CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23405 – apparmor: fix: limit the number of levels of policy namespaces
https://notcve.org/view.php?id=CVE-2026-23405
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix: limit the number of levels of policy namespaces Currently the number of policy namespaces is not bounded relying on the user namespace limit. However policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep which can be used to exhaust system resource. Hard cap policy namespaces to the same depth as user namespaces. • https://git.kernel.org/stable/c/c88d4c7b049e87998ac0a9f455aa545cc895ef92 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23404 – apparmor: replace recursive profile removal with iterative approach
https://notcve.org/view.php?id=CVE-2026-23404
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: replace recursive profile removal with iterative approach The profile removal code uses recursion when removing nested profiles, which can lead to kernel stack exhaustion and system crashes. Reproducer: $ pf='a'; for ((i=0; i<1024; i++)); do echo -e "profile $pf { \n }" | apparmor_parser -K -a; pf="$pf//x"; done $ echo -n a > /sys/kernel/security/apparmor/.remove Replace the recursive __aa_profile_list_release() approach with an i... • https://git.kernel.org/stable/c/c88d4c7b049e87998ac0a9f455aa545cc895ef92 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23403 – apparmor: fix memory leak in verify_header
https://notcve.org/view.php?id=CVE-2026-23403
01 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: apparmor: fix memory leak in verify_header The function sets `*ns = NULL` on every call, leaking the namespace string allocated in previous iterations when multiple profiles are unpacked. This also breaks namespace consistency checking since *ns is always NULL when the comparison is made. Remove the incorrect assignment. The caller (aa_unpack) initializes *ns to NULL once before the loop, which is sufficient. • https://git.kernel.org/stable/c/dd51c84857630e77c139afe4d9bba65fc051dc3f •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23398 – icmp: fix NULL pointer dereference in icmp_tag_validation()
https://notcve.org/view.php?id=CVE-2026-23398
26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing a... • https://git.kernel.org/stable/c/8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23397 – nfnetlink_osf: validate individual option lengths in fingerprints
https://notcve.org/view.php?id=CVE-2026-23397
26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000... • https://git.kernel.org/stable/c/11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23396 – wifi: mac80211: fix NULL deref in mesh_matches_local()
https://notcve.org/view.php?id=CVE-2026-23396
26 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parsed action-frame elements may not contain a Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a kernel NULL pointer dereference. The other two callers are already safe: - ieee80211_mesh_rx_bcn_presp() checks !elems->mes... • https://git.kernel.org/stable/c/2e3c8736820bf72a8ad10721c7e31d36d4fa7790 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23391 – netfilter: xt_CT: drop pending enqueued packets on template removal
https://notcve.org/view.php?id=CVE-2026-23391
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal. - timeout policy, nfnetlink_cttimeout might remove it. The use of templates with zone and event cache filter are safe, since this just copies values. Flush these enqueued packets in case the template rule gets removed. • https://git.kernel.org/stable/c/24de58f465165298aaa8f286b2592f0163706cfe •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23388 – Squashfs: check metadata block offset is within range
https://notcve.org/view.php?id=CVE-2026-23388
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset. This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access. The fix is to check that the offset is within range in squashfs_read_meta... • https://git.kernel.org/stable/c/f400e12656ab518be107febfe2315fb1eab5a342 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23382 – HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
https://notcve.org/view.php?id=CVE-2026-23382
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), we handle the fact that raw event callbacks can happen even for a HID device that has not been "claimed" causing a crash if a broken device were attempted to be connected to the system. Fix up the remaining in-tree HID drivers that forgot to add this same check to resolve the same... • https://git.kernel.org/stable/c/d0742abaa1c396a26bb3d3ce2732988cd3faa020 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-23374 – blktrace: fix __this_cpu_read/write in preemptible context
https://notcve.org/view.php?id=CVE-2026-23374
25 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: blktrace: fix __this_cpu_read/write in preemptible context tracing_record_cmdline() internally uses __this_cpu_read() and __this_cpu_write() on the per-CPU variable trace_cmdline_save, and trace_save_cmdline() explicitly asserts preemption is disabled via lockdep_assert_preemption_disabled(). These operations are only safe when preemption is off, as they were designed to be called from the scheduler context (probe_wakeup_sched_switch() / pr... • https://git.kernel.org/stable/c/7ffbd48d5cab22bcd1120eb2349db1319e2d827a •