CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23058 – can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
https://notcve.org/view.php?id=CVE-2026-23058
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling... • https://git.kernel.org/stable/c/702171adeed3607ee9603ec30ce081411e36ae42 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23057 – vsock/virtio: Coalesce only linear skb
https://notcve.org/view.php?id=CVE-2026-23057
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel ... • https://git.kernel.org/stable/c/581512a6dc939ef122e49336626ae159f3b8a345 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23056 – uacce: implement mremap in uacce_vm_ops to return -EPERM
https://notcve.org/view.php?id=CVE-2026-23056
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: uacce: implement mremap in uacce_vm_ops to return -EPERM The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users. The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the default mremap method. This could lead to a risk scenario: An application might first mmap address p1, then mremap to p2, followed by m... • https://git.kernel.org/stable/c/015d239ac0142ad0e26567fd890ef8d171f13709 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71199 – iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver
https://notcve.org/view.php?id=CVE-2025-71199
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister but quite a bit later. While the work mentioned above will be used. The sequence of operations that may lead to a UAF... • https://git.kernel.org/stable/c/23ec2774f1cc168b1f32a2e0ed2709cb473bb94e •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71198 – iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection
https://notcve.org/view.php?id=CVE-2025-71198
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL event_spec field, indicating support for IIO events. However, event detection is not supported for all sensors, and if userspace tries to configure accelerometer wakeup events on a sensor device that does not support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL pointer when... • https://git.kernel.org/stable/c/b5969abfa8b8ed43ebd93479d394f664bd4a5a87 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71197 – w1: therm: Fix off-by-one buffer overflow in alarms_store
https://notcve.org/view.php?id=CVE-2025-71197
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: w1: therm: Fix off-by-one buffer overflow in alarms_store The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this b... • https://git.kernel.org/stable/c/e2c94d6f572079511945e64537eb1218643f2e68 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23055 – i2c: riic: Move suspend handling to NOIRQ phase
https://notcve.org/view.php?id=CVE-2026-23055
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: i2c: riic: Move suspend handling to NOIRQ phase Commit 53326135d0e0 ("i2c: riic: Add suspend/resume support") added suspend support for the Renesas I2C driver and following this change on RZ/G3E the following WARNING is seen on entering suspend ... [ 134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [ 134.285536] ------------[ cut here ]------------ [ 134.290298] i2c i2c-2: Transfer while suspended [ 134.29517... • https://git.kernel.org/stable/c/53326135d0e041ebe7d08bf22f82529ae69a096e •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23054 – net: hv_netvsc: reject RSS hash key programming without RX indirection table
https://notcve.org/view.php?id=CVE-2026-23054
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net: hv_netvsc: reject RSS hash key programming without RX indirection table RSS configuration requires a valid RX indirection table. When the device reports a single receive queue, rndis_filter_device_add() does not allocate an indirection table, accepting RSS hash key updates in this state leads to a hang. Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return -EOPNOTSUPP when the table is absent. This aligns set_rxfh with th... • https://git.kernel.org/stable/c/962f3fee83a4ef9010ae84dc43ae7aecb572e2a9 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23053 – NFS: Fix a deadlock involving nfs_release_folio()
https://notcve.org/view.php?id=CVE-2026-23053
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a deadlock involving nfs_release_folio() Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery waiting on kthreadd, which is attempting to reclaim memory by calling nfs_release_folio(). The latter cannot make progress due to state recovery being needed. It seems that the only safe thing to do here is to kick off a writeback of the folio, without waiting for completion, or else kicking off an asynchronous commit. Several... • https://git.kernel.org/stable/c/96780ca55e3cbf4f150fd5a833a61492c9947b5b •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23052 – ftrace: Do not over-allocate ftrace memory
https://notcve.org/view.php?id=CVE-2026-23052
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ftrace: Do not over-allocate ftrace memory The pg_remaining calculation in ftrace_process_locs() assumes that ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE (integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g. 4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages) have significantly more capacity than ... • https://git.kernel.org/stable/c/4a3efc6baff931da9a85c6d2e42c87bd9a827399 •