CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23393 – bridge: cfm: Fix race condition in peer_mep deletion
https://notcve.org/view.php?id=CVE-2026-23393
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock (without RTNL) and can re-schedule ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync() returning and kfree_rcu() being called. The following is a simple race scenario: cpu0 cpu1 mep_delete_impleme... • https://git.kernel.org/stable/c/dc32cbb3dbd7da38c700d6e0fc6354df24920525 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23392 – netfilter: nf_tables: release flowtable after rcu grace period on error
https://notcve.org/view.php?id=CVE-2026-23392
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane. This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_... • https://git.kernel.org/stable/c/3b49e2e94e6ebb8b23d0955d9e898254455734f8 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23391 – netfilter: xt_CT: drop pending enqueued packets on template removal
https://notcve.org/view.php?id=CVE-2026-23391
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal. - timeout policy, nfnetlink_cttimeout might remove it. The use of templates with zone and event cache filter are safe, since this just copies values. Flush these enqueued packets in case the template rule gets removed. • https://git.kernel.org/stable/c/24de58f465165298aaa8f286b2592f0163706cfe •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23390 – tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2026-23390
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. With devices like virtio-gpu creating large DRM buffers, nents can exceed 1000 entries, resulting in: phys_addrs: 1000 * 8 bytes = 8,000 bytes dma_addrs: 1000 * 8 bytes = 8,000 bytes lengths: 1000 * 4 bytes = 4,000 bytes Total: ~20,000 bytes This exceeds PERF_MAX_TRACE... • https://git.kernel.org/stable/c/038eb433dc1474c4bc7d33188294e3d4778efdfd •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23389 – ice: Fix memory leak in ice_set_ringparam()
https://notcve.org/view.php?id=CVE-2026-23389
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ice: Fix memory leak in ice_set_ringparam() In ice_set_ringparam, tx_rings and xdp_rings are allocated before rx_rings. If the allocation of rx_rings fails, the code jumps to the done label leaking both tx_rings and xdp_rings. Furthermore, if the setup of an individual Rx ring fails during the loop, the code jumps to the free_tx label which releases tx_rings but leaks xdp_rings. Fix this by introducing a free_xdp label and updating the erro... • https://git.kernel.org/stable/c/fcea6f3da546b93050f3534aadea7bd96c1d7349 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23388 – Squashfs: check metadata block offset is within range
https://notcve.org/view.php?id=CVE-2026-23388
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset. This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access. The fix is to check that the offset is within range in squashfs_read_meta... • https://git.kernel.org/stable/c/f400e12656ab518be107febfe2315fb1eab5a342 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23387 – pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()
https://notcve.org/view.php?id=CVE-2026-23387
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put. • https://git.kernel.org/stable/c/9026f31a520d43cc01eb1c08938fc19efadd78cc •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23386 – gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL
https://notcve.org/view.php?id=CVE-2026-23386
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to unmap entries in the dma array. This leads to two issues: 1. The dma array shares storage with tx_qpl_buf_ids (union). Interpreting buffer IDs as DMA addresses results in attempting to unmap incorrect memory locations. 2. num_bufs in ... • https://git.kernel.org/stable/c/a6fb8d5a8b6925f1e635818d3dd2d89531d4a058 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23385 – netfilter: nf_tables: clone set on flush only
https://notcve.org/view.php?id=CVE-2026-23385
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: clone set on flush only Syzbot with fault injection triggered a failing memory allocation with GFP_KERNEL which results in a WARN splat: iter.err WARNING: net/netfilter/nf_tables_api.c:845 at nft_map_deactivate+0x34e/0x3c0 net/netfilter/nf_tables_api.c:845, CPU#0: syz.0.17/5992 Modules linked in: CPU: 0 UID: 0 PID: 5992 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Go... • https://git.kernel.org/stable/c/3f1d886cc7c3525d4dbeee24bfa9bb3fe0d48ddc •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23383 – bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
https://notcve.org/view.php?id=CVE-2026-23383
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer. Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary. This leads to two issues: 1. • https://git.kernel.org/stable/c/b2ad54e1533e91449cb2a371e034942bd7882b58 •