CVSS: - | EPSS: % | CPEs: 4 | EXPL: 0
CVE-2026-23230 – smb: client: split cached_fid bitfields to avoid shared-byte RMW races
https://notcve.org/view.php?id=CVE-2026-23230
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: split cached_fid bitfields to avoid shared-byte RMW races is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others. A possible interleaving is: CPU1: load old byte (has_lea... • https://git.kernel.org/stable/c/4386f6af8aaedd0c5ad6f659b40cadcc8f423828 •
CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2026-23210 – ice: Fix PTP NULL pointer dereference during VSI rebuild
https://notcve.org/view.php?id=CVE-2026-23210
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ice: Fix PTP NULL pointer dereference during VSI rebuild Fix race condition where PTP periodic work runs while VSI is being rebuilt, accessing NULL vsi->rx_rings. The sequence was:
1. ice_ptp_prepare_for_reset() cancels PTP work
2. ice_ptp_rebuild() immediately queues PTP work
3. VSI rebuild happens AFTER ice_ptp_rebuild()
4. PTP work runs and accesses NULL vsi->rx_rings
Fix: Keep PTP work cancelled during rebuild, only queue it after VSI r... • https://git.kernel.org/stable/c/803bef817807d2d36c930dada20c96fffae0dd19 •
CVSS: 6.3 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-23209 – macvlan: fix error recovery in macvlan_common_newlink()
https://notcve.org/view.php?id=CVE-2026-23209
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel:
    ip link add p1 type veth peer p2
    ip link set address 00:00:00:00:00:20 dev p1
    ip link set up dev p1
    ip link set up dev p2
    ip link add mv0 link p2 type macvlan mode source
    ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
    ping -c1 -I p1 1.2.3.4
He also gave a very detailed analysis: The issu... • https://git.kernel.org/stable/c/aa5fd0fb77486b8a6764ead8627baa14790e4280 •
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-23208 – ALSA: usb-audio: Prevent excessive number of frames
https://notcve.org/view.php?id=CVE-2026-23208
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240. When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, wh... • https://git.kernel.org/stable/c/02c56650f3c118d3752122996d96173d26bb13aa •
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23207 – spi: tegra210-quad: Protect curr_xfer check in IRQ handler
https://notcve.org/view.php?id=CVE-2026-23207
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur:
    CPU0 (ISR thread)              CPU1 (timeout path)
    ----------------               -------------------
    if (!tqspi->curr_xfer)
      // sees non-NULL
                                   spin_lock()
                                   tqspi->curr_xfer = NULL
                                   spin_unlock()
    handle_*_xfer()
    spin...
• https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc •
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23206 – dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
https://notcve.org/view.php?id=CVE-2026-23206
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the device reports zero interfaces (either due to hardware configuration or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) instead of NULL. Later in dpaa2_switch_probe(), the NAPI initialization unconditionally accesses ethsw... • https://git.kernel.org/stable/c/0b1b71370458860579831e77485883fcf2e8fbbe •
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23205 – smb/client: fix memory leak in smb2_open_file()
https://notcve.org/view.php?id=CVE-2026-23205
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in smb2_open_file() Reproducer:
1. server: directories are exported read-only
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
4. client: umount /mnt
5. client: sleep 1
6. client: modprobe -r cifs
The error message is as follows:
============================================================================= BUG cifs_small_rq (Not tainted): O... • https://git.kernel.org/stable/c/17e53a15e64b65623b8f2b1185d27d7b1cbf69ab •
CVSS: 7.2 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-23204 – net/sched: cls_u32: use skb_header_pointer_careful()
https://notcve.org/view.php?id=CVE-2026-23204
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221 • https://git.kernel.org/stable/c/fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d •
CVSS: 5.6 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23202 – spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
https://notcve.org/view.php?id=CVE-2026-23202
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with t... • https://git.kernel.org/stable/c/88db8bb7ed1bb474618acdf05ebd4f0758d244e2 •
CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-23200 – ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
https://notcve.org/view.php?id=CVE-2026-23200
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route. [0] Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTF_ADDRCONF from existing routes when a static route with the same nexthop is added. However, this causes a problem when the existing route has a gateway. When RTF_ADDRCONF is cleared from a route t... • https://git.kernel.org/stable/c/cb2b0caa8ca93cbe39177516669bf699c74f7041 •
