CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23330 – nfc: nci: complete pending data exchange on device close
https://notcve.org/view.php?id=CVE-2026-23330
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: complete pending data exchange on device close In nci_close_device(), complete any pending data exchange before closing. The data exchange callback (e.g. rawsock_data_exchange_complete) holds a socket reference. NIPA occasionally hits this leak: unreferenced object 0xff1100000f435000 (size 2048): comm "nci_dev", pid 3954, jiffies 4295441245 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................... • https://git.kernel.org/stable/c/38f04c6b1b682f1879441e2925403ad9aff9e229 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23327 – cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()
https://notcve.org/view.php?id=CVE-2026-23327
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() cxl_payload_from_user_allowed() casts and dereferences the input payload without first verifying its size. When a raw mailbox command is sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG, which expects a 16-byte UUID), uuid_equal() reads past the allocated buffer, triggering a KASAN splat: BUG: KASAN: slab-out-of-bounds in memcmp... • https://git.kernel.org/stable/c/6179045ccc0c6229dc449afc1701dc7fbd40571f •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23325 – wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()
https://notcve.org/view.php?id=CVE-2026-23325
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt7996_mac_write_txwi_80211 in order to avoid a possible oob access. • https://git.kernel.org/stable/c/98686cd21624c75a043e96812beadddf4f6f48e5 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23324 – can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
https://notcve.org/view.php?id=CVE-2026-23324
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: can: usb: etas_es58x: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_kill_anchored_urbs() is called. This logic is correctly done elsewhere in the driver, except in the read bulk callback so do that here also. • https://git.kernel.org/stable/c/8537257874e949a59c834cecfd5a063e11b64b0b •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23321 – mptcp: pm: in-kernel: always mark signal+subflow endp as used
https://notcve.org/view.php?id=CVE-2026-23321
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always mark signal+subflow endp as used Syzkaller managed to find a combination of actions that was generating this warning: msk->pm.local_addr_used == 0 WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961 WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961 WARNIN... • https://git.kernel.org/stable/c/d93cf38fad9f66397093432b8917971a92ee0146 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23320 – usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
https://notcve.org/view.php?id=CVE-2026-23320
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind Currently, the net_device is allocated in ncm_alloc_inst() and freed in ncm_free_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind). This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling ... • https://git.kernel.org/stable/c/40d133d7f542616cf9538508a372306e626a16e9 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23319 – bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
https://notcve.org/view.php?id=CVE-2026-23319
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline... • https://git.kernel.org/stable/c/69fd337a975c7e690dfe49d9cb4fe5ba1e6db44e •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23318 – ALSA: usb-audio: Use correct version for UAC3 header validation
https://notcve.org/view.php?id=CVE-2026-23318
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol == UAC_VERSION_3), causing their header descriptors to bypass validation entirely. A malicious USB device presenting a truncated UAC3 head... • https://git.kernel.org/stable/c/57f8770620e9b51c61089751f0b5ad3dbe376ff2 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23317 – drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
https://notcve.org/view.php?id=CVE-2026-23317
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that returned an error code with the pointer becoming an out parameter. The error path when the lookup failed was not changed to reflect this change and the code continued to return the PTR_ERR of the now uninitialized pointer. This could c... • https://git.kernel.org/stable/c/7ac9578e45b20e3f3c0c8eb71f5417a499a7226a •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23315 – wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
https://notcve.org/view.php?id=CVE-2026-23315
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. [fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag] • https://git.kernel.org/stable/c/577dbc6c656da6997dddc6cf842b7954588f2d4e •