CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23446 – net: usb: aqc111: Do not perform PM inside suspend callback
https://notcve.org/view.php?id=CVE-2026-23446
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get(... • https://git.kernel.org/stable/c/e58ba4544c7771591d1e3157bc01b4a8e4d1c3fc •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23444 – wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
https://notcve.org/view.php?id=CVE-2026-23444
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac802... • https://git.kernel.org/stable/c/06be6b149f7e406bcf16098567f5a6c9f042bced •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23443 – ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
https://notcve.org/view.php?id=CVE-2026-23443
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()"), device pointers may be dereferenced after dropping references to the device objects pointed to by them, which may cause a use-after-free to occur. Moreover, debug messages about enabling the errata may be printed if the errata flags corresponding to them are unset. Addre... • https://git.kernel.org/stable/c/ad86ac604f8391c0212a91412d4f764c7a85f254 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23442 – ipv6: add NULL checks for idev in SRv6 paths
https://notcve.org/view.php?id=CVE-2026-23442
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths __in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences. • https://git.kernel.org/stable/c/1ababeba4a21f3dba3da3523c670b207fb2feb62 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23439 – udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
https://notcve.org/view.php?id=CVE-2026-23439
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference. The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit ... • https://git.kernel.org/stable/c/fd384412e199b62c3ddaabd18dce86d0e164c5b9 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23438 – net: mvpp2: guard flow control update with global_tx_fc in buffer switching
https://notcve.org/view.php?id=CVE-2026-23438
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with global_tx_fc in buffer switching mvpp2_bm_switch_buffers() unconditionally calls mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and shared buffer pool modes. This function programs CM3 flow control registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference priv->cm3_base without any NULL check. When the CM3 SRAM resource is not present in the device tree (the third reg entry... • https://git.kernel.org/stable/c/3a616b92a9d17448d96a33bf58e69f01457fd43a •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23434 – mtd: rawnand: serialize lock/unlock against other NAND operations
https://notcve.org/view.php?id=CVE-2026-23434
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_... • https://git.kernel.org/stable/c/92270086b7e5ada7ab381c06cc3da2e95ed17088 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23428 – ksmbd: fix use-after-free of share_conf in compound request
https://notcve.org/view.php?id=CVE-2026-23428
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of share_conf in compound request smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely. If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), su... • https://git.kernel.org/stable/c/854156d12caa9d36de1cf5f084591c7686cc8a9d •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23426 – drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
https://notcve.org/view.php?id=CVE-2026-23426
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() The logicvc_drm_config_parse() function calls of_get_child_by_name() to find the "layers" node but fails to release the reference, leading to a device node reference leak. Fix this by using the __free(device_node) cleanup attribute to automatic release the reference when the variable goes out of scope. • https://git.kernel.org/stable/c/efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23422 – dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
https://notcve.org/view.php?id=CVE-2026-23422
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ handler") introduces a range check for if_id to avoid an out-of-bounds access. If an out-of-bounds if_id is detected, the interrupt status is not cleared. This may result in an interrupt storm. Clear the interrupt status after detecting an out-of-bounds if_id to avoid the problem. Found by an exper... • https://git.kernel.org/stable/c/34b56c16efd61325d80bf1d780d0e176be662f59 •