CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2026-23146 – Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
https://notcve.org/view.php?id=CVE-2026-23146
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling hci_uart_register_dev(), which calls proto->open() to initialize hu->priv. However, if a TTY write wakeup occurs during this window, hci_uart_tx_wakeup() may schedule write_work before hu->priv is initialized, leading to a NULL pointer dereference in hci_uart_write_work() when proto->dequeue() accesses hu->priv. The ra... • https://git.kernel.org/stable/c/a40f94f7caa8d3421b64f63ac31bc0f24c890f39 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2026-23145 – ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
https://notcve.org/view.php?id=CVE-2026-23145
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref The error branch for ext4_xattr_inode_update_ref forget to release the refcount for iloc.bh. Find this when review code. In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref The error branch for ext4_xattr_inode_update_ref forget to release the refcount for iloc.bh. Find this when review code. • https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23144 – mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
https://notcve.org/view.php?id=CVE-2026-23144
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure When a context DAMON sysfs directory setup is failed after setup of attrs/ directory, subdirectories of attrs/ directory are not cleaned up. As a result, DAMON sysfs interface is nearly broken until the system reboots, and the memory for the unremoved directory is leaked. Cleanup the directories under such failures. In the Linux kernel, the following vulnerability has been r... • https://git.kernel.org/stable/c/c951cd3b89010c7a4751b9d4ea074007e44851e6 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23142 – mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure
https://notcve.org/view.php?id=CVE-2026-23142
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure When a DAMOS-scheme DAMON sysfs directory setup fails after setup of access_pattern/ directory, subdirectories of access_pattern/ directory are not cleaned up. As a result, DAMON sysfs interface is nearly broken until the system reboots, and the memory for the unremoved directory is leaked. Cleanup the directories under such failures. In the Linux kernel, the ... • https://git.kernel.org/stable/c/9bbb820a5bd5f406ae5e0819cc31f2c2e6f4d990 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23141 – btrfs: send: check for inline extents in range_is_hole_in_parent()
https://notcve.org/view.php?id=CVE-2026-23141
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: send: check for inline extents in range_is_hole_in_parent() Before accessing the disk_bytenr field of a file extent item we need to check if we are dealing with an inline extent. This is because for inline extents their data starts at the offset of the disk_bytenr field. So accessing the disk_bytenr means we are accessing inline data or in case the inline data is less than 8 bytes we can actually cause an invalid memory access if thi... • https://git.kernel.org/stable/c/82bfb2e7b645c8f228dc3b6d3b27b0b10125ca4f •
CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71202 – iommu/sva: invalidate stale IOTLB entries for kernel address space
https://notcve.org/view.php?id=CVE-2025-71202
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOTLB entries for kernel address space Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space. This interface is invoked from the x86 architecture code that manages combined user and kernel page tables, specifically before any kernel page table page is freed and reused. This addresses the main issue with vfree() which is a common occurrence and can be triggered by unp... • https://git.kernel.org/stable/c/2f26e0a9c9860db290d63e9d85c2c8c09813677f •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23140 – bpf, test_run: Subtract size of xdp_frame from allowed metadata size
https://notcve.org/view.php?id=CVE-2026-23140
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Subtract size of xdp_frame from allowed metadata size The xdp_frame structure takes up part of the XDP frame headroom, limiting the size of the metadata. However, in bpf_test_run, we don't take this into account, which makes it possible for userspace to supply a metadata size that is too large (taking up the entire headroom). If userspace supplies such a large metadata size in live packet mode, the xdp_update_frame_from_buff(... • https://git.kernel.org/stable/c/b6f1f780b3932ae497ed85e79bc8a1e513883624 •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23139 – netfilter: nf_conncount: update last_gc only when GC has been performed
https://notcve.org/view.php?id=CVE-2026-23139
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: update last_gc only when GC has been performed Currently last_gc is being updated everytime a new connection is tracked, that means that it is updated even if a GC wasn't performed. With a sufficiently high packet rate, it is possible to always bypass the GC, causing the list to grow infinitely. Update the last_gc value only when a GC has been actually performed. In the Linux kernel, the following vulnerability has ... • https://git.kernel.org/stable/c/d265929930e2ffafc744c0ae05fb70acd53be1ee •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23138 – tracing: Add recursion protection in kernel stack trace recording
https://notcve.org/view.php?id=CVE-2026-23138
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: tracing: Add recursion protection in kernel stack trace recording A bug was reported about an infinite recursion caused by tracing the rcu events with the kernel stack trace trigger enabled. The stack trace code called back into RCU which then called the stack trace again. Expand the ftrace recursion protection to add a set of bits to protect events from recursion. Each bit represents the context that the event is in (normal, softirq, inter... • https://git.kernel.org/stable/c/5f5fa7ea89dc82d34ed458f4d7a8634e8e9eefce •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23137 – of: unittest: Fix memory leak in unittest_data_add()
https://notcve.org/view.php?id=CVE-2026-23137
14 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: of: unittest: Fix memory leak in unittest_data_add() In unittest_data_add(), if of_resolve_phandles() fails, the allocated unittest_data is not freed, leading to a memory leak. Fix this by using scope-based cleanup helper __free(kfree) for automatic resource cleanup. This ensures unittest_data is automatically freed when it goes out of scope in error paths. For the success path, use retain_and_null_ptr() to transfer ownership of the memory ... • https://git.kernel.org/stable/c/2eb46da2a760e5764c48b752a5ef320e02b96b21 •