CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23348 – cxl: Fix race of nvdimm_bus object when creating nvdimm objects
https://notcve.org/view.php?id=CVE-2026-23348
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: cxl: Fix race of nvdimm_bus object when creating nvdimm objects Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consistently. The cxl_translate module has dependency on cxl_acpi and causes orphaned nvdimm objects to reprobe after cxl_acpi is removed. The nvdimm_bus object is registered by the cxl_nvb object when cxl_acpi_probe() is called. With the nv... • https://git.kernel.org/stable/c/8fdcb1704f61a8fd9be0f3849a174d084def0666 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23346 – arm64: io: Extract user memory type in ioremap_prot()
https://notcve.org/view.php?id=CVE-2026-23346
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: arm64: io: Extract user memory type in ioremap_prot() The only caller of ioremap_prot() outside of the generic ioremap() implementation is generic_access_phys(), which passes a 'pgprot_t' value determined from the user mapping of the target 'pfn' being accessed by the kernel. On arm64, the 'pgprot_t' contains all of the non-address bits from the pte, including the permission controls, and so we end up returning a new user mapping from iorem... • https://git.kernel.org/stable/c/893dea9ccd08dab924839354aba21d4ed7a9abc0 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23343 – xdp: produce a warning when calculated tailroom is negative
https://notcve.org/view.php?id=CVE-2026-23343
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely bpf_xdp_frags_increase_tail(), clearly expects a truesize. Such difference leads to unspecific memory corruption issues under certain circumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when running xskxceiver's XDP_ADJUST_TAIL_GROW_MUL... • https://git.kernel.org/stable/c/bf25146a5595269810b1f47d048f114c5ff9f544 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23340 – net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
https://notcve.org/view.php?id=CVE-2026-23340
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_... • https://git.kernel.org/stable/c/6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23339 – nfc: nci: free skb on nci_transceive early error paths
https://notcve.org/view.php?id=CVE-2026-23339
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free skb on nci_transceive early error paths nci_transceive() takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it. Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes the nci/nci_dev selftest hits the error path occasionally in NIPA, and kmemleak detects leaks: unreferenced object 0xff11000015ce6a40 (size 640): comm "nci_dev", pid 3954, jiffie... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23336 – wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
https://notcve.org/view.php?id=CVE-2026-23336
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0... • https://git.kernel.org/stable/c/1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23335 – RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
https://notcve.org/view.php?id=CVE-2026-23335
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() struct irdma_create_ah_resp { // 8 bytes, no padding __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx) __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK }; rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata(). The reserved members of the structure were not zeroed. • https://git.kernel.org/stable/c/b48c24c2d710cf34810c555dcef883a3d35a9c08 •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2026-23333 – netfilter: nft_set_rbtree: validate open interval overlap
https://notcve.org/view.php?id=CVE-2026-23333
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: validate open interval overlap [ Upstream commit 648946966a08e4cb1a71619e3d1b12bd7642de7b ] Open intervals do not have an end element, in particular an open interval at the end of the set is hard to validate because of it is lacking the end element, and interval validation relies on such end element to perform the checks. This patch adds a new flag field to struct nft_set_elem, this is not an issue because this is... • https://git.kernel.org/stable/c/7c84d41416d836ef7e533bd4d64ccbdf40c5ac70 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23330 – nfc: nci: complete pending data exchange on device close
https://notcve.org/view.php?id=CVE-2026-23330
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: complete pending data exchange on device close In nci_close_device(), complete any pending data exchange before closing. The data exchange callback (e.g. rawsock_data_exchange_complete) holds a socket reference. NIPA occasionally hits this leak: unreferenced object 0xff1100000f435000 (size 2048): comm "nci_dev", pid 3954, jiffies 4295441245 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................... • https://git.kernel.org/stable/c/38f04c6b1b682f1879441e2925403ad9aff9e229 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23327 – cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()
https://notcve.org/view.php?id=CVE-2026-23327
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() cxl_payload_from_user_allowed() casts and dereferences the input payload without first verifying its size. When a raw mailbox command is sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG, which expects a 16-byte UUID), uuid_equal() reads past the allocated buffer, triggering a KASAN splat: BUG: KASAN: slab-out-of-bounds in memcmp... • https://git.kernel.org/stable/c/6179045ccc0c6229dc449afc1701dc7fbd40571f •