CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23126 – netdevsim: fix a race issue related to the operation on bpf_bound_progs list
https://notcve.org/view.php?id=CVE-2026-23126
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: netdevsim: fix a race issue related to the operation on bpf_bound_progs list The netdevsim driver lacks a protection mechanism for operations on the bpf_bound_progs list. When the nsim_bpf_create_prog() performs list_add_tail, it is possible that nsim_bpf_destroy_prog() is simultaneously performs list_del. Concurrent operations on the list may lead to list corruption and trigger a kernel crash as follows: [ 417.290971] kernel BUG at lib/lis... • https://git.kernel.org/stable/c/31d3ad832948c75139b0e5b653912f7898a1d5d5 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23125 – sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
https://notcve.org/view.php?id=CVE-2026-23125
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key initialization fails: ================================================================== KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2 RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline] RIP: 0010:sctp_packet_appe... • https://git.kernel.org/stable/c/730fc3d05cd4ba4c9ce2de91f3d43349e95dbbf5 •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23124 – ipv6: annotate data-race in ndisc_router_discovery()
https://notcve.org/view.php?id=CVE-2026-23124
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: annotate data-race in ndisc_router_discovery() syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1] This looks fine, IFLA_INET6_RA_MTU is best effort. Add READ_ONCE()/WRITE_ONCE() to document the race. Note that we might also reject illegal MTU values (mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch. [1] BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_di... • https://git.kernel.org/stable/c/49b99da2c9ce13ffcd93fe3a0f5670791c1d76f7 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23121 – mISDN: annotate data-race around dev->work
https://notcve.org/view.php?id=CVE-2026-23121
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: mISDN: annotate data-race around dev->work dev->work can re read locklessly in mISDN_read() and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline] mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597... • https://git.kernel.org/stable/c/1b2b03f8e514e4f68e293846ba511a948b80243c •
CVSS: 6.9EPSS: 0%CPEs: 9EXPL: 0CVE-2026-23120 – l2tp: avoid one data-race in l2tp_tunnel_del_work()
https://notcve.org/view.php?id=CVE-2026-23120
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: l2tp: avoid one data-race in l2tp_tunnel_del_work() We should read sk->sk_socket only when dealing with kernel sockets. syzbot reported the following data-race: BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0: sk_set_socket include/net/sock.h:2092 [inline] sock_orphan include/net/sock.h:2118 [inline] sk_common_release+0xae/0x230 net/core/sock.c:4003 udp_lib_close... • https://git.kernel.org/stable/c/d00fa9adc528c1b0e64d532556764852df8bd7b9 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23119 – bonding: provide a net pointer to __skb_flow_dissect()
https://notcve.org/view.php?id=CVE-2026-23119
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: provide a net pointer to __skb_flow_dissect() After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") we have to provide a net pointer to __skb_flow_dissect(), either via skb->dev, skb->sk, or a user provided pointer. In the following case, syzbot was able to cook a bare skb. WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053 Call Tr... • https://git.kernel.org/stable/c/58deb77cc52da9360d20676e68dd215742cbe473 •
CVSS: 6.3EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23118 – rxrpc: Fix data-race warning and potential load/store tearing
https://notcve.org/view.php?id=CVE-2026-23118
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix data-race warning and potential load/store tearing Fix the following: BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet which is reporting an issue with the reads and writes to ->last_tx_at in: conn->peer->last_tx_at = ktime_get_seconds(); and: keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME; The lockless accesses to these to values aren't actually a problem as the read only needs an approximate... • https://git.kernel.org/stable/c/ace45bec6d77bc061c3c3d8ad99e298ea9800c2b •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23113 – io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
https://notcve.org/view.php?id=CVE-2026-23113
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Currently this is checked before running the pending work. Normally this is quite fine, as work items either end up blocking (which will create a new worker for other items), or they complete fairly quickly. But syzbot reports an issue where io-wq takes seemingly forever to exit, and with a bit of debugging, this turns out to be because it queues a bunch of big (2GB - 4096b) reads wi... • https://git.kernel.org/stable/c/c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23112 – nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
https://notcve.org/view.php?id=CVE-2026-23112
13 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service... • https://git.kernel.org/stable/c/872d26a391da92ed8f0c0f5cb5fef428067b7f30 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-23111 – netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
https://notcve.org/view.php?id=CVE-2026-23111
13 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already ac... • https://git.kernel.org/stable/c/25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 •