CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23098 – netrom: fix double-free in nr_route_frame()
https://notcve.org/view.php?id=CVE-2026-23098
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb. Several vulnerabilities have been discovered in the Linux kernel that may l... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23089 – ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
https://notcve.org/view.php?id=CVE-2026-23089
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixe... • https://git.kernel.org/stable/c/6639b6c2367f884ca172b78d69f7da17bfab2e5e •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23076 – ALSA: ctxfi: Fix potential OOB access in audio mixer handling
https://notcve.org/view.php?id=CVE-2026-23076
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB access in audio mixer handling In the audio mixer handling code of ctxfi driver, the conf field is used as a kind of loop index, and it's referred in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code causes OOB access at those functions. | UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48 | index 8 is... • https://git.kernel.org/stable/c/8cc72361481f00253f1e468ade5795427386d593 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23075 – can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
https://notcve.org/view.php?id=CVE-2026-23075
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In esd_usb_close() the URBs are freed by calling... • https://git.kernel.org/stable/c/96d8e90382dc336b5de401164597edfdc2e8d9f1 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23074 – net/sched: Enforce that teql can only be used as root qdisc
https://notcve.org/view.php?id=CVE-2026-23074
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23058 – can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
https://notcve.org/view.php?id=CVE-2026-23058
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling... • https://git.kernel.org/stable/c/702171adeed3607ee9603ec30ce081411e36ae42 •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71184 – btrfs: fix NULL dereference on root when tracing inode eviction
https://notcve.org/view.php?id=CVE-2025-71184
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_inode(). Hence, we either should set the ->root_objectid to 0 in case the root is NULL, or we move tracing setup after checking that the root is not NULL. Setting ... • https://git.kernel.org/stable/c/1abe9b8a138c9988ba8f7bfded6453649a31541f •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22990 – libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
https://notcve.org/view.php?id=CVE-2026-22990
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted su... • https://git.kernel.org/stable/c/f24e9980eb860d8600cbe5ef3d2fd9295320d229 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22978 – wifi: avoid kernel-infoleak from struct iw_point
https://notcve.org/view.php?id=CVE-2026-22978
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. In the Linux kernel, the following vulnerability has been resolved: wifi: avoid ke... • https://git.kernel.org/stable/c/87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22976 – net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
https://notcve.org/view.php?id=CVE-2026-22976
21 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_ne... • https://git.kernel.org/stable/c/0545a3037773512d3448557ba048cebb73b3e4af •