8.6
CVE-2026-23457 - netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. β¦
7.8
CVE-2026-23449 - net/sched: teql: Fix double-free in teql_master_xmit
In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes likeβ¦
0.0
CVE-2026-23468 - drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds alβ¦
5.5
CVE-2026-31400 - sunrpc: fix cache_request leak in cache_release
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks wβ¦
4.7
CVE-2026-31399 - nvdimm/bus: Fix potential use after free in asynchronous initialization
In the Linux kernel, the following vulnerability has been resolved: nvdimm/bus: Fix potential use after free in asynchronous initialization Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register(). Commit b6eae0f61db2 ("libnvdimm: Hold reference on parentβ¦
7.0
CVE-2026-31395 - bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] wβ¦
7.0
CVE-2026-31394 - mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr β¦
8.1
CVE-2026-31393 - Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that thβ¦
8.1
CVE-2026-31392 - smb: client: fix krb5 mount with username option
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the clientβ¦
5.5
CVE-2026-23475 - spi: fix statistics allocation
In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-poinβ¦