CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23080 – can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
https://notcve.org/view.php?id=CVE-2026-23080
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() ->... • https://git.kernel.org/stable/c/51f3baad7de943780ce0c17bd7975df567dd6e14 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23076 – ALSA: ctxfi: Fix potential OOB access in audio mixer handling
https://notcve.org/view.php?id=CVE-2026-23076
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB access in audio mixer handling In the audio mixer handling code of ctxfi driver, the conf field is used as a kind of loop index, and it's referred in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code causes OOB access at those functions. | UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48 | index 8 is... • https://git.kernel.org/stable/c/8cc72361481f00253f1e468ade5795427386d593 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23075 – can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
https://notcve.org/view.php?id=CVE-2026-23075
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In esd_usb_close() the URBs are freed by calling... • https://git.kernel.org/stable/c/96d8e90382dc336b5de401164597edfdc2e8d9f1 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23074 – net/sched: Enforce that teql can only be used as root qdisc
https://notcve.org/view.php?id=CVE-2026-23074
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23073 – wifi: rsi: Fix memory corruption due to not set vif driver data size
https://notcve.org/view.php?id=CVE-2026-23073
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is there... • https://git.kernel.org/stable/c/dad0d04fa7ba41ce603a01e8e64967650303e9a2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23071 – regmap: Fix race condition in hwspinlock irqsave routine
https://notcve.org/view.php?id=CVE-2026-23071
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: regmap: Fix race condition in hwspinlock irqsave routine Previously, the address of the shared member '&map->spinlock_flags' was passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race condition where multiple contexts contending for the lock could overwrite the shared flags variable, potentially corrupting the state for the current lock owner. Fix this by using a local stack variable 'flags' to store the IRQ state temporarily... • https://git.kernel.org/stable/c/8698b9364710e7bac84b3af07dd410e39c8c2e08 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23069 – vsock/virtio: fix potential underflow in virtio_transport_get_credit()
https://notcve.org/view.php?id=CVE-2026-23069
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential underflow in virtio_transport_get_credit() The credit calculation in virtio_transport_get_credit() uses unsigned arithmetic: ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle. Reuse ... • https://git.kernel.org/stable/c/06a8fc78367d070720af960dcecec917d3ae5f3b •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23068 – spi: spi-sprd-adi: Fix double free in probe error path
https://notcve.org/view.php?id=CVE-2026-23068
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails... • https://git.kernel.org/stable/c/ac1775012058e13ef1522938e27f5973d9e3f053 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23066 – rxrpc: Fix recvmsg() unconditional requeue
https://notcve.org/view.php?id=CVE-2026-23066
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, le... • https://git.kernel.org/stable/c/540b1c48c37ac0ad66212004db21e1ff7e2d78be •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23064 – net/sched: act_ife: avoid possible NULL deref
https://notcve.org/view.php?id=CVE-2026-23064
04 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT... • https://git.kernel.org/stable/c/295a6e06d21e1f469c9f38b00125a13b60ad4e7c •