CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23443 – ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
https://notcve.org/view.php?id=CVE-2026-23443
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()"), device pointers may be dereferenced after dropping references to the device objects pointed to by them, which may cause a use-after-free to occur. Moreover, debug messages about enabling the errata may be printed if the errata flags corresponding to them are unset. Addre... • https://git.kernel.org/stable/c/ad86ac604f8391c0212a91412d4f764c7a85f254 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23442 – ipv6: add NULL checks for idev in SRv6 paths
https://notcve.org/view.php?id=CVE-2026-23442
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths __in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences. • https://git.kernel.org/stable/c/1ababeba4a21f3dba3da3523c670b207fb2feb62 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23441 – net/mlx5e: Prevent concurrent access to IPSec ASO context
https://notcve.org/view.php?id=CVE-2026-23441
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent concurrent access to IPSec ASO context The query or updating IPSec offload object is through Access ASO WQE. The driver uses a single mlx5e_ipsec_aso struct for each PF, which contains a shared DMA-mapped context for all ASO operations. A race condition exists because the ASO spinlock is released before the hardware has finished processing WQE. If a second operation is initiated immediately after, it overwrites the shared... • https://git.kernel.org/stable/c/1ed78fc033074c55221a80498204c539a3696877 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23440 – net/mlx5e: Fix race condition during IPSec ESN update
https://notcve.org/view.php?id=CVE-2026-23440
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race condition during IPSec ESN update In IPSec full offload mode, the device reports an ESN (Extended Sequence Number) wrap event to the driver. The driver validates this event by querying the IPSec ASO and checking that the esn_event_arm field is 0x0, which indicates an event has occurred. After handling the event, the driver must re-arm the context by setting esn_event_arm back to 0x1. A race condition exists in this handl... • https://git.kernel.org/stable/c/fef06678931ff67b158d337b581e5cf5ca40a3a3 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23439 – udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
https://notcve.org/view.php?id=CVE-2026-23439
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference. The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit ... • https://git.kernel.org/stable/c/fd384412e199b62c3ddaabd18dce86d0e164c5b9 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23438 – net: mvpp2: guard flow control update with global_tx_fc in buffer switching
https://notcve.org/view.php?id=CVE-2026-23438
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with global_tx_fc in buffer switching mvpp2_bm_switch_buffers() unconditionally calls mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and shared buffer pool modes. This function programs CM3 flow control registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference priv->cm3_base without any NULL check. When the CM3 SRAM resource is not present in the device tree (the third reg entry... • https://git.kernel.org/stable/c/3a616b92a9d17448d96a33bf58e69f01457fd43a •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23434 – mtd: rawnand: serialize lock/unlock against other NAND operations
https://notcve.org/view.php?id=CVE-2026-23434
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_... • https://git.kernel.org/stable/c/92270086b7e5ada7ab381c06cc3da2e95ed17088 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23428 – ksmbd: fix use-after-free of share_conf in compound request
https://notcve.org/view.php?id=CVE-2026-23428
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of share_conf in compound request smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely. If a prior command in the compound (SMB2_TREE_DISCONNECT) sets t_state to TREE_DISCONNECTED and frees share_conf via ksmbd_share_config_put(), su... • https://git.kernel.org/stable/c/854156d12caa9d36de1cf5f084591c7686cc8a9d •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23427 – ksmbd: fix use-after-free in durable v2 replay of active file handles
https://notcve.org/view.php?id=CVE-2026-23427
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in durable v2 replay of active file handles parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling a DURABLE_REQ_V2 context with SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by fp->conn, so it returns file handles that are already actively connected. The unconditional overwrite replaces fp->conn, and when the overwriting connection is... • https://git.kernel.org/stable/c/8df4bcdb0a4232192b2445256c39b787d58ef14d •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23426 – drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
https://notcve.org/view.php?id=CVE-2026-23426
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse() The logicvc_drm_config_parse() function calls of_get_child_by_name() to find the "layers" node but fails to release the reference, leading to a device node reference leak. Fix this by using the __free(device_node) cleanup attribute to automatic release the reference when the variable goes out of scope. • https://git.kernel.org/stable/c/efeeaefe9be56e8ae5e5b4e9ff6d2275ec977ec5 •