CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71185 – dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
https://notcve.org/view.php?id=CVE-2025-71185
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. Se... • https://git.kernel.org/stable/c/42dbdcc6bf965997c088caff2a8be7f9bf44f701 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23021 – net: usb: pegasus: fix memory leak in update_eth_regs_async()
https://notcve.org/view.php?id=CVE-2026-23021
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: fix memory leak in update_eth_regs_async() When asynchronously writing to the device registers and if usb_submit_urb() fail, the code fail to release allocated to this point resources. In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: fix memory leak in update_eth_regs_async() When asynchronously writing to the device registers and if usb_submit_urb() fail, the code fail to release all... • https://git.kernel.org/stable/c/323b34963d113efb566635f43858f40cce01d5f9 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23020 – net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
https://notcve.org/view.php?id=CVE-2026-23020
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: 3com: 3c59x: fix possible null dereference in vortex_probe1() pdev can be null and free_ring: can be called in 1297 with a null pdev. In the Linux kernel, the following vulnerability has been resolved: net: 3com: 3c59x: fix possible null dereference in vortex_probe1() pdev can be null and free_ring: can be called in 1297 with a null pdev. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege esca... • https://git.kernel.org/stable/c/55c82617c3e82210b7471e9334e8fc5df6a9961f •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71184 – btrfs: fix NULL dereference on root when tracing inode eviction
https://notcve.org/view.php?id=CVE-2025-71184
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root's id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_inode(). Hence, we either should set the ->root_objectid to 0 in case the root is NULL, or we move tracing setup after checking that the root is not NULL. Setting ... • https://git.kernel.org/stable/c/1abe9b8a138c9988ba8f7bfded6453649a31541f •
CVSS: 6.3EPSS: 0%CPEs: 9EXPL: 0CVE-2025-71183 – btrfs: always detect conflicting inodes when logging inode refs
https://notcve.org/view.php?id=CVE-2025-71183
31 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only of the inodes and after a power failure that can result in an attempt to delete the other inode when it should not because it was not deleted before the power fail... • https://git.kernel.org/stable/c/56f23fdbb600e6087db7b009775b95ce07cc3195 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23011 – ipv4: ip_gre: make ipgre_header() robust
https://notcve.org/view.php?id=CVE-2026-23011
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was c... • https://git.kernel.org/stable/c/c54419321455631079c7d6e60bc732dd0c5914c5 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23004 – dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
https://notcve.org/view.php?id=CVE-2026-23004
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has... • https://git.kernel.org/stable/c/78df76a065ae3b5dbcb9a29912adc02f697de498 •
CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23001 – macvlan: fix possible UAF in macvlan_forward_source()
https://notcve.org/view.php?id=CVE-2026-23001
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netd... • https://git.kernel.org/stable/c/79cf79abce71eb7dbc40e2f3121048ca5405cb47 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-22999 – net/sched: sch_qfq: do not free existing class in qfq_change_class()
https://notcve.org/view.php?id=CVE-2026-22999
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdis... • https://git.kernel.org/stable/c/462dbc9101acd38e92eda93c0726857517a24bbd •
CVSS: 7.0EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71162 – dmaengine: tegra-adma: Fix use-after-free
https://notcve.org/view.php?id=CVE-2025-71162
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it. The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet ha... • https://git.kernel.org/stable/c/f46b195799b5cb05338e7c44cb3617eacb56d755 •