CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-22982 – net: mscc: ocelot: Fix crash when adding interface under a lag
https://notcve.org/view.php?id=CVE-2026-22982
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. T... • https://git.kernel.org/stable/c/528d3f190c98c8f7d9581f68db4af021696727b2 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22980 – nfsd: provide locking for v4_end_grace
https://notcve.org/view.php?id=CVE-2026-22980
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particularly. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called ... • https://git.kernel.org/stable/c/7f5ef2e900d9462bf9cffaf6bb246ed87a20a6d6 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22979 – net: fix memory leak in skb_segment_list for GRO packets
https://notcve.org/view.php?id=CVE-2026-22979
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prio... • https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22978 – wifi: avoid kernel-infoleak from struct iw_point
https://notcve.org/view.php?id=CVE-2026-22978
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. In the Linux kernel, the following vulnerability has been resolved: wifi: avoid ke... • https://git.kernel.org/stable/c/87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71161 – dm-verity: disable recursive forward error correction
https://notcve.org/view.php?id=CVE-2025-71161
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. • https://git.kernel.org/stable/c/a739ff3f543afbb4a041c16cd0182c8e8d366e70 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71160 – netfilter: nf_tables: avoid chain re-validation if possible
https://notcve.org/view.php?id=CVE-2025-71160
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immed... • https://git.kernel.org/stable/c/a654de8fdc1815676ab750e70cab231fc814c29f •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71154 – net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
https://notcve.org/view.php?id=CVE-2025-71154
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and th... • https://git.kernel.org/stable/c/4d12997a9bb3d217ad4b925ec3074ec89364bf95 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71152 – net: dsa: properly keep track of conduit reference
https://notcve.org/view.php?id=CVE-2025-71152
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference Problem description ------------------- DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. There are two distinct problems. 1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit's kobject. Nominally, the OF and non-OF paths should result in objects ha... • https://git.kernel.org/stable/c/83c0afaec7b730b16c518aecc8e6246ec91b265e •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71150 – ksmbd: Fix refcount leak when invalid session is found on session lookup
https://notcve.org/view.php?id=CVE-2025-71150
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, It indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session. In the Linux kernel, th... • https://git.kernel.org/stable/c/37a0e2b362b3150317fb6e2139de67b1e29ae5ff •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71149 – io_uring/poll: correctly handle io_poll_add() return value on update
https://notcve.org/view.php?id=CVE-2025-71149
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ens... • https://git.kernel.org/stable/c/97b388d70b53fd7d286ac1b81e5a88bd6af98209 •