CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2026-22988 – arp: do not assume dev_hard_header() does not change skb->head
https://notcve.org/view.php?id=CVE-2026-22988
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making... • https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-22985 – idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
https://notcve.org/view.php?id=CVE-2026-22985
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interfa... • https://git.kernel.org/stable/c/a251eee62133774cf35ff829041377e721ef9c8c •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2026-22984 – libceph: prevent potential out-of-bounds reads in handle_auth_done()
https://notcve.org/view.php?id=CVE-2026-22984
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ id... • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-22982 – net: mscc: ocelot: Fix crash when adding interface under a lag
https://notcve.org/view.php?id=CVE-2026-22982
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. T... • https://git.kernel.org/stable/c/528d3f190c98c8f7d9581f68db4af021696727b2 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-22981 – idpf: detach and close netdevs while handling a reset
https://notcve.org/view.php?id=CVE-2026-22981
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: idpf: detach and close netdevs while handling a reset Protect the reset path from callbacks by setting the netdevs to detached state and close any netdevs in UP state until the reset handling has completed. During a reset, the driver will de-allocate resources for the vport, and there is no guarantee that those will recover, which is why the existing vport_ctrl_lock does not provide sufficient protection. idpf_detach_and_close() is called r... • https://git.kernel.org/stable/c/0fe45467a1041ea3657a7fa3a791c84c104fbd34 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22980 – nfsd: provide locking for v4_end_grace
https://notcve.org/view.php?id=CVE-2026-22980
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particularly. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called ... • https://git.kernel.org/stable/c/7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22979 – net: fix memory leak in skb_segment_list for GRO packets
https://notcve.org/view.php?id=CVE-2026-22979
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prio... • https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22978 – wifi: avoid kernel-infoleak from struct iw_point
https://notcve.org/view.php?id=CVE-2026-22978
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. In the Linux kernel, the following vulnerability has been resolved: wifi: avoid ke... • https://git.kernel.org/stable/c/87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71161 – dm-verity: disable recursive forward error correction
https://notcve.org/view.php?id=CVE-2025-71161
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. • https://git.kernel.org/stable/c/a739ff3f543afbb4a041c16cd0182c8e8d366e70 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71160 – netfilter: nf_tables: avoid chain re-validation if possible
https://notcve.org/view.php?id=CVE-2025-71160
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immed... • https://git.kernel.org/stable/c/a654de8fdc1815676ab750e70cab231fc814c29f •