CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2026-23238 – romfs: check sb_set_blocksize() return value
https://notcve.org/view.php?id=CVE-2026-23238
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=40... • https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2026-23237 – platform/x86: classmate-laptop: Add missing NULL pointer checks
https://notcve.org/view.php?id=CVE-2026-23237
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: Add missing NULL pointer checks In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it. For example, cmpc_accel_sensitivity_store_v4() is the "show" method of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(), before calling dev_set_drvdata() for inputdev->dev. If the sysfs at... • https://git.kernel.org/stable/c/993708fc18d0d0919db438361b4e8c1f980a8d1b •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2026-23236 – fbdev: smscufx: properly copy ioctl memory to kernelspace
https://notcve.org/view.php?id=CVE-2026-23236
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel. • https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2026-23235 – f2fs: fix out-of-bounds access in sysfs attribute read/write
https://notcve.org/view.php?id=CVE-2026-23235
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access in sysfs attribute read/write Some f2fs sysfs attributes suffer from out-of-bounds memory access and incorrect handling of integer values whose size is not 4 bytes. For example: vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out vm:~# cat /sys/fs/f2fs/vde/carve_out 65537 vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold 1 carve_out maps to {struct f2fs_sb_info... • https://git.kernel.org/stable/c/b59d0bae6ca30c496f298881616258f9cde0d9c6 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2026-23234 – f2fs: fix to avoid UAF in f2fs_write_end_io()
https://notcve.org/view.php?id=CVE-2026-23234
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As syzbot reported an use-after-free issue in f2fs_write_end_io(). It is caused by below race condition: loop device umount - worker_thread - loop_process_work - do_req_filebacked - lo_rw_aio - lo_rw_aio_complete - blk_mq_end_request - blk_update_request - f2fs_write_end_io - dec_page_count - folio_end_writeback - kill_f2fs_super - kill_block_super - f2fs_put_super : free(sbi) : get_pages(, F2FS... • https://git.kernel.org/stable/c/e234088758fca3a669ebb1a02d8bf7bf60f0e4ff •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-71238 – scsi: qla2xxx: Fix bsg_done() causing double free
https://notcve.org/view.php?id=CVE-2025-71238
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded... • https://git.kernel.org/stable/c/057a5bdc481e58ab853117254867ffb22caf9f6e •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-23231 – netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
https://notcve.org/view.php?id=CVE-2026-23231
04 Mar 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between. This creates two use-after-free conditions: 1) Control-plane: nf_tables_dump_cha... • https://git.kernel.org/stable/c/91c7b38dc9f0de4f7f444b796d14476bc12df7bc •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23227 – drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
https://notcve.org/view.php?id=CVE-2026-23227
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free Exynos Virtual Display driver performs memory alloc/free operations without lock protection, which easily causes concurrency problem. For example, use-after-free can occur in race scenario like this: ``` CPU0 CPU1 CPU2 ---- ---- ---- vidi_connection_ioctl() if (vidi->connection) // true drm_edid = drm_edid_alloc(); // alloc drm_edid ... • https://git.kernel.org/stable/c/d3b62dbfc7b9bb013926f56db79b60f6c18c392f •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23226 – ksmbd: add chann_lock to protect ksmbd_chann_list xarray
https://notcve.org/view.php?id=CVE-2026-23226
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: add chann_lock to protect ksmbd_chann_list xarray ksmbd_chann_list xarray lacks synchronization, allowing use-after-free in multi-channel sessions (between lookup_chann_list() and ksmbd_chann_del). Adds rw_semaphore chann_lock to struct ksmbd_session and protects all xa_load/xa_store/xa_erase accesses. • https://git.kernel.org/stable/c/1d9c4172110e645b383ff13eee759728d74f1a5d •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-23221 – bus: fsl-mc: fix use-after-free in driver_override_show()
https://notcve.org/view.php?id=CVE-2026-23221
18 Feb 2026 — In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free in driver_override_show() The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock. This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function. Fix this by holding the d... • https://git.kernel.org/stable/c/1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d •