CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23468 – drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
https://notcve.org/view.php?id=CVE-2026-23468
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which... • https://git.kernel.org/stable/c/d38ceaf99ed015f2a0b9af3499791bd3a3daae21 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23465 – btrfs: log new dentries when logging parent dir of a conflicting inode
https://notcve.org/view.php?id=CVE-2026-23465
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: log new dentries when logging parent dir of a conflicting inode If we log the parent directory of a conflicting inode, we are not logging the new dentries of the directory, so when we finish we have the parent directory's inode marked as logged but we did not log its new dentries. As a consequence if the parent directory is explicitly fsynced later and it does not have any new changes since we logged it, the fsync is a no-op and afte... • https://git.kernel.org/stable/c/a3baaf0d786e22fc86295fda9c58ba0dee07599f •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23463 – soc: fsl: qbman: fix race condition in qman_destroy_fq
https://notcve.org/view.php?id=CVE-2026-23463
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_... • https://git.kernel.org/stable/c/c535e923bb97a4b361e89a6383693482057f8b0c •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23462 – Bluetooth: HIDP: Fix possible UAF
https://notcve.org/view.php?id=CVE-2026-23462
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 [ 97.809947] Call Trace: ... • https://git.kernel.org/stable/c/b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23460 – net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
https://notcve.org/view.php?id=CVE-2026-23460
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time w... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23458 – netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
https://notcve.org/view.php?id=CVE-2026-23458
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ... • https://git.kernel.org/stable/c/e844a928431fa8f1359d1f4f2cef53d9b446bf52 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23457 – netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
https://notcve.org/view.php?id=CVE-2026-23457
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculat... • https://git.kernel.org/stable/c/f5b321bd37fbec9188feb1f721ab46a5ac0b35da •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23456 – netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
https://notcve.org/view.php?id=CVE-2026-23456
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a b... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23455 – netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
https://notcve.org/view.php?id=CVE-2026-23455
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23452 – PM: runtime: Fix a race condition related to device removal
https://notcve.org/view.php?id=CVE-2026-23452
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by ... • https://git.kernel.org/stable/c/5e928f77a09a07f9dd595bb8a489965d69a83458 •