Linux Kernel Patches Two Notable Vulnerabilities in February 2026

Linux Kernel Patches Two Notable Vulnerabilities in February 2026

February 20, 2026 — The Linux kernel security team published fixes this month for two newly disclosed vulnerabilities affecting the WWAN subsystem and the DAMON memory monitoring interface.

Both CVEs were reserved in January 2026 and officially published on February 14, 2026. Linux system administrators are advised to review their distributions’ security advisories and apply relevant updates.

CVE-2026-23172: Fragment Array Overflow in t7xx WWAN Driver

The first vulnerability, tracked as CVE-2026-23172, resides in the t7xx WWAN PCIe driver — the kernel driver developed for Linux and Chrome OS platforms to support data exchange with MediaTek’s T700 5G modem over a PCIe interface.

The flaw was identified through static code analysis. In the DPMAIF receive path, the function t7xx_dpmaif_set_frag_to_skb() adds page fragments to a socket buffer (skb) without first verifying that the number of fragments has not exceeded MAX_SKB_FRAGS — the kernel’s hard limit on how many fragments an skb structure can hold. If this limit is exceeded, the write overflows into the skb_shinfo(skb)->frags[] array, corrupting adjacent kernel memory. The consequences can range from a kernel crash to other undefined behavior.

Researchers who identified the issue noted a parallel with a similar bug fixed in the mt76 Wi-Fi driver. The comparison underscored that the kernel should not unconditionally trust firmware behavior: while standard protocol conditions (MTU of 3,080 bytes, BAT buffer of 3,584 bytes) would not normally cause excessive fragmentation, malicious, buggy, or compromised modem firmware could craft packets designed to trigger the overflow.

The fix adds a bounds check before skb_add_rx_frag() is called, ensuring that nr_frags does not exceed MAX_SKB_FRAGS. The check is deliberately placed before DMA unmapping to prevent a page leak or a double DMA unmap during device teardown. Patches have been merged into multiple stable kernel branches.

Systems affected: Linux systems and Chromebooks using the MediaTek T700 5G modem with the t7xx PCIe driver. No CVSS score has been formally assigned at this time, and there are no reports of active exploitation in the wild.

CVE-2026-23142: Memory Leak in DAMON Sysfs Directory Cleanup

The second vulnerability, CVE-2026-23142, is a memory management bug in the DAMON (Data Access MONitor) subsystem, specifically in its sysfs interface (mm/damon/sysfs-schemes.c).

DAMON is a Linux kernel feature that monitors memory access patterns and supports policy-driven memory management. It exposes a configuration interface under /sys/kernel/mm/damon/. The vulnerability occurs during the setup of a DAMOS-scheme directory: if the setup process fails after the access_pattern/ subdirectory has already been created, the subdirectories under access_pattern/ are not properly cleaned up. Two consequences follow: the memory allocated for those unremoved directories is leaked, and the DAMON sysfs interface is left in a broken state — effectively inaccessible — until the system is rebooted.

It is important to characterize this vulnerability accurately. It is not a persistent background memory drain or a remote-attack vector. It is triggered on a specific error path during setup, and its primary impact is localized: memory is leaked when directory setup fails, and the sysfs management interface for DAMON is disrupted. On systems that rely heavily on DAMON for workload optimization or memory management automation, this could cause operational disruption.

The fix cleans up the access_pattern/ subdirectories when the parent scheme directory setup encounters an error, ensuring proper teardown on all code paths. Patches have been merged into multiple stable branches.

Systems affected: Linux systems using the DAMON subsystem (enabled via CONFIG_DAMON_SYSFS). Severity is moderate; no active exploitation has been reported.

What About CVE-2026-23084?

Some early reporting has referenced a third CVE — CVE-2026-23084 — described as a null pointer dereference in the be2net network driver. At the time of publication, this CVE could not be independently verified through official sources including the NVD, kernel.org, or major distribution security advisories. Administrators should treat claims about this CVE with caution and await confirmation from authoritative sources before acting on them.

Broader Context: Linux Kernel CVE Volume Is Rising

These two vulnerabilities arrive against a backdrop of significantly increasing Linux kernel CVE disclosures. Since the Linux kernel team became a CVE Numbering Authority (CNA) in 2024, the rate of disclosure has accelerated sharply — reaching thousands of CVEs per year. The vast majority are low-severity bugs addressed through routine patching, but the sheer volume creates a triage burden for security and operations teams.

Neither CVE-2026-23172 nor CVE-2026-23142 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and neither carries confirmed public proof-of-concept exploit code at this time.

Recommendations for Administrators

Check your kernel version and loaded drivers. Use uname -r and lsmod to confirm whether the t7xx WWAN driver or DAMON sysfs support is active on your systems.
Consult your distribution’s security advisories. Upstream patches exist for both CVEs; the specific package updates will vary by distribution (Ubuntu, Debian, RHEL, SUSE, etc.).
Prioritize systems with 5G WWAN modules. CVE-2026-23172 is relevant primarily to endpoints and embedded Linux systems using the MediaTek T700 modem with the t7xx PCIe driver.
Apply kernel updates as part of regular patch cycles. Neither CVE is currently assessed as critical or known to be exploited, but timely patching remains best practice.
Do not rely on unverified CVE descriptions. As the volume of kernel CVEs grows, inaccurate secondary reporting also increases. Always verify vulnerability details against primary sources such as the NVD, kernel.org git logs, and your distribution vendor’s security bulletins.