CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-23013 – net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
https://notcve.org/view.php?id=CVE-2026-23013
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or cras... • https://git.kernel.org/stable/c/1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1 •
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-23011 – ipv4: ip_gre: make ipgre_header() robust
https://notcve.org/view.php?id=CVE-2026-23011
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust. Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust"). Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers' ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len. In this particular crash, mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was c... • https://git.kernel.org/stable/c/c54419321455631079c7d6e60bc732dd0c5914c5 •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-23010 – ipv6: Fix use-after-free in inet6_addr_del().
https://notcve.org/view.php?id=CVE-2026-23010
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807... • https://git.kernel.org/stable/c/cb74207ef98317f8874a0b9780bb339c2eb700b0 •
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2026-23007 – block: zero non-PI portion of auto integrity buffer
https://notcve.org/view.php?id=CVE-2026-23007
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: block: zero non-PI portion of auto integrity buffer The auto-generated integrity buffer for writes needs to be fully initialized before being passed to the underlying block device, otherwise the uninitialized memory can be read back by userspace or anyone with physical access to the storage device. If protection information is generated, that portion of the integrity buffer is already initialized. The integrity data is also zeroed if PI gen... • https://git.kernel.org/stable/c/c546d6f438338017480d105ab597292da67f6f6a •
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-23006 – ASoC: tlv320adcx140: fix null pointer
https://notcve.org/view.php?id=CVE-2026-23006
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv". • https://git.kernel.org/stable/c/4e82971f7b556cff3491c867e8840e7d788693b9 •
CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-23005 – x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
https://notcve.org/view.php?id=CVE-2026-23005
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRST... • https://git.kernel.org/stable/c/820a6ee944e74e57255ac2e90916ecdaade57b95 •
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2026-23004 – dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
https://notcve.org/view.php?id=CVE-2026-23004
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1]. Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well.

    static inline void INIT_LIST_HEAD(struct list_head *list)
    {
        WRITE_ONCE(list->next, list); // This went well
        WRITE_ONCE(list->prev, list); // Crash, @list has...

• https://git.kernel.org/stable/c/78df76a065ae3b5dbcb9a29912adc02f697de498 •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-23003 – ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
https://notcve.org/view.php?id=CVE-2026-23003
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 includ... • https://git.kernel.org/stable/c/8d975c15c0cd744000ca386247432d57b21f9df0 •
CVSS: 7.2 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-23001 – macvlan: fix possible UAF in macvlan_forward_source()
https://notcve.org/view.php?id=CVE-2026-23001
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https://lore.kernel.org/netd... • https://git.kernel.org/stable/c/79cf79abce71eb7dbc40e2f3121048ca5405cb47 •
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-23000 – net/mlx5e: Fix crash on profile change rollback failure
https://notcve.org/view.php?id=CVE-2026-23000
25 Jan 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure mlx5e_netdev_change_profile can fail to attach a new profile and can fail to roll back to the old profile; in such a case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. another attempt to call mlx5e_netdev_change_profile via switchdev mode change, will crash trying to access the now NULL priv->mdev. This fix allows mlx5e_netdev_change_p... • https://git.kernel.org/stable/c/c4d7eb57687f358cd498ea3624519236af8db97e •
