CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23200 – ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
https://notcve.org/view.php?id=CVE-2026-23200
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route. [0] Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTF_ADDRCONF from existing routes when a static route with the same nexthop is added. However, this causes a problem when the existing route has a gateway. When RTF_ADDRCONF is cleared from a route t... • https://git.kernel.org/stable/c/cb2b0caa8ca93cbe39177516669bf699c74f7041 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23198 – KVM: Don't clobber irqfd routing type when deassigning irqfd
https://notcve.org/view.php?id=CVE-2026-23198
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to handle a concurrent routing update, verify that the irqfd is still active before consuming the routing information. As evidenced by the x86 and arm64 bugs, and anot... • https://git.kernel.org/stable/c/f70c20aaf141adb715a2d750c55154073b02a9c3 •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23193 – scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
https://notcve.org/view.php?id=CVE-2026-23193
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock. Similar to the connection usage count logic, the waiter signaled by complete() (e.g., in the session release path) may wake up and free the iscsit_session structure immediately. This creates a race condition where the current thread may attempt to execute s... • https://git.kernel.org/stable/c/e48354ce078c079996f89d715dfa44814b4eba01 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23191 – ALSA: aloop: Fix racy access at PCM trigger
https://notcve.org/view.php?id=CVE-2026-23191
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers. For addressing the UAF, this patch changes two things:... • https://git.kernel.org/stable/c/b1c73fc8e697eb73e23603e465e9af2711ed4183 •
CVSS: 6.6EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23190 – ASoC: amd: fix memory leak in acp3x pdm dma ops
https://notcve.org/view.php?id=CVE-2026-23190
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: fix memory leak in acp3x pdm dma ops Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the stable distribution (trixie), these problems have been fixed in version 6.12.73-1. • https://git.kernel.org/stable/c/4a767b1d039a855c491c4853013804323c06f728 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23187 – pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains
https://notcve.org/view.php?id=CVE-2026-23187
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove(). Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. For the stable distribution (trixie), these problems have been fixed in version 6.12.73-1. • https://git.kernel.org/stable/c/2684ac05a8c4d2d5c49e6c11eb6206b30a284813 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23182 – spi: tegra: Fix a memory leak in tegra_slink_probe()
https://notcve.org/view.php?id=CVE-2026-23182
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe() In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak. Replace it with a goto label to ensure proper cleanup. In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe() In tegra_slink_probe(), when platform_get_irq() fails, it directly returns... • https://git.kernel.org/stable/c/b64683f5d7282f7b160e9867e33cdac00b5c792b •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23180 – dpaa2-switch: add bounds check for if_id in IRQ handler
https://notcve.org/view.php?id=CVE-2026-23180
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: add bounds check for if_id in IRQ handler The IRQ handler extracts if_id from the upper 16 bits of the hardware status register and uses it to index into ethsw->ports[] without validation. Since if_id can be any 16-bit value (0-65535) but the ports array is only allocated with sw_attr.num_ifs elements, this can lead to an out-of-bounds read potentially. Add a bounds check before accessing the array, consistent with the existin... • https://git.kernel.org/stable/c/24ab724f8a4661b2dc8e696b41df93bdc108f7a1 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23179 – nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()
https://notcve.org/view.php?id=CVE-2026-23179
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() When the socket is closed while in TCP_LISTEN a callback is run to flush all outstanding packets, which in turns calls nvmet_tcp_listen_data_ready() with the sk_callback_lock held. So we need to check if we are in TCP_LISTEN before attempting to get the sk_callback_lock() to avoid a deadlock. In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fixup hang in nv... • https://git.kernel.org/stable/c/675b453e024154dd547921c6e6d5b58747ba7e0e •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23178 – HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
https://notcve.org/view.php?id=CVE-2026-23178
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set `max_buffer_size` field of `struct hid_ll_driver` which we do not). The latter has size determined at runtime by the maximum size of differen... • https://git.kernel.org/stable/c/85df713377ddc0482071c3e6b64c37bd1e48f1f1 •