CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23274 – netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
https://notcve.org/view.php?id=CVE-2026-23274
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possi... • https://git.kernel.org/stable/c/68983a354a655c35d3fb204489d383a2a051fda7 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23273 – macvlan: observe an RCU grace period in macvlan_common_newlink() error path
https://notcve.org/view.php?id=CVE-2026-23273
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: macvlan: observe an RCU grace period in macvlan_common_newlink() error path valis reported that a race condition still happens after my prior patch. macvlan_common_newlink() might have made @dev visible before detecting an error, and its caller will directly call free_netdev(dev). We must respect an RCU period, either in macvlan or the core networking stack. After adding a temporary mdelay(1000) in macvlan_forward_source_one() to open the r... • https://git.kernel.org/stable/c/da5c6b8ae47e414be47e5e04def15b25d5c962dc •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23272 – netfilter: nf_tables: unconditionally bump set->nelems before insertion
https://notcve.org/view.php?id=CVE-2026-23272
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already. To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state. As for element updates, de... • https://git.kernel.org/stable/c/35d0ac9070ef619e3bf44324375878a1c540387b •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23271 – perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
https://notcve.org/view.php?id=CVE-2026-23271
20 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program. En el kernel de Linux, la siguiente v... • https://git.kernel.org/stable/c/592903cdcbf606a838056bae6d03fc557806c914 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23270 – net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
https://notcve.org/view.php?id=CVE-2026-23270
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet." act_ct was never meant to be used in the egress path, however some users... • https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23269 – apparmor: validate DFA start states are in bounds in unpack_pdb
https://notcve.org/view.php?id=CVE-2026-23269
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read. ================================================================== BUG: KASAN: slab-out-of-boun... • https://git.kernel.org/stable/c/ad5ff3db53c68c2f12936bc74ea5dfe0af943592 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23268 – apparmor: fix unprivileged local user can do privileged policy management
https://notcve.org/view.php?id=CVE-2026-23268
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such ac... • https://git.kernel.org/stable/c/b7fd2c0340eacbee892425e9007647568b7f2a3c •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23267 – f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
https://notcve.org/view.php?id=CVE-2026-23267
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes During SPO tests, when mounting F2FS, an -EINVAL error was returned from f2fs_recover_inode_page. The issue occurred under the following scenario Thread A Thread B f2fs_ioc_commit_atomic_write - f2fs_do_sync_file // atomic = true - f2fs_fsync_node_pages : last_folio = inode folio : schedule before folio_lock(last_folio) f2fs_write_che... • https://git.kernel.org/stable/c/608514deba38c8611ad330d6a3c8e2b9a1f68e4b •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23266 – fbdev: rivafb: fix divide error in nv3_arb()
https://notcve.org/view.php?id=CVE-2026-23266
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacke... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23265 – f2fs: fix to do sanity check on node footer in {read,write}_end_io
https://notcve.org/view.php?id=CVE-2026-23265
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer in {read,write}_end_io -----------[ cut here ]------------ kernel BUG at fs/f2fs/data.c:358! Call Trace: