CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23315 – wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
https://notcve.org/view.php?id=CVE-2026-23315
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. [fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag] • https://git.kernel.org/stable/c/577dbc6c656da6997dddc6cf842b7954588f2d4e •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23313 – i40e: Fix preempt count leak in napi poll tracepoint
https://notcve.org/view.php?id=CVE-2026-23313
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: i40e: Fix preempt count leak in napi poll tracepoint Using get_cpu() in the tracepoint assignment causes an obvious preempt count leak because nothing invokes put_cpu() to undo it: softirq: huh, entered softirq 3 NET_RX with preempt_count 00000100, exited with 00000101? This clearly has seen a lot of testing in the last 3+ years... Use smp_processor_id() instead. • https://git.kernel.org/stable/c/6d4d584a7ea8fc8d2be77545cb503118c193738a •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23312 – net: usb: kaweth: validate USB endpoints
https://notcve.org/view.php?id=CVE-2026-23312
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: validate USB endpoints The kaweth driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23310 – bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
https://notcve.org/view.php?id=CVE-2026-23310
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard. For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This mea... • https://git.kernel.org/stable/c/39a0876d595bd7c7512782dfcce0ee66f65bf221 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23309 – tracing: Add NULL pointer check to trigger_data_free()
https://notcve.org/view.php?id=CVE-2026-23309
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: tracing: Add NULL pointer check to trigger_data_free() If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, trigger_data_free() does not. This causes a NULL pointer dereference in trigger_data_free() when evaluating data->cmd_ops->set_filter. Fix the problem by adding a NULL pointer check to trigger_data_free(). The problem was found by an e... • https://git.kernel.org/stable/c/c10f0efe57728508d796ae4ba7abe4c14ec3d8ef •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23307 – can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
https://notcve.org/view.php?id=CVE-2026-23307
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer. When parsing the messages in ems_usb_read_bulk_callback() properly check the size both at the beginning of parsing the message to make sure it is big enough for the expe... • https://git.kernel.org/stable/c/702171adeed3607ee9603ec30ce081411e36ae42 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23306 – scsi: pm8001: Fix use-after-free in pm8001_queue_command()
https://notcve.org/view.php?id=CVE-2026-23306
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handle... • https://git.kernel.org/stable/c/e29c47fe8946cc732b0e0d393b65b13c84bb69d0 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23304 – ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
https://notcve.org/view.php?id=CVE-2026-23304
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_... • https://git.kernel.org/stable/c/4832c30d5458387ff2533ff66fbde26ad8bb5a2d •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23303 – smb: client: Don't log plaintext credentials in cifs_set_cifscreds
https://notcve.org/view.php?id=CVE-2026-23303
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: Don't log plaintext credentials in cifs_set_cifscreds When debug logging is enabled, cifs_set_cifscreds() logs the key payload and exposes the plaintext username and password. Remove the debug log to avoid exposing credentials. • https://git.kernel.org/stable/c/8a8798a5ff90977d6459ce1d657cf8fe13a51e97 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23302 – net: annotate data-races around sk->sk_{data_ready,write_space}
https://notcve.org/view.php?id=CVE-2026-23302
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: annotate data-races around sk->sk_{data_ready,write_space} skmsg (and probably other layers) are changing these pointers while other cpus might read them concurrently. Add corresponding READ_ONCE()/WRITE_ONCE() annotations for UDP, TCP and AF_UNIX. • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c •