CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22978 – wifi: avoid kernel-infoleak from struct iw_point
https://notcve.org/view.php?id=CVE-2026-22978
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. In the Linux kernel, the following vulnerability has been resolved: wifi: avoid ke... • https://git.kernel.org/stable/c/87de87d5e47f94b4ea647a5bd1bc8dc1f7930db4 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71161 – dm-verity: disable recursive forward error correction
https://notcve.org/view.php?id=CVE-2025-71161
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. • https://git.kernel.org/stable/c/a739ff3f543afbb4a041c16cd0182c8e8d366e70 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71160 – netfilter: nf_tables: avoid chain re-validation if possible
https://notcve.org/view.php?id=CVE-2025-71160
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immed... • https://git.kernel.org/stable/c/a654de8fdc1815676ab750e70cab231fc814c29f •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71154 – net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
https://notcve.org/view.php?id=CVE-2025-71154
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and th... • https://git.kernel.org/stable/c/4d12997a9bb3d217ad4b925ec3074ec89364bf95 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71152 – net: dsa: properly keep track of conduit reference
https://notcve.org/view.php?id=CVE-2025-71152
23 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference Problem description ------------------- DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. There are two distinct problems. 1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit's kobject. Nominally, the OF and non-OF paths should result in objects ha... • https://git.kernel.org/stable/c/83c0afaec7b730b16c518aecc8e6246ec91b265e •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22977 – net: sock: fix hardened usercopy panic in sock_recv_errqueue
https://notcve.org/view.php?id=CVE-2026-22977
21 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone... • https://git.kernel.org/stable/c/6d07d1cd300f4c7e16005f881fea388164999cc8 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22976 – net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
https://notcve.org/view.php?id=CVE-2026-22976
21 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_ne... • https://git.kernel.org/stable/c/0545a3037773512d3448557ba048cebb73b3e4af •
CVSS: 6.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71137 – octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
https://notcve.org/view.php?id=CVE-2025-71137
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users passes small or zero ring sizes via ethtool -G. In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below th... • https://git.kernel.org/stable/c/d45d8979840d9c9ac93d3fe8cfc8e794b7228445 •
CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71136 – media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
https://notcve.org/view.php?id=CVE-2025-71136
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Verification Center (linuxtesting.org) with SVACE. In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds a... • https://git.kernel.org/stable/c/a89bcd4c6c2023615a89001b5a11b0bb77eb9491 •
CVSS: 6.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71131 – crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
https://notcve.org/view.php?id=CVE-2025-71131
14 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead. In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv... • https://git.kernel.org/stable/c/0a270321dbf948963aeb0e8382fe17d2c2eb3771 •