CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23204 – net/sched: cls_u32: use skb_header_pointer_careful()
https://notcve.org/view.php?id=CVE-2026-23204
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221 In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_hea... • https://git.kernel.org/stable/c/fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23198 – KVM: Don't clobber irqfd routing type when deassigning irqfd
https://notcve.org/view.php?id=CVE-2026-23198
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to handle a concurrent routing update, verify that the irqfd is still active before consuming the routing information. As evidenced by the x86 and arm64 bugs, and anot... • https://git.kernel.org/stable/c/f70c20aaf141adb715a2d750c55154073b02a9c3 •
CVSS: 7.0EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23193 – scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
https://notcve.org/view.php?id=CVE-2026-23193
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute s... • https://git.kernel.org/stable/c/e48354ce078c079996f89d715dfa44814b4eba01 •
CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23191 – ALSA: aloop: Fix racy access at PCM trigger
https://notcve.org/view.php?id=CVE-2026-23191
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers. For addressing the UAF, this patch changes two things:... • https://git.kernel.org/stable/c/b1c73fc8e697eb73e23603e465e9af2711ed4183 •
CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23176 – platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
https://notcve.org/view.php?id=CVE-2026-23176
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully. toshiba_haps_remove() does not free the object pointed to by toshiba_haps before clearing that pointer, so it becomes unreachable allocated memory. Address these memory leaks by using devm_kzalloc() for allocating the memory in question. In the Linux ke... • https://git.kernel.org/stable/c/23d0ba0c908ac10139f0351023c64198d7fc1409 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71224 – wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
https://notcve.org/view.php?id=CVE-2025-71224
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined ieee80211_ocb_rx_no_sta() assumes a valid channel context, which is only present after JOIN_OCB. RX may run before JOIN_OCB is executed, in which case the OCB interface is not operational. Skip RX peer handling when the interface is not joined to avoid warnings in the RX path. In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: ocb: skip rx_no_s... • https://git.kernel.org/stable/c/239281f803e2efdb77d906ef296086b6917e5d71 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71222 – wifi: wlcore: ensure skb headroom before skb_push
https://notcve.org/view.php?id=CVE-2025-71222
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes). In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 by... • https://git.kernel.org/stable/c/f5fc0f86b02afef1119b523623b4cde41475bc8c •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71221 – dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
https://notcve.org/view.php?id=CVE-2025-71221
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors: CPU 0 CPU 1 ----- ----- mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet(... • https://git.kernel.org/stable/c/1b38da264674d6a0fe26a63996b8f88b88c3da48 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23170 – drm/imx/tve: fix probe device leak
https://notcve.org/view.php?id=CVE-2026-23170
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/imx/tve: fix probe device leak Make sure to drop the reference taken to the DDC device during probe on probe failure (e.g. probe deferral) and on driver unbind. In the Linux kernel, the following vulnerability has been resolved: drm/imx/tve: fix probe device leak Make sure to drop the reference taken to the DDC device during probe on probe failure (e.g. probe deferral) and on driver unbind. • https://git.kernel.org/stable/c/fcbc51e54d2aa9d402206601f4894251049e5d77 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23167 – nfc: nci: Fix race between rfkill and nci_unregister_device().
https://notcve.org/view.php?id=CVE-2026-23167
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix race between rfkill and nci_unregister_device(). syzbot reported the splat below [0] without a repro. It indicates that struct nci_dev.cmd_wq had been destroyed before nci_close_device() was called via rfkill. nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which (I think) was called from virtual_ncidev_close() when syzbot close()d an fd of virtual_ncidev. The problem is that nci_unregister_device() destroys nci_d... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •