CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-23385 – netfilter: nf_tables: clone set on flush only
https://notcve.org/view.php?id=CVE-2026-23385
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: clone set on flush only Syzbot with fault injection triggered a failing memory allocation with GFP_KERNEL which results in a WARN splat: iter.err WARNING: net/netfilter/nf_tables_api.c:845 at nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845, CPU#0: syz.0.17/5992 Modules linked in: CPU: 0 UID: 0 PID: 5992 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Go... • https://git.kernel.org/stable/c/3f1d886cc7c3525d4dbeee24bfa9bb3fe0d48ddc •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-23384 – RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
https://notcve.org/view.php?id=CVE-2026-23384
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix kernel stack leak in ionic_create_cq()

    struct ionic_cq_resp resp {
        __u32 cqid[2];   // offset 0 - PARTIALLY SET (see below)
        __u8 udma_mask;  // offset 8 - SET (resp.udma_mask = vcq->udma_mask)
        __u8 rsvd[7];    // offset 9 - NEVER SET <- LEAK
    };

rsvd[7]: 7 bytes of stack memory leaked unconditionally.
cqid[2]: The loop at line 1256 iterates over udma_idx but skips indices where !(vcq->udma_mask & BIT(udma_idx)). The array has 2 ent... • https://git.kernel.org/stable/c/e8521822c733c6deab0f339843cd37cd62c12795 •
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-23383 – bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
https://notcve.org/view.php?id=CVE-2026-23383
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer. Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary. This leads to two issues: 1. • https://git.kernel.org/stable/c/b2ad54e1533e91449cb2a371e034942bd7882b58 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23382 – HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
https://notcve.org/view.php?id=CVE-2026-23382
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), we handle the fact that raw event callbacks can happen even for a HID device that has not been "claimed" causing a crash if a broken device were attempted to be connected to the system. Fix up the remaining in-tree HID drivers that forgot to add this same check to resolve the same... • https://git.kernel.org/stable/c/d0742abaa1c396a26bb3d3ce2732988cd3faa020 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23381 – net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
https://notcve.org/view.php?id=CVE-2026-23381
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. Then, if neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will dereference ipv6_stub->nd_tbl which is NULL, passing it to neigh_lookup(). This causes a kernel NULL... • https://git.kernel.org/stable/c/ed842faeb2bd49256f00485402f3113205f91d30 •
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-23380 – tracing: Fix WARN_ON in tracing_buffers_mmap_close
https://notcve.org/view.php?id=CVE-2026-23380
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix WARN_ON in tracing_buffers_mmap_close When a process forks, the child process copies the parent's VMAs but the user_mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing_buffers_mmap_close() is called twice. On the second call, user_mapped is already 0, causing the function to return -ENODEV and triggering a WARN_ON. Normally, this isn't an issue as the memory is mapped w... • https://git.kernel.org/stable/c/cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23379 – net/sched: ets: fix divide by zero in the offload path
https://notcve.org/view.php?id=CVE-2026-23379
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: fix divide by zero in the offload path Offloading ETS requires computing each class' WRR weight: this is done by averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned int, the same integer size as the individual DRR quanta, can overflow and even cause division by zero, like it happened in the following splat: Oops: divide error: 0000 [#1] SMP PTI CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme... • https://git.kernel.org/stable/c/d35eb52bd2ac7557b62bda52668f2e64dde2cf90 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23378 – net/sched: act_ife: Fix metalist update behavior
https://notcve.org/view.php?id=CVE-2026-23378
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: Fix metalist update behavior Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being inappropriate behavior, this may lead to an unbounded addition of metadata to the metalist which might cause an out of bounds error when running the encode op: [ 138.423369][ C1] ===========================================... • https://git.kernel.org/stable/c/aa9fd9a325d51fa0b11153b03b8fefff569fa955 •
CVSS: - | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2026-23377 – ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz
https://notcve.org/view.php?id=CVE-2026-23377
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz The only user of the frag_size field in XDP RxQ info is bpf_xdp_frags_increase_tail(). It clearly expects the whole buff size instead of the DMA write size. Different assumptions in the ice driver configuration lead to negative tailroom. This allows triggering a kernel panic when using the XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test and changing packet size to 6912 and the requested offset ... • https://git.kernel.org/stable/c/2fba7dc5157b6f85dbf1b8e26e63a724db1f3d79 •
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-23376 – nvmet-fcloop: Check remoteport port_state before calling done callback
https://notcve.org/view.php?id=CVE-2026-23376
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nvmet-fcloop: Check remoteport port_state before calling done callback In nvme_fc_handle_ls_rqst_work, the lsrsp->done callback is only set when remoteport->port_state is FC_OBJSTATE_ONLINE. Otherwise, the nvme_fc_xmt_ls_rsp's LLDD call to lport->ops->xmt_ls_rsp is expected to fail and the nvme-fc transport layer itself will directly call nvme_fc_xmt_ls_rsp_free instead of relying on LLDD's done callback to free the lsrsp resources. Update ... • https://git.kernel.org/stable/c/10c165af35d225eb033f4edc7fcc699a8d2d533d •
