CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23472 – serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
https://notcve.org/view.php?id=CVE-2026-23472
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can wri... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23468 – drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
https://notcve.org/view.php?id=CVE-2026-23468
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which... • https://git.kernel.org/stable/c/d38ceaf99ed015f2a0b9af3499791bd3a3daae21 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23462 – Bluetooth: HIDP: Fix possible UAF
https://notcve.org/view.php?id=CVE-2026-23462
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 [ 97.809947] Call Trace: ... • https://git.kernel.org/stable/c/b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23460 – net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
https://notcve.org/view.php?id=CVE-2026-23460
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time w... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23458 – netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
https://notcve.org/view.php?id=CVE-2026-23458
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ... • https://git.kernel.org/stable/c/e844a928431fa8f1359d1f4f2cef53d9b446bf52 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23457 – netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
https://notcve.org/view.php?id=CVE-2026-23457
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculat... • https://git.kernel.org/stable/c/f5b321bd37fbec9188feb1f721ab46a5ac0b35da •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23456 – netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
https://notcve.org/view.php?id=CVE-2026-23456
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a b... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23455 – netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
https://notcve.org/view.php?id=CVE-2026-23455
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23452 – PM: runtime: Fix a race condition related to device removal
https://notcve.org/view.php?id=CVE-2026-23452
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by ... • https://git.kernel.org/stable/c/5e928f77a09a07f9dd595bb8a489965d69a83458 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23448 – net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
https://notcve.org/view.php?id=CVE-2026-23448
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) but the second check omits it: if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) This validates the DPE array size against... • https://git.kernel.org/stable/c/ff06ab13a4ccae4acb44a2d4e3ece367b616ab50 •