0.0
CVE-2026-23469 - drm/imagination: Synchronize interrupts before suspending the GPU
In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Synchronize interrupts before suspending the GPU The runtime PM suspend callback doesn't know whether the IRQ handler is in progress on a different CPU core and doesn't wait for it to finish. Depending on timingβ¦
7.8
CVE-2026-23466 - drm/xe: Open-code GGTT MMIO access protection
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Open-code GGTT MMIO access protection GGTT MMIO access is currently protected by hotplug (drm_dev_enter), which works correctly when the driver loads successfully and is later unbound or unloaded. However, if driver load β¦
5.5
CVE-2026-23465 - btrfs: log new dentries when logging parent dir of a conflicting inode
In the Linux kernel, the following vulnerability has been resolved: btrfs: log new dentries when logging parent dir of a conflicting inode If we log the parent directory of a conflicting inode, we are not logging the new dentries of the directory, so when we finish we have the parent directory's β¦
0.0
CVE-2026-23464 - soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()
In the Linux kernel, the following vulnerability has been resolved: soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe() In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails, the function returns immediately without freeing the allocated memory for sys_controller, β¦
5.5
CVE-2026-23463 - soc: fsl: qbman: fix race condition in qman_destroy_fq
In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_crβ¦
8.8
CVE-2026-23461 - Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user After commit ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del"), l2cap_conn_del() uses conn->lock to protect access to conn->users. However, l2cap_rβ¦
8.2
CVE-2026-23456 - netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. β¦
9.1
CVE-2026-23455 - netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing iβ¦
7.8
CVE-2026-23447 - net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb lengthβ¦
5.5
CVE-2026-23446 - net: usb: aqc111: Do not perform PM inside suspend callback
In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: β¦