CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23462 – Bluetooth: HIDP: Fix possible UAF
https://notcve.org/view.php?id=CVE-2026-23462
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 [ 97.809947] Call Trace: ... • https://git.kernel.org/stable/c/b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23460 – net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
https://notcve.org/view.php?id=CVE-2026-23460
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time w... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23458 – netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
https://notcve.org/view.php?id=CVE-2026-23458
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ... • https://git.kernel.org/stable/c/e844a928431fa8f1359d1f4f2cef53d9b446bf52 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23457 – netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
https://notcve.org/view.php?id=CVE-2026-23457
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculat... • https://git.kernel.org/stable/c/f5b321bd37fbec9188feb1f721ab46a5ac0b35da •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23456 – netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
https://notcve.org/view.php?id=CVE-2026-23456
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a b... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23455 – netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
https://notcve.org/view.php?id=CVE-2026-23455
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23452 – PM: runtime: Fix a race condition related to device removal
https://notcve.org/view.php?id=CVE-2026-23452
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by ... • https://git.kernel.org/stable/c/5e928f77a09a07f9dd595bb8a489965d69a83458 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23449 – net/sched: teql: Fix double-free in teql_master_xmit
https://notcve.org/view.php?id=CVE-2026-23449
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following: [ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 [ 238.029749][ T318] [ 238.029... • https://git.kernel.org/stable/c/96009c7d500efdd5534e83b2e3eb2c58d4b137ae •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23448 – net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
https://notcve.org/view.php?id=CVE-2026-23448
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) but the second check omits it: if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) This validates the DPE array size against... • https://git.kernel.org/stable/c/ff06ab13a4ccae4acb44a2d4e3ece367b616ab50 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23447 – net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
https://notcve.org/view.php?id=CVE-2026-23447
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array s... • https://git.kernel.org/stable/c/0fa81b304a7973a499f844176ca031109487dd31 •