CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23125 – sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
https://notcve.org/view.php?id=CVE-2026-23125
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails: ================================================================== KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] RIP: 0010:sctp_packet_appe... • https://git.kernel.org/stable/c/730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23121 – mISDN: annotate data-race around dev->work
https://notcve.org/view.php?id=CVE-2026-23121
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: mISDN: annotate data-race around dev->work dev->work can re read locklessly in mISDN_read() and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline] mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597... • https://git.kernel.org/stable/c/1b2b03f8e514e4f68e293846ba511a948b80243c •
CVSS: 6.9EPSS: 0%CPEs: 9EXPL: 0CVE-2026-23120 – l2tp: avoid one data-race in l2tp_tunnel_del_work()
https://notcve.org/view.php?id=CVE-2026-23120
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: l2tp: avoid one data-race in l2tp_tunnel_del_work() We should read sk->sk_socket only when dealing with kernel sockets. syzbot reported the following data-race: BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: sk_set_socket include/net/sock.h:2092 [inline] sock_orphan include/net/sock.h:2118 [inline] sk_common_release+0xae/0x230 net/core/sock.c:4003 udp_lib_close... • https://git.kernel.org/stable/c/d00fa9adc528c1b0e64d532556764852df8bd7b9 •
CVSS: 6.3EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23118 – rxrpc: Fix data-race warning and potential load/store tearing
https://notcve.org/view.php?id=CVE-2026-23118
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix data-race warning and potential load/store tearing Fix the following: BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet which is reporting an issue with the reads and writes to ->last_tx_at in: conn->peer->last_tx_at = ktime_get_seconds(); and: keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME; The lockless accesses to these to values aren't actually a problem as the read only needs an approximate... • https://git.kernel.org/stable/c/ace45bec6d77bc061c3c3d8ad99e298ea9800c2b •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23112 – nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
https://notcve.org/view.php?id=CVE-2026-23112
13 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service... • https://git.kernel.org/stable/c/872d26a391da92ed8f0c0f5cb5fef428067b7f30 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-23111 – netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
https://notcve.org/view.php?id=CVE-2026-23111
13 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already ac... • https://git.kernel.org/stable/c/25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23108 – can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
https://notcve.org/view.php?id=CVE-2026-23108
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback usb_8dev_read_bulk_callback(), the URBs are processed and resubmitted. In usb_8dev_close() -> ... • https://git.kernel.org/stable/c/0024d8ad1639e32d717445c69ca813fd19c2a91c •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23105 – net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag
https://notcve.org/view.php?id=CVE-2026-23105
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. use cl_is_active instead of relying on the child qdisc's qlen to determine class activation. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of s... • https://git.kernel.org/stable/c/462dbc9101acd38e92eda93c0726857517a24bbd •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23103 – ipvlan: Make the addrs_lock be per port
https://notcve.org/view.php?id=CVE-2026-23103
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it's highly unlikely that ip... • https://git.kernel.org/stable/c/8230819494b3bf284ca7262ac5f877333147b937 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23101 – leds: led-class: Only Add LED to leds_list when it is fully ready
https://notcve.org/view.php?id=CVE-2026-23101
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: leds: led-class: Only Add LED to leds_list when it is fully ready Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized. This leaves a window where led_trigger_register() of a LED's default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_bright... • https://git.kernel.org/stable/c/d23a22a74fded23a12434c9463fe66cec2b0afcd •