CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23230 – smb: client: split cached_fid bitfields to avoid shared-byte RMW races
https://notcve.org/view.php?id=CVE-2026-23230
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: split cached_fid bitfields to avoid shared-byte RMW races is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others. A possible interleaving is: CPU1: load old byte (has_lea... • https://git.kernel.org/stable/c/ebe98f1447bbccf8228335c62d86af02a0ed23f7 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23209 – macvlan: fix error recovery in macvlan_common_newlink()
https://notcve.org/view.php?id=CVE-2026-23209
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: The issu... • https://git.kernel.org/stable/c/aa5fd0fb77486b8a6764ead8627baa14790e4280 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23208 – ALSA: usb-audio: Prevent excessive number of frames
https://notcve.org/view.php?id=CVE-2026-23208
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, wh... • https://git.kernel.org/stable/c/02c56650f3c118d3752122996d96173d26bb13aa •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23207 – spi: tegra210-quad: Protect curr_xfer check in IRQ handler
https://notcve.org/view.php?id=CVE-2026-23207
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin... • https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23206 – dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
https://notcve.org/view.php?id=CVE-2026-23206
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero The driver allocates arrays for ports, FDBs, and filter blocks using kcalloc() with ethsw->sw_attr.num_ifs as the element count. When the device reports zero interfaces (either due to hardware configuration or firmware issues), kcalloc(0, ...) returns ZERO_SIZE_PTR (0x10) instead of NULL. Later in dpaa2_switch_probe(), the NAPI initialization unconditionally accesses ethsw... • https://git.kernel.org/stable/c/0b1b71370458860579831e77485883fcf2e8fbbe •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23205 – smb/client: fix memory leak in smb2_open_file()
https://notcve.org/view.php?id=CVE-2026-23205
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in smb2_open_file() Reproducer: 1. server: directories are exported read-only 2. client: mount -t cifs //${server_ip}/export /mnt 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct 4. client: umount /mnt 5. client: sleep 1 6. client: modprobe -r cifs The error message is as follows: ============================================================================= BUG cifs_small_rq (Not tainted): O... • https://git.kernel.org/stable/c/17e53a15e64b65623b8f2b1185d27d7b1cbf69ab •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23204 – net/sched: cls_u32: use skb_header_pointer_careful()
https://notcve.org/view.php?id=CVE-2026-23204
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221 In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_hea... • https://git.kernel.org/stable/c/fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23202 – spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
https://notcve.org/view.php?id=CVE-2026-23202
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with t... • https://git.kernel.org/stable/c/88db8bb7ed1bb474618acdf05ebd4f0758d244e2 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23198 – KVM: Don't clobber irqfd routing type when deassigning irqfd
https://notcve.org/view.php?id=CVE-2026-23198
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to handle a concurrent routing update, verify that the irqfd is still active before consuming the routing information. As evidenced by the x86 and arm64 bugs, and anot... • https://git.kernel.org/stable/c/f70c20aaf141adb715a2d750c55154073b02a9c3 •
CVSS: 7.0EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23193 – scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
https://notcve.org/view.php?id=CVE-2026-23193
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute s... • https://git.kernel.org/stable/c/e48354ce078c079996f89d715dfa44814b4eba01 •