CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23173 – net/mlx5e: TC, delete flows only for existing peers
https://notcve.org/view.php?id=CVE-2026-23173
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, delete flows only for existing peers When deleting TC steering flows, iterate only over actual devcom peers instead of assuming all possible ports exist. This avoids touching non-existent peers and ensures cleanup is limited to devices the driver is currently connected to. BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD ... • https://git.kernel.org/stable/c/9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23172 – net: wwan: t7xx: fix potential skb->frags overflow in RX path
https://notcve.org/view.php?id=CVE-2026-23172
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential skb->frags overflow in RX path When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and potentially causing kernel crashes or other undefined behavior. This issue was identified t... • https://git.kernel.org/stable/c/d642b012df70a76dd5723f2d426b40bffe83ac49 •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23171 – bonding: fix use-after-free due to enslave fail after slave array update
https://notcve.org/view.php?id=CVE-2026-23171
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: fix use-after-free due to enslave fail after slave array update Fix a use-after-free which happens due to enslave failure after the new slave has been added to the array. Since the new slave can be used for Tx immediately, we can use it after it has been freed by the enslave error cleanup path which frees the allocated slave memory. Slave update array is supposed to be called last when further enslave failures are not expected. Mov... • https://git.kernel.org/stable/c/9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23170 – drm/imx/tve: fix probe device leak
https://notcve.org/view.php?id=CVE-2026-23170
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/imx/tve: fix probe device leak Make sure to drop the reference taken to the DDC device during probe on probe failure (e.g. probe deferral) and on driver unbind. In the Linux kernel, the following vulnerability has been resolved: drm/imx/tve: fix probe device leak Make sure to drop the reference taken to the DDC device during probe on probe failure (e.g. probe deferral) and on driver unbind. • https://git.kernel.org/stable/c/fcbc51e54d2aa9d402206601f4894251049e5d77 •
CVSS: 6.9EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23169 – mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
https://notcve.org/view.php?id=CVE-2026-23169
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() and/or mptcp_pm_nl_is_backup() Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() which is not RCU ready. list_splice_init_rcu() can not be called here while holding pernet->lock spinlock. Many thanks to Eulgyu Kim for providing a repro and testing our patches. In the Linux kernel, the following vulnerabilit... • https://git.kernel.org/stable/c/141694df6573b49aa4143c92556544b4b0bbda72 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23168 – flex_proportions: make fprop_new_period() hardirq safe
https://notcve.org/view.php?id=CVE-2026-23168
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: flex_proportions: make fprop_new_period() hardirq safe Bernd has reported a lockdep splat from flexible proportions code that is essentially complaining about the following race:
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23167 – nfc: nci: Fix race between rfkill and nci_unregister_device().
https://notcve.org/view.php?id=CVE-2026-23167
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix race between rfkill and nci_unregister_device(). syzbot reported the splat below [0] without a repro. It indicates that struct nci_dev.cmd_wq had been destroyed before nci_close_device() was called via rfkill. nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which (I think) was called from virtual_ncidev_close() when syzbot close()d an fd of virtual_ncidev. The problem is that nci_unregister_device() destroys nci_d... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23166 – ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
https://notcve.org/view.php?id=CVE-2026-23166
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes during resume from suspend when rings[q_idx]->q_vector is NULL. Tested adaptor: 60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02) Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003] SR-IOV state: both disabled and enabled ca... • https://git.kernel.org/stable/c/2a5dc090b92cfa5270e20056074241c6db5c9cdd •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23164 – rocker: fix memory leak in rocker_world_port_post_fini()
https://notcve.org/view.php?id=CVE-2026-23164
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: rocker: fix memory leak in rocker_world_port_post_fini() In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with kzalloc(wops->port_priv_size, GFP_KERNEL). However, in rocker_world_port_post_fini(), the memory is only freed when wops->port_post_fini callback is set: if (!wops->port_post_fini) return; wops->port_post_fini(rocker_port); kfree(rocker_port->wpriv); Since rocker_ofdpa_ops does not implement port_post_fini callback ... • https://git.kernel.org/stable/c/e420114eef4a3a5025a243b89b0dc343101e3d3c •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23163 – drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove
https://notcve.org/view.php?id=CVE-2026-23163
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and ih2 interrupt ring buffers are not initialized. This is by design, as these secondary IH rings are only available on discrete GPUs. See vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when AMD_IS_APU is set. However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to ... • https://git.kernel.org/stable/c/dd299441654fd8209056c7985ddf2373ebaba6ed •