CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23016 – inet: frags: drop fraglist conntrack references
https://notcve.org/view.php?id=CVE-2026-23016
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: inet: frags: drop fraglist conntrack references Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging leaked skbs/conntrack references more obvious. syzbot reports this as triggering, and I can also reproduce this via ip_defrag.sh selftest: conntrack cleanup blocked for 60s WARNING: net/netfilter/nf_conntrack_core.c:2512 [..] conntrack clenups gets stuck because there are skbs with still hold nf_conn references via thei... • https://git.kernel.org/stable/c/6471658dc66c670580a7616e75f51b52917e7883 •
CVSS: 5.6EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23015 – gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths
https://notcve.org/view.php?id=CVE-2026-23015
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths The reference obtained by calling usb_get_dev() is not released in the gpio_mpsse_probe() error paths. Fix that by using device managed helper functions. Also remove the usb_put_dev() call in the disconnect function since now it will be released automatically. In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: fix reference leak in gpio_mpsse_pro... • https://git.kernel.org/stable/c/c46a74ff05c0ac76ba11ef21c930c3b447abf31a •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71184 – btrfs: fix NULL dereference on root when tracing inode eviction
https://notcve.org/view.php?id=CVE-2025-71184
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_inode(). Hence, we either should set the ->root_objectid to 0 in case the root is NULL, or we move tracing setup after checking that the root is not NULL. Setting ... • https://git.kernel.org/stable/c/1abe9b8a138c9988ba8f7bfded6453649a31541f •
CVSS: 6.3EPSS: 0%CPEs: 9EXPL: 0CVE-2025-71183 – btrfs: always detect conflicting inodes when logging inode refs
https://notcve.org/view.php?id=CVE-2025-71183
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only of the inodes and after a power failure that can result in an attempt to delete the other inode when it should not because it was not deleted before the power fail... • https://git.kernel.org/stable/c/56f23fdbb600e6087db7b009775b95ce07cc3195 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71182 – can: j1939: make j1939_session_activate() fail if device is no longer registered
https://notcve.org/view.php?id=CVE-2025-71182
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 even after commit 93a27b5891b8 ("can: j1939: add missing calls in NETDEV_UNREGISTER notification handler") was added. A debug printk() patch found that j1939_session_activate() can succeed even after j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNR... • https://git.kernel.org/stable/c/9d71dd0c70099914fcd063135da3c580865e924c •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71181 – rust_binder: remove spin_lock() in rust_shrink_free_page()
https://notcve.org/view.php?id=CVE-2025-71181
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: rust_binder: remove spin_lock() in rust_shrink_free_page() When forward-porting Rust Binder to 6.18, I neglected to take commit fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") into account, and apparently I did not end up running the shrinker callback when I sanity tested the driver before submission. This leads to crashes like the following: ============================================ WARNING: possible recursive locking d... • https://git.kernel.org/stable/c/eafedbc7c050c44744fbdf80bdf3315e860b7513 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71180 – counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
https://notcve.org/view.php?id=CVE-2025-71180
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as CONFIG_PROVE_RAW_LOCK_NESTING warns: ============================= [ BUG: Invalid wait context ] 6.18.0-rc1+git... #1 ----------------------------- some-user-space-process/1251 is trying to lock: (&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter] other info that might help us debug this: context-{2:2... • https://git.kernel.org/stable/c/a55ebd47f21f6f0472766fb52c973849e31d1466 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23014 – perf: Ensure swevent hrtimer is properly destroyed
https://notcve.org/view.php?id=CVE-2026-23014
28 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler. In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroye... • https://git.kernel.org/stable/c/eb3182ef0405ff2f6668fd3e5ff9883f60ce8801 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23013 – net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
https://notcve.org/view.php?id=CVE-2026-23013
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or cras... • https://git.kernel.org/stable/c/1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23012 – mm/damon/core: remove call_control in inactive contexts
https://notcve.org/view.php?id=CVE-2026-23012
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the ca... • https://git.kernel.org/stable/c/004ded6bee11b8ed463cdc54b89a4390f4b64f6d •