CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23452 – PM: runtime: Fix a race condition related to device removal
https://notcve.org/view.php?id=CVE-2026-23452
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by ... • https://git.kernel.org/stable/c/5e928f77a09a07f9dd595bb8a489965d69a83458 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23449 – net/sched: teql: Fix double-free in teql_master_xmit
https://notcve.org/view.php?id=CVE-2026-23449
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following: [ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 [ 238.029749][ T318] [ 238.029... • https://git.kernel.org/stable/c/96009c7d500efdd5534e83b2e3eb2c58d4b137ae •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23448 – net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
https://notcve.org/view.php?id=CVE-2026-23448
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) but the second check omits it: if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) This validates the DPE array size against... • https://git.kernel.org/stable/c/ff06ab13a4ccae4acb44a2d4e3ece367b616ab50 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23447 – net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
https://notcve.org/view.php?id=CVE-2026-23447
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array s... • https://git.kernel.org/stable/c/0fa81b304a7973a499f844176ca031109487dd31 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23446 – net: usb: aqc111: Do not perform PM inside suspend callback
https://notcve.org/view.php?id=CVE-2026-23446
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get(... • https://git.kernel.org/stable/c/e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23444 – wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
https://notcve.org/view.php?id=CVE-2026-23444
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac802... • https://git.kernel.org/stable/c/06be6b149f7e406bcf16098567f5a6c9f042bced •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23442 – ipv6: add NULL checks for idev in SRv6 paths
https://notcve.org/view.php?id=CVE-2026-23442
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths __in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences. • https://git.kernel.org/stable/c/1ababeba4a21f3dba3da3523c670b207fb2feb62 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23439 – udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
https://notcve.org/view.php?id=CVE-2026-23439
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference. The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit ... • https://git.kernel.org/stable/c/fd384412e199b62c3ddaabd18dce86d0e164c5b9 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23438 – net: mvpp2: guard flow control update with global_tx_fc in buffer switching
https://notcve.org/view.php?id=CVE-2026-23438
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with global_tx_fc in buffer switching mvpp2_bm_switch_buffers() unconditionally calls mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and shared buffer pool modes. This function programs CM3 flow control registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference priv->cm3_base without any NULL check. When the CM3 SRAM resource is not present in the device tree (the third reg entry... • https://git.kernel.org/stable/c/3a616b92a9d17448d96a33bf58e69f01457fd43a •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23434 – mtd: rawnand: serialize lock/unlock against other NAND operations
https://notcve.org/view.php?id=CVE-2026-23434
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_... • https://git.kernel.org/stable/c/92270086b7e5ada7ab381c06cc3da2e95ed17088 •