CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71184 – btrfs: fix NULL dereference on root when tracing inode eviction
https://notcve.org/view.php?id=CVE-2025-71184
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_inode(). Hence, we either should set the ->root_objectid to 0 in case the root is NULL, or we move tracing setup after checking that the root is not NULL. Setting ... • https://git.kernel.org/stable/c/1abe9b8a138c9988ba8f7bfded6453649a31541f •
CVSS: 6.3EPSS: 0%CPEs: 9EXPL: 0CVE-2025-71183 – btrfs: always detect conflicting inodes when logging inode refs
https://notcve.org/view.php?id=CVE-2025-71183
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only of the inodes and after a power failure that can result in an attempt to delete the other inode when it should not because it was not deleted before the power fail... • https://git.kernel.org/stable/c/56f23fdbb600e6087db7b009775b95ce07cc3195 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71182 – can: j1939: make j1939_session_activate() fail if device is no longer registered
https://notcve.org/view.php?id=CVE-2025-71182
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 even after commit 93a27b5891b8 ("can: j1939: add missing calls in NETDEV_UNREGISTER notification handler") was added. A debug printk() patch found that j1939_session_activate() can succeed even after j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNR... • https://git.kernel.org/stable/c/9d71dd0c70099914fcd063135da3c580865e924c •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71180 – counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
https://notcve.org/view.php?id=CVE-2025-71180
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as CONFIG_PROVE_RAW_LOCK_NESTING warns: ============================= [ BUG: Invalid wait context ] 6.18.0-rc1+git... #1 ----------------------------- some-user-space-process/1251 is trying to lock: (&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter] other info that might help us debug this: context-{2:2... • https://git.kernel.org/stable/c/a55ebd47f21f6f0472766fb52c973849e31d1466 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23013 – net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
https://notcve.org/view.php?id=CVE-2026-23013
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or cras... • https://git.kernel.org/stable/c/1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23011 – ipv4: ip_gre: make ipgre_header() robust
https://notcve.org/view.php?id=CVE-2026-23011
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was c... • https://git.kernel.org/stable/c/c54419321455631079c7d6e60bc732dd0c5914c5 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23010 – ipv6: Fix use-after-free in inet6_addr_del().
https://notcve.org/view.php?id=CVE-2026-23010
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807... • https://git.kernel.org/stable/c/836deb96383ed9c1a411f172954d74b3f74ec6ac •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23006 – ASoC: tlv320adcx140: fix null pointer
https://notcve.org/view.php?id=CVE-2026-23006
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv". In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adc... • https://git.kernel.org/stable/c/4e82971f7b556cff3491c867e8840e7d788693b9 •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23005 – x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
https://notcve.org/view.php?id=CVE-2026-23005
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRST... • https://git.kernel.org/stable/c/820a6ee944e74e57255ac2e90916ecdaade57b95 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23004 – dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
https://notcve.org/view.php?id=CVE-2026-23004
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has... • https://git.kernel.org/stable/c/78df76a065ae3b5dbcb9a29912adc02f697de498 •