CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23446 – net: usb: aqc111: Do not perform PM inside suspend callback
https://notcve.org/view.php?id=CVE-2026-23446
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get(... • https://git.kernel.org/stable/c/e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23444 – wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
https://notcve.org/view.php?id=CVE-2026-23444
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac802... • https://git.kernel.org/stable/c/06be6b149f7e406bcf16098567f5a6c9f042bced •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23442 – ipv6: add NULL checks for idev in SRv6 paths
https://notcve.org/view.php?id=CVE-2026-23442
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths __in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences. • https://git.kernel.org/stable/c/1ababeba4a21f3dba3da3523c670b207fb2feb62 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23439 – udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
https://notcve.org/view.php?id=CVE-2026-23439
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference. The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit ... • https://git.kernel.org/stable/c/fd384412e199b62c3ddaabd18dce86d0e164c5b9 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23420 – wifi: wlcore: Fix a locking bug
https://notcve.org/view.php?id=CVE-2026-23420
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: Fix a locking bug Make sure that wl->mutex is locked before it is unlocked. This has been detected by the Clang thread-safety analyzer. • https://git.kernel.org/stable/c/45aa7f071b06c8481afed4c7b93e07c9584741e8 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23411 – apparmor: fix race between freeing data and fs accessing it
https://notcve.org/view.php?id=CVE-2026-23411
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can aand does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/... • https://git.kernel.org/stable/c/c961ee5f21b202dea60b63eeef945730d92e46a6 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23410 – apparmor: fix race on rawdata dereference
https://notcve.org/view.php?id=CVE-2026-23410
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling poi... • https://git.kernel.org/stable/c/5d5182cae40115c03933989473288e54afb39c7c •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23409 – apparmor: fix differential encoding verification
https://notcve.org/view.php?id=CVE-2026-23409
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix differential encoding verification Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being ver... • https://git.kernel.org/stable/c/031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23407 – apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
https://notcve.org/view.php?id=CVE-2026-23407
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix missing bounds check on DEFAULT table in verify_dfa() The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded. When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes. [ 57.179855] ... • https://git.kernel.org/stable/c/031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23406 – apparmor: fix side-effect bug in match_char() macro usage
https://notcve.org/view.php?id=CVE-2026-23406
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix side-effect bug in match_char() macro usage The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past ... • https://git.kernel.org/stable/c/074c1cd798cb0b481d7eaa749b64aa416563c053 •