CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23222 – crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly
https://notcve.org/view.php?id=CVE-2026-23222
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly The existing allocation of scatterlists in omap_crypto_copy_sg_lists() was allocating an array of scatterlist pointers, not scatterlist objects, resulting in a 4x too small allocation. Use sizeof(*new_sg) to get the correct object size. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or informatio... • https://git.kernel.org/stable/c/74ed87e7e7f7197137164738dd0610ccd5ec5ed1 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23223 – xfs: fix UAF in xchk_btree_check_block_owner
https://notcve.org/view.php?id=CVE-2026-23223
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: fix UAF in xchk_btree_check_block_owner We cannot dereference bs->cur when trying to determine if bs->cur aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed. Fix this by sampling before type before any freeing could happen. The correct temporal ordering was broken when we removed xfs_btnum_t. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or inf... • https://git.kernel.org/stable/c/ec793e690f801d97a7ae2a0d429fea1fee4d44aa •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23224 – erofs: fix UAF issue for file-backed mounts w/ directio option
https://notcve.org/view.php?id=CVE-2026-23224
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: erofs: fix UAF issue for file-backed mounts w/ directio option [ 9.269940][ T3222] Call trace: [ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108 [ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198 [ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180 [ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24 [ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac [ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220 [ 9.270083][ T3222] filemap_read_folio+... • https://git.kernel.org/stable/c/fb176750266a3d7f42ebdcf28e8ba40350b27847 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23228 – smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()
https://notcve.org/view.php?id=CVE-2026-23228
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter. Replace free_transport() with ksmbd_tcp_disconnect(). Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the ... • https://git.kernel.org/stable/c/4210c3555db4b38bade92331b153e583261f05f9 •
CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2026-23229 – crypto: virtio - Add spinlock protection with virtqueue notification
https://notcve.org/view.php?id=CVE-2026-23229
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: virtio - Add spinlock protection with virtqueue notification When VM boots with one virtio-crypto PCI device and builtin backend, run openssl benchmark command with multiple processes, such as openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32 openssl processes will hangup and there is error reported like this: virtio_crypto virtio0: dataq.0:id 3 is not a head! It seems that the data virtqueue need protection when it... • https://git.kernel.org/stable/c/0eb69890e86775d178452880ea0d24384c5ccedf •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23230 – smb: client: split cached_fid bitfields to avoid shared-byte RMW races
https://notcve.org/view.php?id=CVE-2026-23230
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: split cached_fid bitfields to avoid shared-byte RMW races is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others. A possible interleaving is: CPU1: load old byte (has_lea... • https://git.kernel.org/stable/c/ebe98f1447bbccf8228335c62d86af02a0ed23f7 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23210 – ice: Fix PTP NULL pointer dereference during VSI rebuild
https://notcve.org/view.php?id=CVE-2026-23210
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ice: Fix PTP NULL pointer dereference during VSI rebuild Fix race condition where PTP periodic work runs while VSI is being rebuilt, accessing NULL vsi->rx_rings. The sequence was: 1. ice_ptp_prepare_for_reset() cancels PTP work 2. ice_ptp_rebuild() immediately queues PTP work 3. VSI rebuild happens AFTER ice_ptp_rebuild() 4. PTP work runs and accesses NULL vsi->rx_rings Fix: Keep PTP work cancelled during rebuild, only queue it after VSI r... • https://git.kernel.org/stable/c/803bef817807d2d36c930dada20c96fffae0dd19 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23209 – macvlan: fix error recovery in macvlan_common_newlink()
https://notcve.org/view.php?id=CVE-2026-23209
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 ping -c1 -I p1 1.2.3.4 He also gave a very detailed analysis: The issu... • https://git.kernel.org/stable/c/aa5fd0fb77486b8a6764ead8627baa14790e4280 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23208 – ALSA: usb-audio: Prevent excessive number of frames
https://notcve.org/view.php?id=CVE-2026-23208
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user performs a write operation to send audio data into the ALSA PCM playback stream, the calculated number of frames is packsize[0] * packets = 264, wh... • https://git.kernel.org/stable/c/02c56650f3c118d3752122996d96173d26bb13aa •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23207 – spi: tegra210-quad: Protect curr_xfer check in IRQ handler
https://notcve.org/view.php?id=CVE-2026-23207
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer = NULL spin_unlock() handle_*_xfer() spin... • https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc •