CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23300 – net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
https://notcve.org/view.php?id=CVE-2026-23300
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unalloca... • https://git.kernel.org/stable/c/493ced1ac47c48bb86d9d4e8e87df8592be85a0e •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23298 – can: ucan: Fix infinite loop from zero-length messages
https://notcve.org/view.php?id=CVE-2026-23298
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: can: ucan: Fix infinite loop from zero-length messages If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucan_read_bulk_callback(), hanging the system. If the length is 0, just skip the message and go on to the next one. This has been fixed in the kvaser_usb driver in the past in commit 0c73772cd2b8 ("can: kvaser_usb: leaf: Fix potential infinite loop in command parsers")... • https://git.kernel.org/stable/c/9f2d3eae88d26c29d96e42983b755940d9169cd9 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2026-23296 – scsi: core: Fix refcount leak for tagset_refcnt
https://notcve.org/view.php?id=CVE-2026-23296
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix refcount leak for tagset_refcnt This leak will cause a hang when tearing down the SCSI host. For example, iscsid hangs with the following call trace: [130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid" #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4 #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f ... • https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23293 – net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
https://notcve.org/view.php?id=CVE-2026-23293
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup(). BUG: kernel NULL pointer dereference, address: 0000000000000380 Oops: Oops: 0000 [... • https://git.kernel.org/stable/c/e15a00aafa4b7953ad717d3cb1ad7acf4ff76945 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2026-23292 – scsi: target: Fix recursive locking in __configfs_open_file()
https://notcve.org/view.php?id=CVE-2026-23292
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix recursive locking in __configfs_open_file() In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This function called filp_open(), following which these functions were called (in reverse order), according to the call trace: down_read __configfs_open_file do_dentry_open vfs_open do_open path_openat do_filp_open file_open_name filp_open... • https://git.kernel.org/stable/c/b0841eefd9693827afb9888235e26ddd098f9cef •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23291 – nfc: pn533: properly drop the usb interface reference on disconnect
https://notcve.org/view.php?id=CVE-2026-23291
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: properly drop the usb interface reference on disconnect When the device is disconnected from the driver, there is a "dangling" reference count on the usb interface that was grabbed in the probe callback. Fix this up by properly dropping the reference after we are done with it. • https://git.kernel.org/stable/c/c46ee38620a2aa2b25b16bc9738ace80dbff76a4 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23290 – net: usb: pegasus: validate USB endpoints
https://notcve.org/view.php?id=CVE-2026-23290
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23289 – IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
https://notcve.org/view.php?id=CVE-2026-23289
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Fix a user triggerable leak on the system call failure path. • https://git.kernel.org/stable/c/ec34a922d243c3401a694450734e9effb2bafbfe •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23287 – irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
https://notcve.org/view.php?id=CVE-2026-23287
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: irqchip/sifive-plic: Fix frozen interrupt due to affinity setting PLIC ignores interrupt completion message for disabled interrupt, explained by the specification: The PLIC signals it has completed executing an interrupt handler by writing the interrupt ID it received from the claim to the claim/complete register. The PLIC does not check whether the completion ID is the same as the last claim ID for that target. If the completion ID does no... • https://git.kernel.org/stable/c/cc9f04f9a84f745949e325661550ed14bd0ff322 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23286 – atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
https://notcve.org/view.php?id=CVE-2026-23286
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix null-ptr-deref in lec_arp_clear_vccs syzkaller reported a null-ptr-deref in lec_arp_clear_vccs(). This issue can be easily reproduced using the syzkaller reproducer. In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc). When the underlying VCC is closed, lec_vcc_close() iterates over all ARP entries and calls lec_arp_clear_vccs() for ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •