CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23324 – can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
https://notcve.org/view.php?id=CVE-2026-23324
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_kill_anchored_urbs() is called. This logic is correctly done elsewhere in the driver, except in the read bulk callback so do that here also.
https://git.kernel.org/stable/c/8537257874e949a59c834cecfd5a063e11b64b0b
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-23320 – usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
https://notcve.org/view.php?id=CVE-2026-23320
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
Currently, the net_device is allocated in ncm_alloc_inst() and freed in ncm_free_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind). This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling ...
https://git.kernel.org/stable/c/40d133d7f542616cf9538508a372306e626a16e9
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23319 – bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
https://notcve.org/view.php?id=CVE-2026-23319
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline...
https://git.kernel.org/stable/c/69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-23318 – ALSA: usb-audio: Use correct version for UAC3 header validation
https://notcve.org/view.php?id=CVE-2026-23318
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Use correct version for UAC3 header validation
The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 head...
https://git.kernel.org/stable/c/57f8770620e9b51c61089751f0b5ad3dbe376ff2
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23317 – drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
https://notcve.org/view.php?id=CVE-2026-23317
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter. The error path when the lookup failed was not changed to reflect this change and the code continued to return the PTR_ERR of the now uninitialized pointer. This could c...
https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23315 – wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
https://notcve.org/view.php?id=CVE-2026-23315
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access.
[fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag]
https://git.kernel.org/stable/c/577dbc6c656da6997dddc6cf842b7954588f2d4e
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23312 – net: usb: kaweth: validate USB endpoints
https://notcve.org/view.php?id=CVE-2026-23312
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
net: usb: kaweth: validate USB endpoints
The kaweth driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.
https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-23310 – bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
https://notcve.org/view.php?id=CVE-2026-23310
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard. For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This mea...
https://git.kernel.org/stable/c/39a0876d595bd7c7512782dfcce0ee66f65bf221
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23307 – can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
https://notcve.org/view.php?id=CVE-2026-23307
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer. When parsing the messages in ems_usb_read_bulk_callback() properly check the size both at the beginning of parsing the message to make sure it is big enough for the expe...
https://git.kernel.org/stable/c/702171adeed3607ee9603ec30ce081411e36ae42
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-23306 – scsi: pm8001: Fix use-after-free in pm8001_queue_command()
https://notcve.org/view.php?id=CVE-2026-23306
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix use-after-free in pm8001_queue_command()
Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handle...
https://git.kernel.org/stable/c/e29c47fe8946cc732b0e0d393b65b13c84bb69d0
