CVSS: - • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-23310 – bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
https://notcve.org/view.php?id=CVE-2026-23310
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, bond_option_xmit_hash_policy_set() has no such guard. For 802.3ad and balance-xor modes, bond_xdp_check() returns false when xmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually absent due to hardware offload. This mea... • https://git.kernel.org/stable/c/39a0876d595bd7c7512782dfcce0ee66f65bf221 •
CVSS: - • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-23309 – tracing: Add NULL pointer check to trigger_data_free()
https://notcve.org/view.php?id=CVE-2026-23309
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: tracing: Add NULL pointer check to trigger_data_free() If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, trigger_data_free() does not. This causes a NULL pointer dereference in trigger_data_free() when evaluating data->cmd_ops->set_filter. Fix the problem by adding a NULL pointer check to trigger_data_free(). The problem was found by an e... • https://git.kernel.org/stable/c/c10f0efe57728508d796ae4ba7abe4c14ec3d8ef •
CVSS: - • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-23308 – pinctrl: equilibrium: fix warning trace on load
https://notcve.org/view.php?id=CVE-2026-23308
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: equilibrium: fix warning trace on load The callback functions 'eqbr_irq_mask()' and 'eqbr_irq_ack()' are also called in the callback function 'eqbr_irq_mask_ack()'. This is done to avoid source code duplication. The problem is that the function 'eqbr_irq_mask()' also calls the gpiolib function 'gpiochip_disable_irq()'. This generates the following warning trace in the log for every gpio on load. [ 6.088111] ------------[ cut he... • https://git.kernel.org/stable/c/52066a53bd116a2f41d04d99b5095c02ad8cf953 •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-23307 – can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
https://notcve.org/view.php?id=CVE-2026-23307
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_length which is set by the driver as the max size of the buffer. When parsing the messages in ems_usb_read_bulk_callback() properly check the size both at the beginning of parsing the message to make sure it is big enough for the expe... • https://git.kernel.org/stable/c/702171adeed3607ee9603ec30ce081411e36ae42 •
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-23306 – scsi: pm8001: Fix use-after-free in pm8001_queue_command()
https://notcve.org/view.php?id=CVE-2026-23306
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gone state. In this path, pm8001_queue_command() updates task status and calls task_done to indicate to upper layer that the task has been handle... • https://git.kernel.org/stable/c/e29c47fe8946cc732b0e0d393b65b13c84bb69d0 •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-23304 – ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
https://notcve.org/view.php?id=CVE-2026-23304
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_... • https://git.kernel.org/stable/c/4832c30d5458387ff2533ff66fbde26ad8bb5a2d •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-23303 – smb: client: Don't log plaintext credentials in cifs_set_cifscreds
https://notcve.org/view.php?id=CVE-2026-23303
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: Don't log plaintext credentials in cifs_set_cifscreds When debug logging is enabled, cifs_set_cifscreds() logs the key payload and exposes the plaintext username and password. Remove the debug log to avoid exposing credentials. • https://git.kernel.org/stable/c/8a8798a5ff90977d6459ce1d657cf8fe13a51e97 •
CVSS: - • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-23302 – net: annotate data-races around sk->sk_{data_ready,write_space}
https://notcve.org/view.php?id=CVE-2026-23302
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: annotate data-races around sk->sk_{data_ready,write_space} skmsg (and probably other layers) are changing these pointers while other cpus might read them concurrently. Add corresponding READ_ONCE()/WRITE_ONCE() annotations for UDP, TCP and AF_UNIX. • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-23300 – net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
https://notcve.org/view.php?id=CVE-2026-23300
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unalloca... • https://git.kernel.org/stable/c/493ced1ac47c48bb86d9d4e8e87df8592be85a0e •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-23298 – can: ucan: Fix infinite loop from zero-length messages
https://notcve.org/view.php?id=CVE-2026-23298
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: can: ucan: Fix infinite loop from zero-length messages If a broken ucan device gets a message with the message length field set to 0, then the driver will loop forever in ucan_read_bulk_callback(), hanging the system. If the length is 0, just skip the message and go on to the next one. This has been fixed in the kvaser_usb driver in the past in commit 0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in command parsers")... • https://git.kernel.org/stable/c/9f2d3eae88d26c29d96e42983b755940d9169cd9 •
