7.1
CVE-2026-23327 - cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()
In the Linux kernel, the following vulnerability has been resolved: cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() cxl_payload_from_user_allowed() casts and dereferences the input payload without first verifying its size. When a raw mailbox command isβ¦
5.5
CVE-2026-23304 - ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcβ¦
5.5
CVE-2026-23313 - i40e: Fix preempt count leak in napi poll tracepoint
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix preempt count leak in napi poll tracepoint Using get_cpu() in the tracepoint assignment causes an obvious preempt count leak because nothing invokes put_cpu() to undo it: softirq: huh, entered softirq 3 NET_RX with pβ¦
7.8
CVE-2026-23343 - xdp: produce a warning when calculated tailroom is negative
In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely bpf_xdp_frags_increase_tail(), cleaβ¦
5.5
CVE-2026-23341 - accel/amdxdna: Fix crash when destroying a suspended hardware context
In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix crash when destroying a suspended hardware context If userspace issues an ioctl to destroy a hardware context that has already been automatically suspended, the driver may crash because the mailbox channel poinβ¦
5.5
CVE-2026-23321 - mptcp: pm: in-kernel: always mark signal+subflow endp as used
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always mark signal+subflow endp as used Syzkaller managed to find a combination of actions that was generating this warning: msk->pm.local_addr_used == 0 WARNING: net/mptcp/pm_kernel.c:1071 at __mark_suβ¦
7.0
CVE-2026-23320 - kernel: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
5.5
CVE-2026-23389 - ice: Fix memory leak in ice_set_ringparam()
In the Linux kernel, the following vulnerability has been resolved: ice: Fix memory leak in ice_set_ringparam() In ice_set_ringparam, tx_rings and xdp_rings are allocated before rx_rings. If the allocation of rx_rings fails, the code jumps to the done label leaking both tx_rings and xdp_rings. Fuβ¦
5.5
CVE-2026-23335 - RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() struct irdma_create_ah_resp { // 8 bytes, no padding __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx) __u8 rsvd[4]; β¦
5.5
CVE-2026-23373 - wifi: rsi: Don't default to -EOPNOTSUPP in rsi_mac80211_config
In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Don't default to -EOPNOTSUPP in rsi_mac80211_config This triggers a WARN_ON in ieee80211_hw_conf_init and isn't the expected behavior from the driver - other drivers default to 0 too.