CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23242 – RDMA/siw: Fix potential NULL pointer dereference in header processing
https://notcve.org/view.php?id=CVE-2026-23242
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer dereference in header processing If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present. KASAN splat: [ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 10... • https://git.kernel.org/stable/c/8b6a361b8c482f22ac99c3273285ff16b23fba91 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71267 – fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST
https://notcve.org/view.php?id=CVE-2025-71267
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it. When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al... • https://git.kernel.org/stable/c/be71b5cba2e6485e8959da7a9f9a44461a1bb074 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71266 – fs: ntfs3: check return value of indx_find to avoid infinite loop
https://notcve.org/view.php?id=CVE-2025-71266
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: check return value of indx_find to avoid infinite loop We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() ... • https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71265 – fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
https://notcve.org/view.php?id=CVE-2025-71265
18 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and r... • https://git.kernel.org/stable/c/be71b5cba2e6485e8959da7a9f9a44461a1bb074 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23240 – tls: Fix race condition in tls_sw_cancel_work_tx()
https://notcve.org/view.php?id=CVE-2026-23240
10 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0 cpu1 tls_sk_proto_close() tls_sw_cancel_work_tx() tls_... • https://git.kernel.org/stable/c/f87e62d45e51b12d48d2cb46b5cde8f83b866bc4 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23239 – espintcp: Fix race condition in espintcp_close()
https://notcve.org/view.php?id=CVE-2026-23239
10 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: espintcp: Fix race condition in espintcp_close() This issue was discovered during a code audit. After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the espintcp_tx_work() worker may dereference a freed espintcp ctx or sk. The following is a simple race scenario: cpu0 cpu1 espintcp_close() cancel_work_sync(&ctx->work); espint... • https://git.kernel.org/stable/c/e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23238 – romfs: check sb_set_blocksize() return value
https://notcve.org/view.php?id=CVE-2026-23238
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=40... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23237 – platform/x86: classmate-laptop: Add missing NULL pointer checks
https://notcve.org/view.php?id=CVE-2026-23237
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: Add missing NULL pointer checks In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it. For example, cmpc_accel_sensitivity_store_v4() is the "show" method of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(), before calling dev_set_drvdata() for inputdev->dev. If the sysfs at... • https://git.kernel.org/stable/c/529aa8cb0a59367d08883f818e8c47028e819d0d •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23236 – fbdev: smscufx: properly copy ioctl memory to kernelspace
https://notcve.org/view.php?id=CVE-2026-23236
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel. • https://git.kernel.org/stable/c/3c8a63e22a0802fd56380f6ab305b419f18eb6f5 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23235 – f2fs: fix out-of-bounds access in sysfs attribute read/write
https://notcve.org/view.php?id=CVE-2026-23235
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access in sysfs attribute read/write Some f2fs sysfs attributes suffer from out-of-bounds memory access and incorrect handling of integer values whose size is not 4 bytes. For example: vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out vm:~# cat /sys/fs/f2fs/vde/carve_out 65537 vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold 1 carve_out maps to {struct f2fs_sb_info... • https://git.kernel.org/stable/c/b59d0bae6ca30c496f298881616258f9cde0d9c6 •