CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23099 – bonding: limit BOND_MODE_8023AD to Ethernet devices
https://notcve.org/view.php?id=CVE-2026-23099
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PRE... • https://git.kernel.org/stable/c/872254dd6b1f80cb95ee9e2e22980888533fc293 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23098 – netrom: fix double-free in nr_route_frame()
https://notcve.org/view.php?id=CVE-2026-23098
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb. Several vulnerabilities have been discovered in the Linux kernel that may l... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23097 – migrate: correct lock ordering for hugetlb file folios
https://notcve.org/view.php?id=CVE-2026-23097
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages() -> migrate_hugetlbs() -> unmap_and_move_huge_page() <- Takes folio_lock! -> remove_migration_ptes() -> __rmap_walk_file() -> i_mmap_lock_read() <- Waits for... • https://git.kernel.org/stable/c/336bf30eb76580b579dc711ded5d599d905c0217 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23096 – uacce: fix cdev handling in the cleanup path
https://notcve.org/view.php?id=CVE-2026-23096
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: uacce: fix cdev handling in the cleanup path When cdev_device_add fails, it internally releases the cdev memory, and if cdev_device_del is then executed, it will cause a hang error. To fix it, we check the return value of cdev_device_add() and clear uacce->cdev to avoid calling cdev_device_del in the uacce_remove. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or i... • https://git.kernel.org/stable/c/015d239ac0142ad0e26567fd890ef8d171f13709 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23095 – gue: Fix skb memleak with inner IP protocol 0.
https://notcve.org/view.php?id=CVE-2026-23095
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to... • https://git.kernel.org/stable/c/37dd0247797b168ad1cc7f5dbec825a1ee66535b •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23093 – ksmbd: smbd: fix dma_unmap_sg() nents
https://notcve.org/view.php?id=CVE-2026-23093
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the oldstable distribution (bookworm), these problems have been fixed in version 6.1.162-1. • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23091 – intel_th: fix device leak on output open()
https://notcve.org/view.php?id=CVE-2026-23091
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: intel_th: fix device leak on output open() Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Note that a recent commit fixed the leak in a couple of open() error paths but not all of them, and the reference is still leaking on successful open(). Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or... • https://git.kernel.org/stable/c/39f4034693b7c7bd1fe4cb58c93259d600f55561 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23090 – slimbus: core: fix device reference leak on report present
https://notcve.org/view.php?id=CVE-2026-23090
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: slimbus: core: fix device reference leak on report present Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device has not yet been registered and has to be allocated. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege... • https://git.kernel.org/stable/c/46a2bb5a7f7ea2728be50f8f5b29a20267f700fe •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23089 – ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
https://notcve.org/view.php?id=CVE-2026-23089
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixe... • https://git.kernel.org/stable/c/6639b6c2367f884ca172b78d69f7da17bfab2e5e •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23088 – tracing: Fix crash on synthetic stacktrace field usage
https://notcve.org/view.php?id=CVE-2026-23088
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix crash on synthetic stacktrace field usage When creating a synthetic event based on an existing synthetic event that had a stacktrace field and the new synthetic event used that field a kernel crash occurred: ~# cd /sys/kernel/tracing ~# echo 's:stack unsigned long stack[];' > dynamic_events ~# echo 'hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3' >> events/sched/sched_switch/trigger ~# echo 'hist:keys=next_pid:s1=$s0... • https://git.kernel.org/stable/c/00cf3d672a9dd409418647e9f98784c339c3ff63 •