CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-23405 – apparmor: fix: limit the number of levels of policy namespaces
https://notcve.org/view.php?id=CVE-2026-23405
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix: limit the number of levels of policy namespaces
Currently the number of policy namespaces is not bounded, relying on the user namespace limit. However, policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep, which can be used to exhaust system resources. Hard cap policy namespaces to the same depth as user namespaces.
• https://git.kernel.org/stable/c/c88d4c7b049e87998ac0a9f455aa545cc895ef92
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-23404 – apparmor: replace recursive profile removal with iterative approach
https://notcve.org/view.php?id=CVE-2026-23404
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
apparmor: replace recursive profile removal with iterative approach
The profile removal code uses recursion when removing nested profiles, which can lead to kernel stack exhaustion and system crashes.
Reproducer:
  $ pf='a'; for ((i=0; i<1024; i++)); do echo -e "profile $pf { \n }" | apparmor_parser -K -a; pf="$pf//x"; done
  $ echo -n a > /sys/kernel/security/apparmor/.remove
Replace the recursive __aa_profile_list_release() approach with an i...
• https://git.kernel.org/stable/c/c88d4c7b049e87998ac0a9f455aa545cc895ef92
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-23403 – apparmor: fix memory leak in verify_header
https://notcve.org/view.php?id=CVE-2026-23403
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix memory leak in verify_header
The function sets `*ns = NULL` on every call, leaking the namespace string allocated in previous iterations when multiple profiles are unpacked. This also breaks namespace consistency checking since *ns is always NULL when the comparison is made. Remove the incorrect assignment. The caller (aa_unpack) initializes *ns to NULL once before the loop, which is sufficient.
• https://git.kernel.org/stable/c/dd51c84857630e77c139afe4d9bba65fc051dc3f
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-23401 – KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
https://notcve.org/view.php?id=CVE-2026-23401
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
When installing an emulated MMIO SPTE, do so *after* dropping/zapping the existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was right about it being impossible to convert a shadow-present SPTE to an MMIO SPTE due to a _guest_ write, it failed to account for writes to guest memory that are outside the scope of KVM. E.g. if host userspace modifies a ...
• https://git.kernel.org/stable/c/a54aa15c6bda3ca7e2f9e040ba968a1da303e24f
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-23399 – nf_tables: nft_dynset: fix possible stateful expression memleak in error path
https://notcve.org/view.php?id=CVE-2026-23399
28 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
nf_tables: nft_dynset: fix possible stateful expression memleak in error path
If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place without being released.
  unreferenced object (percpu) 0x607b97e9cab8 (size 16):
    comm "softirq", pid 0, jiffies 4294931867
    hex dump (first 16 bytes on cpu 3):
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    backtrace (crc 0):
      pcpu_alloc_...
• https://git.kernel.org/stable/c/563125a73ac30d7036ae69ca35c40500562c1de4
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23398 – icmp: fix NULL pointer dereference in icmp_tag_validation()
https://notcve.org/view.php?id=CVE-2026-23398
26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
icmp: fix NULL pointer dereference in icmp_tag_validation()
icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing a...
• https://git.kernel.org/stable/c/8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23397 – nfnetlink_osf: validate individual option lengths in fingerprints
https://notcve.org/view.php?id=CVE-2026-23397
26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
nfnetlink_osf: validate individual option lengths in fingerprints
nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL:
  Oops: general protection fault
  KASAN: null-ptr-deref in range [0x0000...
• https://git.kernel.org/stable/c/11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23396 – wifi: mac80211: fix NULL deref in mesh_matches_local()
https://notcve.org/view.php?id=CVE-2026-23396
26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL deref in mesh_matches_local()
mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference.
The other two callers are already safe:
  - ieee80211_mesh_rx_bcn_presp() checks !elems->mes...
• https://git.kernel.org/stable/c/2e3c8736820bf72a8ad10721c7e31d36d4fa7790
CVSS: 8.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23395 – Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
https://notcve.org/view.php?id=CVE-2026-23395
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_DEFER_SETUP) which can cause more than L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer causing an overflow. The spec is quite clear that the same identifier shall not be used on subsequent requests: 'Within each signal...
• https://git.kernel.org/stable/c/15f02b91056253e8cdc592888f431da0731337b8
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-23394 – af_unix: Give up GC if MSG_PEEK intervened.
https://notcve.org/view.php?id=CVE-2026-23394
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
af_unix: Give up GC if MSG_PEEK intervened.
Igor Ushakov reported that GC purged the receive queue of an alive socket due to a race with MSG_PEEK with a nice repro. This is the exact same issue previously fixed by commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK"). After GC was replaced with the current algorithm, the cited commit removed the locking dance in unix_peek_fds() and reintroduced the same issue. The problem is that...
• https://git.kernel.org/stable/c/118f457da9ed58a79e24b73c2ef0aa1987241f0e
