CVSS: - • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-23399 – nf_tables: nft_dynset: fix possible stateful expression memleak in error path
https://notcve.org/view.php?id=CVE-2026-23399
28 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nf_tables: nft_dynset: fix possible stateful expression memleak in error path If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place without being released. unreferenced object (percpu) 0x607b97e9cab8 (size 16): comm "softirq", pid 0, jiffies 4294931867 hex dump (first 16 bytes on cpu 3): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 backtrace (crc 0): pcpu_alloc_... • https://git.kernel.org/stable/c/563125a73ac30d7036ae69ca35c40500562c1de4 •
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-23398 – icmp: fix NULL pointer dereference in icmp_tag_validation()
https://notcve.org/view.php?id=CVE-2026-23398
26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing a... • https://git.kernel.org/stable/c/8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e •
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-23397 – nfnetlink_osf: validate individual option lengths in fingerprints
https://notcve.org/view.php?id=CVE-2026-23397
26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000... • https://git.kernel.org/stable/c/11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 •
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-23396 – wifi: mac80211: fix NULL deref in mesh_matches_local()
https://notcve.org/view.php?id=CVE-2026-23396
26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference. The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mes... • https://git.kernel.org/stable/c/2e3c8736820bf72a8ad10721c7e31d36d4fa7790 •
CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-23395 – Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
https://notcve.org/view.php?id=CVE-2026-23395
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow. The spec is quite clear that the same identifier shall not be used on subsequent requests: 'Within each signal... • https://git.kernel.org/stable/c/15f02b91056253e8cdc592888f431da0731337b8 •
CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-23393 – bridge: cfm: Fix race condition in peer_mep deletion
https://notcve.org/view.php?id=CVE-2026-23393
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock (without RTNL) and can re-schedule ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() returning and kfree_rcu() being called. The following is a simple race scenario: cpu0 cpu1 mep_delete_impleme... • https://git.kernel.org/stable/c/dc32cbb3dbd7da38c700d6e0fc6354df24920525 •
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-23392 – netfilter: nf_tables: release flowtable after rcu grace period on error
https://notcve.org/view.php?id=CVE-2026-23392
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane. This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_... • https://git.kernel.org/stable/c/3b49e2e94e6ebb8b23d0955d9e898254455734f8 •
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-23391 – netfilter: xt_CT: drop pending enqueued packets on template removal
https://notcve.org/view.php?id=CVE-2026-23391
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal. - timeout policy, nfnetlink_cttimeout might remove it. The use of templates with zone and event cache filter are safe, since this just copies values. Flush these enqueued packets in case the template rule gets removed. • https://git.kernel.org/stable/c/24de58f465165298aaa8f286b2592f0163706cfe •
CVSS: - • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2026-23389 – ice: Fix memory leak in ice_set_ringparam()
https://notcve.org/view.php?id=CVE-2026-23389
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ice: Fix memory leak in ice_set_ringparam() In ice_set_ringparam, tx_rings and xdp_rings are allocated before rx_rings. If the allocation of rx_rings fails, the code jumps to the done label leaking both tx_rings and xdp_rings. Furthermore, if the setup of an individual Rx ring fails during the loop, the code jumps to the free_tx label which releases tx_rings but leaks xdp_rings. Fix this by introducing a free_xdp label and updating the erro... • https://git.kernel.org/stable/c/fcea6f3da546b93050f3534aadea7bd96c1d7349 •
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-23388 – Squashfs: check metadata block offset is within range
https://notcve.org/view.php?id=CVE-2026-23388
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset. This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access. The fix is to check that the offset is within range in squashfs_read_meta... • https://git.kernel.org/stable/c/f400e12656ab518be107febfe2315fb1eab5a342 •
