CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23289 – IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
https://notcve.org/view.php?id=CVE-2026-23289
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Fix a user triggerable leak on the system call failure path. • https://git.kernel.org/stable/c/ec34a922d243c3401a694450734e9effb2bafbfe •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23287 – irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
https://notcve.org/view.php?id=CVE-2026-23287
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: irqchip/sifive-plic: Fix frozen interrupt due to affinity setting PLIC ignores interrupt completion message for disabled interrupt, explained by the specification: The PLIC signals it has completed executing an interrupt handler by writing the interrupt ID it received from the claim to the claim/complete register. The PLIC does not check whether the completion ID is the same as the last claim ID for that target. If the completion ID does no... • https://git.kernel.org/stable/c/cc9f04f9a84f745949e325661550ed14bd0ff322 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23286 – atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
https://notcve.org/view.php?id=CVE-2026-23286
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix null-ptr-deref in lec_arp_clear_vccs syzkaller reported a null-ptr-deref in lec_arp_clear_vccs(). This issue can be easily reproduced using the syzkaller reproducer. In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc). When the underlying VCC is closed, lec_vcc_close() iterates over all ARP entries and calls lec_arp_clear_vccs() for ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23284 – net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()
https://notcve.org/view.php?id=CVE-2026-23284
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Reset eBPF program pointer to old_prog and do not decrease its ref-count if mtk_open routine in mtk_xdp_setup() fails. • https://git.kernel.org/stable/c/7c26c20da5d420cde55618263be4aa2f6de53056 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23281 – wifi: libertas: fix use-after-free in lbs_free_adapter()
https://notcve.org/view.php?id=CVE-2026-23281
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the contain... • https://git.kernel.org/stable/c/954ee164f4f4598afc172c0ec3865d0352e55a0b •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23279 – wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
https://notcve.org/view.php?id=CVE-2026-23279
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check: ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; ... pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value); The mesh_matches_local() check above only validates the Mesh ID, Mesh Configuration, and Supported Rates IEs. It does not v... • https://git.kernel.org/stable/c/8f2535b92d685c68db4bc699dd78462a646f6ef9 •
CVSS: 8.2EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31788 – xen/privcmd: restrict usage in unprivileged domU
https://notcve.org/view.php?id=CVE-2026-31788
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains. In case the guest is booted using secure boot, however, the privcmd driver would be enabling a root user process to modify e.g. kernel memory contents, thus breaking the sec... • https://git.kernel.org/stable/c/1c5de1939c204bde9cce87f4eb3d26e9f9eb732b •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2026-23278 – netfilter: nf_tables: always walk all pending catchall elements
https://notcve.org/view.php?id=CVE-2026-23278
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch. If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate. Otherwise, we get: WARNING: ./include/net/netfilter/nf_tables.h:1281 a... • https://git.kernel.org/stable/c/628bd3e49cba1c066228e23d71a852c23e26da73 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23277 – net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
https://notcve.org/view.php?id=CVE-2026-23277
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand. When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does: ... • https://git.kernel.org/stable/c/039f50629b7f860f36644ed1f34b27da9aa62f43 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23276 – net: add xmit recursion limit to tunnel xmit functions
https://notcve.org/view.php?id=CVE-2026-23276
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves, and those GRE tunnels route back through the bond, multicast/broadcast traffic triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing kernel stack overflow. The existing XMIT_RECURSION... • https://git.kernel.org/stable/c/745e20f1b626b1be4b100af5d4bf7b3439392f8f •