CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-22993 – idpf: Fix RSS LUT NULL ptr issue after soft reset
https://notcve.org/view.php?id=CVE-2026-22993
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count... • https://git.kernel.org/stable/c/02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-22992 – libceph: return the handler error from mon_handle_auth_done()
https://notcve.org/view.php?id=CVE-2026-22992
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the se... • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22991 – libceph: make free_choose_arg_map() resilient to partial allocation
https://notcve.org/view.php?id=CVE-2026-22991
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->ar... • https://git.kernel.org/stable/c/5cf9c4a9959b6273675310d14a834ef14fbca37c •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22990 – libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
https://notcve.org/view.php?id=CVE-2026-22990
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted su... • https://git.kernel.org/stable/c/f24e9980eb860d8600cbe5ef3d2fd9295320d229 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2026-22989 – nfsd: check that server is running in unlock_filesystem
https://notcve.org/view.php?id=CVE-2026-22989
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: nfsd: check that server is running in unlock_filesystem If we are trying to unlock the filesystem via an administrative interface and nfsd isn't running, it crashes the server. This happens currently because nfsd4_revoke_states() access state structures (eg., conf_id_hashtbl) that has been freed as a part of the server shutdown. [ 59.465072] Call trace: [ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P) [ 59.465830] write_unlock_fs+0x2... • https://git.kernel.org/stable/c/1ac3629bf012592cb0320e52a1cceb319a05ad17 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-22988 – arp: do not assume dev_hard_header() does not change skb->head
https://notcve.org/view.php?id=CVE-2026-22988
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making... • https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2026-22986 – gpiolib: fix race condition for gdev->srcu
https://notcve.org/view.php?id=CVE-2026-22986
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix race condition for gdev->srcu If two drivers were calling gpiochip_add_data_with_key(), one may be traversing the srcu-protected list in gpio_name_to_desc(), meanwhile other has just added its gdev in gpiodev_add_to_list_unlocked(). This creates a non-mutexed and non-protected timeframe, when one instance is dereferencing and using &gdev->srcu, before the other has initialized it, resulting in crash: [ 4.935481] Unable to handl... • https://git.kernel.org/stable/c/47d8b4c1d868148c8fb51b785a89e58ca2d02c4d •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-22985 – idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
https://notcve.org/view.php?id=CVE-2026-22985
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interfa... • https://git.kernel.org/stable/c/a251eee62133774cf35ff829041377e721ef9c8c •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2026-22984 – libceph: prevent potential out-of-bounds reads in handle_auth_done()
https://notcve.org/view.php?id=CVE-2026-22984
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ id... • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-22982 – net: mscc: ocelot: Fix crash when adding interface under a lag
https://notcve.org/view.php?id=CVE-2026-22982
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. T... • https://git.kernel.org/stable/c/528d3f190c98c8f7d9581f68db4af021696727b2 •