CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23011 – ipv4: ip_gre: make ipgre_header() robust
https://notcve.org/view.php?id=CVE-2026-23011
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was c... • https://git.kernel.org/stable/c/c54419321455631079c7d6e60bc732dd0c5914c5 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23004 – dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
https://notcve.org/view.php?id=CVE-2026-23004
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has... • https://git.kernel.org/stable/c/78df76a065ae3b5dbcb9a29912adc02f697de498 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23003 – ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
https://notcve.org/view.php?id=CVE-2026-23003
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 includ... • https://git.kernel.org/stable/c/8d975c15c0cd744000ca386247432d57b21f9df0 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23001 – macvlan: fix possible UAF in macvlan_forward_source()
https://notcve.org/view.php?id=CVE-2026-23001
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netd... • https://git.kernel.org/stable/c/79cf79abce71eb7dbc40e2f3121048ca5405cb47 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23000 – net/mlx5e: Fix crash on profile change rollback failure
https://notcve.org/view.php?id=CVE-2026-23000
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure mlx5e_netdev_change_profile can fail to attach a new profile and can fail to rollback to old profile, in such case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. another attempt to call mlx5e_netdev_change_profile via switchdev mode change, will crash trying to access the now NULL priv->mdev. This fix allows mlx5e_netdev_change_p... • https://git.kernel.org/stable/c/c4d7eb57687f358cd498ea3624519236af8db97e •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-22999 – net/sched: sch_qfq: do not free existing class in qfq_change_class()
https://notcve.org/view.php?id=CVE-2026-22999
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdis... • https://git.kernel.org/stable/c/462dbc9101acd38e92eda93c0726857517a24bbd •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2026-22998 – nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
https://notcve.org/view.php?id=CVE-2026-22998
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() func... • https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-22997 – net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
https://notcve.org/view.php?id=CVE-2026-22997
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as | unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. p... • https://git.kernel.org/stable/c/9d71dd0c70099914fcd063135da3c580865e924c •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-22996 – net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
https://notcve.org/view.php?id=CVE-2026-22996
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev directly into mlx5e_dev and get mdev from the containing mlx5_adev aux device structure. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to cha... • https://git.kernel.org/stable/c/c4d7eb57687f358cd498ea3624519236af8db97e •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-71163 – dmaengine: idxd: fix device leaks on compat bind and unbind
https://notcve.org/view.php?id=CVE-2025-71163
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. • https://git.kernel.org/stable/c/6e7f3ee97bbe2c7d7a53b7dbd7a08a579e03c8c9 •