CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23356 – drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
https://notcve.org/view.php?id=CVE-2026-23356
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code path decided to do lc_try_lock() with bad timing. If that happened, we logged "LOGIC BUG for enr=...", but still did not return an error. The rest of the code now assumed that this request has references for the relevant activity log ext... • https://git.kernel.org/stable/c/08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23352 – x86/efi: defer freeing of boot services memory
https://notcve.org/view.php?id=CVE-2026-23352
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/efi: defer freeing of boot services memory efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE and EFI_BOOT_SERVICES_DATA using memblock_free_late(). There are two issue with that: memblock_free_late() should be used for memory allocated with memblock_alloc() while the memory reserved with memblock_reserve() should be freed with free_reserved_area(). More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y efi_free_boo... • https://git.kernel.org/stable/c/0aed459e8487eb6ebdb4efe8cefe1eafbc704b30 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23351 – netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
https://notcve.org/view.php?id=CVE-2026-23351
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. ... • https://git.kernel.org/stable/c/3c4287f62044a90e73a561aa05fc46e62da173da •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23340 – net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
https://notcve.org/view.php?id=CVE-2026-23340
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_... • https://git.kernel.org/stable/c/6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23339 – nfc: nci: free skb on nci_transceive early error paths
https://notcve.org/view.php?id=CVE-2026-23339
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free skb on nci_transceive early error paths nci_transceive() takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it. Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes the nci/nci_dev selftest hits the error path occasionally in NIPA, and kmemleak detects leaks: unreferenced object 0xff11000015ce6a40 (size 640): comm "nci_dev", pid 3954, jiffie... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23336 – wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
https://notcve.org/view.php?id=CVE-2026-23336
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0... • https://git.kernel.org/stable/c/1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3 •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2026-23333 – netfilter: nft_set_rbtree: validate open interval overlap
https://notcve.org/view.php?id=CVE-2026-23333
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: validate open interval overlap [ Upstream commit 648946966a08e4cb1a71619e3d1b12bd7642de7b ] Open intervals do not have an end element, in particular an open interval at the end of the set is hard to validate because of it is lacking the end element, and interval validation relies on such end element to perform the checks. This patch adds a new flag field to struct nft_set_elem, this is not an issue because this is... • https://git.kernel.org/stable/c/7c84d41416d836ef7e533bd4d64ccbdf40c5ac70 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23330 – nfc: nci: complete pending data exchange on device close
https://notcve.org/view.php?id=CVE-2026-23330
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: complete pending data exchange on device close In nci_close_device(), complete any pending data exchange before closing. The data exchange callback (e.g. rawsock_data_exchange_complete) holds a socket reference. NIPA occasionally hits this leak: unreferenced object 0xff1100000f435000 (size 2048): comm "nci_dev", pid 3954, jiffies 4295441245 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................... • https://git.kernel.org/stable/c/38f04c6b1b682f1879441e2925403ad9aff9e229 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23320 – usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
https://notcve.org/view.php?id=CVE-2026-23320
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind Currently, the net_device is allocated in ncm_alloc_inst() and freed in ncm_free_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind). This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling ... • https://git.kernel.org/stable/c/40d133d7f542616cf9538508a372306e626a16e9 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23318 – ALSA: usb-audio: Use correct version for UAC3 header validation
https://notcve.org/view.php?id=CVE-2026-23318
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 head... • https://git.kernel.org/stable/c/57f8770620e9b51c61089751f0b5ad3dbe376ff2 •