CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-23340 – net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
https://notcve.org/view.php?id=CVE-2026-23340
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_... • https://git.kernel.org/stable/c/6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-23339 – nfc: nci: free skb on nci_transceive early error paths
https://notcve.org/view.php?id=CVE-2026-23339
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free skb on nci_transceive early error paths nci_transceive() takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it. Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes the nci/nci_dev selftest hits the error path occasionally in NIPA, and kmemleak detects leaks: unreferenced object 0xff11000015ce6a40 (size 640): comm "nci_dev", pid 3954, jiffie... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-23336 – wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
https://notcve.org/view.php?id=CVE-2026-23336
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0... • https://git.kernel.org/stable/c/1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-23335 – RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
https://notcve.org/view.php?id=CVE-2026-23335
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
    struct irdma_create_ah_resp {  // 8 bytes, no padding
        __u32 ah_id;    // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx)
        __u8 rsvd[4];   // offset 4 - NEVER SET <- LEAK
    };
rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata(). The reserved members of the structure were not zeroed. • https://git.kernel.org/stable/c/b48c24c2d710cf34810c555dcef883a3d35a9c08 •
CVSS: - | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-23333 – netfilter: nft_set_rbtree: validate open interval overlap
https://notcve.org/view.php?id=CVE-2026-23333
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: validate open interval overlap [ Upstream commit 648946966a08e4cb1a71619e3d1b12bd7642de7b ] Open intervals do not have an end element, in particular an open interval at the end of the set is hard to validate because it is lacking the end element, and interval validation relies on such end element to perform the checks. This patch adds a new flag field to struct nft_set_elem, this is not an issue because this is... • https://git.kernel.org/stable/c/7c84d41416d836ef7e533bd4d64ccbdf40c5ac70 •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-23330 – nfc: nci: complete pending data exchange on device close
https://notcve.org/view.php?id=CVE-2026-23330
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: complete pending data exchange on device close In nci_close_device(), complete any pending data exchange before closing. The data exchange callback (e.g. rawsock_data_exchange_complete) holds a socket reference. NIPA occasionally hits this leak: unreferenced object 0xff1100000f435000 (size 2048): comm "nci_dev", pid 3954, jiffies 4295441245 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................... • https://git.kernel.org/stable/c/38f04c6b1b682f1879441e2925403ad9aff9e229 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-23324 – can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
https://notcve.org/view.php?id=CVE-2026-23324
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: can: usb: etas_es58x: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_kill_anchored_urbs() is called. This logic is correctly done elsewhere in the driver, except in the read bulk callback so do that here also. • https://git.kernel.org/stable/c/8537257874e949a59c834cecfd5a063e11b64b0b •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-23320 – usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
https://notcve.org/view.php?id=CVE-2026-23320
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind Currently, the net_device is allocated in ncm_alloc_inst() and freed in ncm_free_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind). This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling ... • https://git.kernel.org/stable/c/40d133d7f542616cf9538508a372306e626a16e9 •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-23318 – ALSA: usb-audio: Use correct version for UAC3 header validation
https://notcve.org/view.php?id=CVE-2026-23318
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 head... • https://git.kernel.org/stable/c/57f8770620e9b51c61089751f0b5ad3dbe376ff2 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-23315 – wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
https://notcve.org/view.php?id=CVE-2026-23315
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. [fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag] • https://git.kernel.org/stable/c/577dbc6c656da6997dddc6cf842b7954588f2d4e •
