CVSS: 7.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-23242 – RDMA/siw: Fix potential NULL pointer dereference in header processing
https://notcve.org/view.php?id=CVE-2026-23242
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer dereference in header processing If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present. KASAN splat: [ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 10... • https://git.kernel.org/stable/c/8b6a361b8c482f22ac99c3273285ff16b23fba91 •
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-71267 – fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST
https://notcve.org/view.php?id=CVE-2025-71267
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it. When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al... • https://git.kernel.org/stable/c/be71b5cba2e6485e8959da7a9f9a44461a1bb074 •
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-71266 – fs: ntfs3: check return value of indx_find to avoid infinite loop
https://notcve.org/view.php?id=CVE-2025-71266
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: check return value of indx_find to avoid infinite loop We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() ... • https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17 •
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2025-71265 – fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
https://notcve.org/view.php?id=CVE-2025-71265
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and r... • https://git.kernel.org/stable/c/be71b5cba2e6485e8959da7a9f9a44461a1bb074 •
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-71239 – audit: add fchmodat2() to change attributes class
https://notcve.org/view.php?id=CVE-2025-71239
17 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: audit: add fchmodat2() to change attributes class fchmodat2(), introduced in version 6.6, is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashion as chmod() or fchmodat() will bypass audit rules such as: -w /tmp/test -p rwa -k test_rwa The current patch adds fchmodat2() to the change attributes class. • https://git.kernel.org/stable/c/09da082b07bbae1c11d9560c8502800039aebcea •
CVSS: 9.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-23240 – tls: Fix race condition in tls_sw_cancel_work_tx()
https://notcve.org/view.php?id=CVE-2026-23240
10 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_... • https://git.kernel.org/stable/c/f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 •
CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-23239 – espintcp: Fix race condition in espintcp_close()
https://notcve.org/view.php?id=CVE-2026-23239
10 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: espintcp: Fix race condition in espintcp_close() This issue was discovered during a code audit. After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcp_tx_work() worker may dereference a freed espintcp ctx or sk. The following is a simple race scenario: cpu0 cpu1 espintcp_close() cancel_work_sync(&ctx->work); espint... • https://git.kernel.org/stable/c/e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 •
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2024-14027 – xattr: switch to CLASS(fd)
https://notcve.org/view.php?id=CVE-2024-14027
09 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument. In multi-threaded processes where fdget() takes the slow path, this permanently leaks one file reference per call, pinning the struct file and associated kernel objects in memory. An unprivileged local user... • https://git.kernel.org/stable/c/c03185f4a23e7f89d84c9981091770e876e64480 •
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-23238 – romfs: check sb_set_blocksize() return value
https://notcve.org/view.php?id=CVE-2026-23238
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=40... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-23237 – platform/x86: classmate-laptop: Add missing NULL pointer checks
https://notcve.org/view.php?id=CVE-2026-23237
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: Add missing NULL pointer checks In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it. For example, cmpc_accel_sensitivity_store_v4() is the "show" method of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(), before calling dev_set_drvdata() for inputdev->dev. If the sysfs at... • https://git.kernel.org/stable/c/529aa8cb0a59367d08883f818e8c47028e819d0d •
