CVSS: 7.3 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-23236 – fbdev: smscufx: properly copy ioctl memory to kernelspace
https://notcve.org/view.php?id=CVE-2026-23236
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:

fbdev: smscufx: properly copy ioctl memory to kernelspace

The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel.

• https://git.kernel.org/stable/c/3c8a63e22a0802fd56380f6ab305b419f18eb6f5
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-23235 – f2fs: fix out-of-bounds access in sysfs attribute read/write
https://notcve.org/view.php?id=CVE-2026-23235
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix out-of-bounds access in sysfs attribute read/write

Some f2fs sysfs attributes suffer from out-of-bounds memory access and incorrect handling of integer values whose size is not 4 bytes. For example:

vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out
vm:~# cat /sys/fs/f2fs/vde/carve_out
65537
vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold
vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold
1

carve_out maps to {struct f2fs_sb_info...

• https://git.kernel.org/stable/c/b59d0bae6ca30c496f298881616258f9cde0d9c6
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-23234 – f2fs: fix to avoid UAF in f2fs_write_end_io()
https://notcve.org/view.php?id=CVE-2026-23234
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid UAF in f2fs_write_end_io()

As syzbot reported a use-after-free issue in f2fs_write_end_io(). It is caused by the race condition below:

loop device                          umount
- worker_thread
- loop_process_work
- do_req_filebacked
- lo_rw_aio
- lo_rw_aio_complete
- blk_mq_end_request
- blk_update_request
- f2fs_write_end_io
- dec_page_count
- folio_end_writeback
                                     - kill_f2fs_super
                                     - kill_block_super
                                     - f2fs_put_super
                                     : free(sbi)
: get_pages(, F2FS...

• https://git.kernel.org/stable/c/e234088758fca3a669ebb1a02d8bf7bf60f0e4ff
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-23233 – f2fs: fix to avoid mapping wrong physical block for swapfile
https://notcve.org/view.php?id=CVE-2026-23233
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid mapping wrong physical block for swapfile

Xiaolong Guo reported a f2fs bug in bugzilla [1]

[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951

Quoted: "When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+, the system experiences data corruption leading to either:
1. dm-verity corruption errors and device reboot
2. F2FS node corruption errors and boot hangs

The issue occurs specifically when:
1. Usin...

• https://git.kernel.org/stable/c/40d76c393cca83938b11eb7ca8983aa3cd0ed69b
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-71238 – scsi: qla2xxx: Fix bsg_done() causing double free
https://notcve.org/view.php?id=CVE-2025-71238
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix bsg_done() causing double free

Kernel panic observed on system,

[5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000
[5353358.825194] #PF: supervisor write access in kernel mode
[5353358.825195] #PF: error_code(0x0002) - not-present page
[5353358.825196] PGD 100006067 P4D 0
[5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI
[5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded...

• https://git.kernel.org/stable/c/1b81e7f3019d632a707e07927e946ffbbc102910
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23231 – netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
https://notcve.org/view.php?id=CVE-2026-23231
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix use-after-free in nf_tables_addchain()

nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between.

This creates two use-after-free conditions:

1) Control-plane: nf_tables_dump_cha...

• https://git.kernel.org/stable/c/91c7b38dc9f0de4f7f444b796d14476bc12df7bc
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23227 – drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
https://notcve.org/view.php?id=CVE-2026-23227
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved:

drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free

Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problems. For example, use-after-free can occur in a race scenario like this:

```
CPU0                                CPU1                CPU2
----                                ----                ----
vidi_connection_ioctl()
if (vidi->connection) // true
drm_edid = drm_edid_alloc(); // alloc drm_edid
...
```

• https://git.kernel.org/stable/c/d3b62dbfc7b9bb013926f56db79b60f6c18c392f
CVSS: 8.8 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-23226 – ksmbd: add chann_lock to protect ksmbd_chann_list xarray
https://notcve.org/view.php?id=CVE-2026-23226
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved:

ksmbd: add chann_lock to protect ksmbd_chann_list xarray

ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses.

• https://git.kernel.org/stable/c/1d9c4172110e645b383ff13eee759728d74f1a5d
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-23221 – bus: fsl-mc: fix use-after-free in driver_override_show()
https://notcve.org/view.php?id=CVE-2026-23221
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved:

bus: fsl-mc: fix use-after-free in driver_override_show()

The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock. This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function. Fix this by holding the d...

• https://git.kernel.org/stable/c/1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-23217 – riscv: trace: fix snapshot deadlock with sbi ecall
https://notcve.org/view.php?id=CVE-2026-23217
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved:

riscv: trace: fix snapshot deadlock with sbi ecall

If sbi_ecall.c's functions are traceable,

echo "__sbi_ecall:snapshot" > /sys/kernel/tracing/set_ftrace_filter

may get the kernel into a deadlock. (Functions in sbi_ecall.c are excluded from tracing if CONFIG_RISCV_ALTERNATIVE_EARLY is set.)

__sbi_ecall triggers a snapshot of the ringbuffer. The snapshot code raises an IPI interrupt, which results in another call to __sbi_ecall and another s...

• https://git.kernel.org/stable/c/1ff95eb2bebda50c4c5406caaf201e0fcb24cc8f
