CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23356 – drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
https://notcve.org/view.php?id=CVE-2026-23356
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code path decided to do lc_try_lock() with bad timing. If that happened, we logged "LOGIC BUG for enr=...", but still did not return an error. The rest of the code now assumed that this request has references for the relevant activity log ext... • https://git.kernel.org/stable/c/08a1ddab6df7d3c7b6341774cb1cf4b21b96a214 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23352 – x86/efi: defer freeing of boot services memory
https://notcve.org/view.php?id=CVE-2026-23352
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/efi: defer freeing of boot services memory efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE and EFI_BOOT_SERVICES_DATA using memblock_free_late(). There are two issue with that: memblock_free_late() should be used for memory allocated with memblock_alloc() while the memory reserved with memblock_reserve() should be freed with free_reserved_area(). More acutely, with CONFIG_DEFERRED_STRUCT_PAGE_INIT=y efi_free_boo... • https://git.kernel.org/stable/c/0aed459e8487eb6ebdb4efe8cefe1eafbc704b30 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23351 – netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
https://notcve.org/view.php?id=CVE-2026-23351
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. ... • https://git.kernel.org/stable/c/3c4287f62044a90e73a561aa05fc46e62da173da •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23348 – cxl: Fix race of nvdimm_bus object when creating nvdimm objects
https://notcve.org/view.php?id=CVE-2026-23348
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: cxl: Fix race of nvdimm_bus object when creating nvdimm objects Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consistently. The cxl_translate module has dependency on cxl_acpi and causes orphaned nvdimm objects to reprobe after cxl_acpi is removed. The nvdimm_bus object is registered by the cxl_nvb object when cxl_acpi_probe() is called. With the nv... • https://git.kernel.org/stable/c/8fdcb1704f61a8fd9be0f3849a174d084def0666 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23346 – arm64: io: Extract user memory type in ioremap_prot()
https://notcve.org/view.php?id=CVE-2026-23346
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: arm64: io: Extract user memory type in ioremap_prot() The only caller of ioremap_prot() outside of the generic ioremap() implementation is generic_access_phys(), which passes a 'pgprot_t' value determined from the user mapping of the target 'pfn' being accessed by the kernel. On arm64, the 'pgprot_t' contains all of the non-address bits from the pte, including the permission controls, and so we end up returning a new user mapping from iorem... • https://git.kernel.org/stable/c/893dea9ccd08dab924839354aba21d4ed7a9abc0 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23343 – xdp: produce a warning when calculated tailroom is negative
https://notcve.org/view.php?id=CVE-2026-23343
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely bpf_xdp_frags_increase_tail(), clearly expects a truesize. Such difference leads to unspecific memory corruption issues under certain circumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when running xskxceiver's XDP_ADJUST_TAIL_GROW_MUL... • https://git.kernel.org/stable/c/bf25146a5595269810b1f47d048f114c5ff9f544 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23340 – net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
https://notcve.org/view.php?id=CVE-2026-23340
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_... • https://git.kernel.org/stable/c/6b3ba9146fe64b9bebb6346c9dcfe3b4851de2d7 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23339 – nfc: nci: free skb on nci_transceive early error paths
https://notcve.org/view.php?id=CVE-2026-23339
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free skb on nci_transceive early error paths nci_transceive() takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it. Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes the nci/nci_dev selftest hits the error path occasionally in NIPA, and kmemleak detects leaks: unreferenced object 0xff11000015ce6a40 (size 640): comm "nci_dev", pid 3954, jiffie... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23336 – wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
https://notcve.org/view.php?id=CVE-2026-23336
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0... • https://git.kernel.org/stable/c/1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23335 – RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
https://notcve.org/view.php?id=CVE-2026-23335
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() struct irdma_create_ah_resp { // 8 bytes, no padding __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx) __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK }; rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata(). The reserved members of the structure were not zeroed. • https://git.kernel.org/stable/c/b48c24c2d710cf34810c555dcef883a3d35a9c08 •