CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23458 – netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
https://notcve.org/view.php?id=CVE-2026-23458
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ... • https://git.kernel.org/stable/c/e844a928431fa8f1359d1f4f2cef53d9b446bf52 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23457 – netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
https://notcve.org/view.php?id=CVE-2026-23457
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculat... • https://git.kernel.org/stable/c/f5b321bd37fbec9188feb1f721ab46a5ac0b35da •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23456 – netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
https://notcve.org/view.php?id=CVE-2026-23456
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a b... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23455 – netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
https://notcve.org/view.php?id=CVE-2026-23455
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23454 – net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
https://notcve.org/view.php?id=CVE-2026-23454
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp(). mana_smc_teardown_hwc() signals t... • https://git.kernel.org/stable/c/ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23452 – PM: runtime: Fix a race condition related to device removal
https://notcve.org/view.php?id=CVE-2026-23452
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by ... • https://git.kernel.org/stable/c/5e928f77a09a07f9dd595bb8a489965d69a83458 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23450 – net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
https://notcve.org/view.php?id=CVE-2026-23450
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_ca... • https://git.kernel.org/stable/c/8270d9c21041470f58348248b9d9dcf3bf79592e •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23449 – net/sched: teql: Fix double-free in teql_master_xmit
https://notcve.org/view.php?id=CVE-2026-23449
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following: [ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 [ 238.029749][ T318] [ 238.029... • https://git.kernel.org/stable/c/96009c7d500efdd5534e83b2e3eb2c58d4b137ae •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23448 – net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
https://notcve.org/view.php?id=CVE-2026-23448
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) but the second check omits it: if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) This validates the DPE array size against... • https://git.kernel.org/stable/c/ff06ab13a4ccae4acb44a2d4e3ece367b616ab50 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23447 – net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
https://notcve.org/view.php?id=CVE-2026-23447
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array s... • https://git.kernel.org/stable/c/0fa81b304a7973a499f844176ca031109487dd31 •