->iocb. However, the iocb member is defined as a fixed-size 64-byte array within struct purex_item. If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will overflow the iocb member boundary. While extra memory might be a... • https://git.kernel.org/stable/c/875386b98857822b77ac7f95bdf367b70af5b78c •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23058 – can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
https://notcve.org/view.php?id=CVE-2026-23058
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling... • https://git.kernel.org/stable/c/702171adeed3607ee9603ec30ce081411e36ae42 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23056 – uacce: implement mremap in uacce_vm_ops to return -EPERM
https://notcve.org/view.php?id=CVE-2026-23056
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: uacce: implement mremap in uacce_vm_ops to return -EPERM The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users. The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the default mremap method. This could lead to a risk scenario: An application might first mmap address p1, then mremap to p2, followed by m... • https://git.kernel.org/stable/c/015d239ac0142ad0e26567fd890ef8d171f13709 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71199 – iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
https://notcve.org/view.php?id=CVE-2025-71199
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister but quite a bit later. While the work mentioned above will be used. The sequence of operations that may lead to a UAF... • https://git.kernel.org/stable/c/23ec2774f1cc168b1f32a2e0ed2709cb473bb94e •