CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23289 – IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
https://notcve.org/view.php?id=CVE-2026-23289
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Fix a user triggerable leak on the system call failure path. • https://git.kernel.org/stable/c/ec34a922d243c3401a694450734e9effb2bafbfe •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23286 – atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
https://notcve.org/view.php?id=CVE-2026-23286
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix null-ptr-deref in lec_arp_clear_vccs syzkaller reported a null-ptr-deref in lec_arp_clear_vccs(). This issue can be easily reproduced using the syzkaller reproducer. In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc). When the underlying VCC is closed, lec_vcc_close() iterates over all ARP entries and calls lec_arp_clear_vccs() for ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23281 – wifi: libertas: fix use-after-free in lbs_free_adapter()
https://notcve.org/view.php?id=CVE-2026-23281
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the contain... • https://git.kernel.org/stable/c/954ee164f4f4598afc172c0ec3865d0352e55a0b •
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-23276 – net: add xmit recursion limit to tunnel xmit functions
https://notcve.org/view.php?id=CVE-2026-23276
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves, and those GRE tunnels route back through the bond, multicast/broadcast traffic triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing kernel stack overflow. The existing XMIT_RECURSION... • https://git.kernel.org/stable/c/745e20f1b626b1be4b100af5d4bf7b3439392f8f •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23271 – perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
https://notcve.org/view.php?id=CVE-2026-23271
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program. • https://git.kernel.org/stable/c/592903cdcbf606a838056bae6d03fc557806c914 •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-23266 – fbdev: rivafb: fix divide error in nv3_arb()
https://notcve.org/view.php?id=CVE-2026-23266
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacke... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-23255 – net: add proper RCU protection to /proc/net/ptype
https://notcve.org/view.php?id=CVE-2026-23255
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: add proper RCU protection to /proc/net/ptype Yin Fengwei reported an RCU stall in ptype_seq_show() and provided a patch. Real issue is that ptype_seq_next() and ptype_seq_show() violate RCU rules. ptype_seq_show() runs under rcu_read_lock(), and reads pt->dev to get device name without any barrier. At the same time, concurrent writers can remove a packet_type structure (which is correctly freed after an RCU grace period) and clear pt->... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23253 – media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
https://notcve.org/view.php?id=CVE-2026-23253
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-core: fix wrong reinitialization of ringbuffer on reopen dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with... • https://git.kernel.org/stable/c/34731df288a5ffe4b0c396caf8cd24c6a710a222 •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-23243 – RDMA/umad: Reject negative data_len in ib_umad_write
https://notcve.org/view.php?id=CVE-2026-23243
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list(). Add an explicit check to reject negative data_len before ... • https://git.kernel.org/stable/c/2be8e3ee8efd6f99ce454115c29d09750915021a •
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-23238 – romfs: check sb_set_blocksize() return value
https://notcve.org/view.php?id=CVE-2026-23238
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=40... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
