CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-22996 – net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
https://notcve.org/view.php?id=CVE-2026-22996
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev directly into mlx5e_dev and get mdev from the containing mlx5_adev aux device structure. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to cha... • https://git.kernel.org/stable/c/c4d7eb57687f358cd498ea3624519236af8db97e •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71163 – dmaengine: idxd: fix device leaks on compat bind and unbind
https://notcve.org/view.php?id=CVE-2025-71163
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. • https://git.kernel.org/stable/c/6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 •
CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71162 – dmaengine: tegra-adma: Fix use-after-free
https://notcve.org/view.php?id=CVE-2025-71162
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it. The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet ha... • https://git.kernel.org/stable/c/f46b195799b5cb05338e7c44cb3617eacb56d755 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-22994 – bpf: Fix reference count leak in bpf_prog_test_run_xdp()
https://notcve.org/view.php?id=CVE-2026-22994
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be rele... • https://git.kernel.org/stable/c/1c194998252469cad00a08bd9ef0b99fd255c260 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-22992 – libceph: return the handler error from mon_handle_auth_done()
https://notcve.org/view.php?id=CVE-2026-22992
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the se... • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22991 – libceph: make free_choose_arg_map() resilient to partial allocation
https://notcve.org/view.php?id=CVE-2026-22991
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->ar... • https://git.kernel.org/stable/c/5cf9c4a9959b6273675310d14a834ef14fbca37c •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22990 – libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
https://notcve.org/view.php?id=CVE-2026-22990
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted su... • https://git.kernel.org/stable/c/f24e9980eb860d8600cbe5ef3d2fd9295320d229 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2026-22984 – libceph: prevent potential out-of-bounds reads in handle_auth_done()
https://notcve.org/view.php?id=CVE-2026-22984
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ id... • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-22982 – net: mscc: ocelot: Fix crash when adding interface under a lag
https://notcve.org/view.php?id=CVE-2026-22982
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. T... • https://git.kernel.org/stable/c/528d3f190c98c8f7d9581f68db4af021696727b2 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22980 – nfsd: provide locking for v4_end_grace
https://notcve.org/view.php?id=CVE-2026-22980
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particularly. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called ... • https://git.kernel.org/stable/c/7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 •