CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23455 – netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
https://notcve.org/view.php?id=CVE-2026-23455
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23454 – net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
https://notcve.org/view.php?id=CVE-2026-23454
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp(). mana_smc_teardown_hwc() signals t... • https://git.kernel.org/stable/c/ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23452 – PM: runtime: Fix a race condition related to device removal
https://notcve.org/view.php?id=CVE-2026-23452
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by ... • https://git.kernel.org/stable/c/5e928f77a09a07f9dd595bb8a489965d69a83458 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23450 – net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
https://notcve.org/view.php?id=CVE-2026-23450
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_ca... • https://git.kernel.org/stable/c/8270d9c21041470f58348248b9d9dcf3bf79592e •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23449 – net/sched: teql: Fix double-free in teql_master_xmit
https://notcve.org/view.php?id=CVE-2026-23449
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following: [ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 [ 238.029749][ T318] [ 238.029... • https://git.kernel.org/stable/c/96009c7d500efdd5534e83b2e3eb2c58d4b137ae •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23448 – net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
https://notcve.org/view.php?id=CVE-2026-23448
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) but the second check omits it: if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) This validates the DPE array size against... • https://git.kernel.org/stable/c/ff06ab13a4ccae4acb44a2d4e3ece367b616ab50 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23447 – net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
https://notcve.org/view.php?id=CVE-2026-23447
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array s... • https://git.kernel.org/stable/c/0fa81b304a7973a499f844176ca031109487dd31 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23446 – net: usb: aqc111: Do not perform PM inside suspend callback
https://notcve.org/view.php?id=CVE-2026-23446
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get(... • https://git.kernel.org/stable/c/e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23444 – wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
https://notcve.org/view.php?id=CVE-2026-23444
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac802... • https://git.kernel.org/stable/c/06be6b149f7e406bcf16098567f5a6c9f042bced •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23443 – ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
https://notcve.org/view.php?id=CVE-2026-23443
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()"), device pointers may be dereferenced after dropping references to the device objects pointed to by them, which may cause a use-after-free to occur. Moreover, debug messages about enabling the errata may be printed if the errata flags corresponding to them are unset. Addre... • https://git.kernel.org/stable/c/ad86ac604f8391c0212a91412d4f764c7a85f254 •