CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23392 – netfilter: nf_tables: release flowtable after rcu grace period on error
https://notcve.org/view.php?id=CVE-2026-23392
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane. This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_... • https://git.kernel.org/stable/c/3b49e2e94e6ebb8b23d0955d9e898254455734f8 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23391 – netfilter: xt_CT: drop pending enqueued packets on template removal
https://notcve.org/view.php?id=CVE-2026-23391
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal. - timeout policy, nfnetlink_cttimeout might remove it. The use of templates with zone and event cache filter are safe, since this just copies values. Flush these enqueued packets in case the template rule gets removed. • https://git.kernel.org/stable/c/24de58f465165298aaa8f286b2592f0163706cfe •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23389 – ice: Fix memory leak in ice_set_ringparam()
https://notcve.org/view.php?id=CVE-2026-23389
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: ice: Fix memory leak in ice_set_ringparam() In ice_set_ringparam, tx_rings and xdp_rings are allocated before rx_rings. If the allocation of rx_rings fails, the code jumps to the done label leaking both tx_rings and xdp_rings. Furthermore, if the setup of an individual Rx ring fails during the loop, the code jumps to the free_tx label which releases tx_rings but leaks xdp_rings. Fix this by introducing a free_xdp label and updating the erro... • https://git.kernel.org/stable/c/fcea6f3da546b93050f3534aadea7bd96c1d7349 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23388 – Squashfs: check metadata block offset is within range
https://notcve.org/view.php?id=CVE-2026-23388
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset. This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access. The fix is to check that the offset is within range in squashfs_read_meta... • https://git.kernel.org/stable/c/f400e12656ab518be107febfe2315fb1eab5a342 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23382 – HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
https://notcve.org/view.php?id=CVE-2026-23382
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), we handle the fact that raw event callbacks can happen even for a HID device that has not been "claimed" causing a crash if a broken device were attempted to be connected to the system. Fix up the remaining in-tree HID drivers that forgot to add this same check to resolve the same... • https://git.kernel.org/stable/c/d0742abaa1c396a26bb3d3ce2732988cd3faa020 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23381 – net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
https://notcve.org/view.php?id=CVE-2026-23381
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. Then, if neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will dereference ipv6_stub->nd_tbl which is NULL, passing it to neigh_lookup(). This causes a kernel NULL... • https://git.kernel.org/stable/c/ed842faeb2bd49256f00485402f3113205f91d30 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23378 – net/sched: act_ife: Fix metalist update behavior
https://notcve.org/view.php?id=CVE-2026-23378
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: Fix metalist update behavior Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being innapropriate behavior, this may lead to an unbounded addition of metadata to the metalist which might cause an out of bounds error when running the encode op: [ 138.423369][ C1] ===========================================... • https://git.kernel.org/stable/c/aa9fd9a325d51fa0b11153b03b8fefff569fa955 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23374 – blktrace: fix __this_cpu_read/write in preemptible context
https://notcve.org/view.php?id=CVE-2026-23374
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: blktrace: fix __this_cpu_read/write in preemptible context tracing_record_cmdline() internally uses __this_cpu_read() and __this_cpu_write() on the per-CPU variable trace_cmdline_save, and trace_save_cmdline() explicitly asserts preemption is disabled via lockdep_assert_preemption_disabled(). These operations are only safe when preemption is off, as they were designed to be called from the scheduler context (probe_wakeup_sched_switch() / pr... • https://git.kernel.org/stable/c/7ffbd48d5cab22bcd1120eb2349db1319e2d827a •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23372 – nfc: rawsock: cancel tx_work before socket teardown
https://notcve.org/view.php?id=CVE-2026-23372
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: rawsock: cancel tx_work before socket teardown In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and calls nfc_data_exchange which dereferences the NCI device. Without synchronization, tx_work can race with socket and device teardown when a process is killed (e.g. by SIGKILL), leading to use-after-free or leaked references. Set SEND_SHUTD... • https://git.kernel.org/stable/c/23b7869c0fd08d73c9f83a2db88a13312d6198bb •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-23371 – sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting
https://notcve.org/view.php?id=CVE-2026-23371
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting Running stress-ng --schedpolicy 0 on an RT kernel on a big machine might lead to the following WARNINGs (edited). sched: DL de-boosted task PID 22725: REPLENISH flag missing WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8 ... (running_bw underflow) Call trace: dequeue_task_dl+0x15c/0x1f8 (P) dequeue_task+0x80/0x168 deactivate_task+0x24/0x5... • https://git.kernel.org/stable/c/2279f540ea7d05f22d2f0c4224319330228586bc •