CVSS: 5.5 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2026-22979 – net: fix memory leak in skb_segment_list for GRO packets
https://notcve.org/view.php?id=CVE-2026-22979
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prio... • https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad •
CVSS: 5.5 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2026-22978 – wifi: avoid kernel-infoleak from struct iw_point
https://notcve.org/view.php?id=CVE-2026-22978
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point
struct iw_point has a 32bit hole on 64bit arches.
    struct iw_point {
        void __user *pointer; /* Pointer to the data (in user space) */
        __u16 length;         /* number of fields or size in bytes */
        __u16 flags;          /* Optional params */
    };
Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. • https://git.kernel.org/stable/c/87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 •
CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-71161 – dm-verity: disable recursive forward error correction
https://notcve.org/view.php?id=CVE-2025-71161
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction
There are two problems with the recursive correction:
1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. • https://git.kernel.org/stable/c/a739ff3f543afbb4a041c16cd0182c8e8d366e70 •
CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-71160 – netfilter: nf_tables: avoid chain re-validation if possible
https://notcve.org/view.php?id=CVE-2025-71160
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible
Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate():
    watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]
    [..]
    RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]
    [..]
    nft_immediate_validate+0x36/0x50 [nf_tables]
    nft_chain_validate+0xc9/0x110 [nf_tables]
    nft_immediate_validate+0x36/0x50 [nf_tables]
    nft_chain_validate+0xc9/0x110 [nf_tables]
    nft_immed...
• https://git.kernel.org/stable/c/a654de8fdc1815676ab750e70cab231fc814c29f •
CVSS: 5.5 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2025-71154 – net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
https://notcve.org/view.php?id=CVE-2025-71154
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and th... • https://git.kernel.org/stable/c/4d12997a9bb3d217ad4b925ec3074ec89364bf95 •
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-71152 – net: dsa: properly keep track of conduit reference
https://notcve.org/view.php?id=CVE-2025-71152
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference
Problem description
-------------------
DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. There are two distinct problems.
1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit's kobject. Nominally, the OF and non-OF paths should result in objects ha... • https://git.kernel.org/stable/c/83c0afaec7b730b16c518aecc8e6246ec91b265e •
CVSS: 7.1 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-71150 – ksmbd: Fix refcount leak when invalid session is found on session lookup
https://notcve.org/view.php?id=CVE-2025-71150
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, it indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session. • https://git.kernel.org/stable/c/37a0e2b362b3150317fb6e2139de67b1e29ae5ff •
CVSS: 6.6 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-71149 – io_uring/poll: correctly handle io_poll_add() return value on update
https://notcve.org/view.php?id=CVE-2025-71149
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ens... • https://git.kernel.org/stable/c/97b388d70b53fd7d286ac1b81e5a88bd6af98209 •
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-71147 – KEYS: trusted: Fix a memory leak in tpm2_load_cmd
https://notcve.org/view.php?id=CVE-2025-71147
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a temporary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob with a cleanup helper. • https://git.kernel.org/stable/c/f2219745250f388edacabe6cca73654131c67d0a •
CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-71145 – usb: phy: isp1301: fix non-OF device reference imbalance
https://notcve.org/view.php?id=CVE-2025-71145
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the re... • https://git.kernel.org/stable/c/21c7c83d592e6335bfb6d65608da3726f976bad4 •
