0.0
CVE-2026-23427 - ksmbd: fix use-after-free in durable v2 replay of active file handles
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in durable v2 replay of active file handles parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling a DURABLE_REQ_V2 context with SMB2_FLAGS_REPLAβ¦
7.0
CVE-2026-31403 - NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network β¦
7.0
CVE-2026-31395 - bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] wβ¦
7.0
CVE-2026-23441 - net/mlx5e: Prevent concurrent access to IPSec ASO context
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent concurrent access to IPSec ASO context The query or updating IPSec offload object is through Access ASO WQE. The driver uses a single mlx5e_ipsec_aso struct for each PF, which contains a shared DMA-mapped conteβ¦
7.0
CVE-2026-23461 - Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_rβ¦
5.5
CVE-2026-23465 - btrfs: log new dentries when logging parent dir of a conflicting inode
In the Linux kernel, the following vulnerability has been resolved: btrfs: log new dentries when logging parent dir of a conflicting inode If we log the parent directory of a conflicting inode, we are not logging the new dentries of the directory, so when we finish we have the parent directory's β¦
5.5
CVE-2026-23463 - soc: fsl: qbman: fix race condition in qman_destroy_fq
In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_crβ¦
4.7
CVE-2026-23440 - net/mlx5e: Fix race condition during IPSec ESN update
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race condition during IPSec ESN update In IPSec full offload mode, the device reports an ESN (Extended Sequence Number) wrap event to the driver. The driver validates this event by querying the IPSec ASO and checkiβ¦
7.0
CVE-2026-23451 - bonding: prevent potential infinite loop in bond_header_parse()
In the Linux kernel, the following vulnerability has been resolved: bonding: prevent potential infinite loop in bond_header_parse() bond_header_parse() can loop if a stack of two bonding devices is setup, because skb->dev always points to the hierarchy top. Add new "const struct net_device *dev"β¦
5.5
CVE-2026-23418 - drm/xe/reg_sr: Fix leak on xa_store failure
In the Linux kernel, the following vulnerability has been resolved: drm/xe/reg_sr: Fix leak on xa_store failure Free the newly allocated entry when xa_store() fails to avoid a memory leak on the error path. v2: use goto fail_free. (Bala) (cherry picked from commit 6bc6fec71ac45f52db609af4e62bdbβ¦