CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2026-31687 – gpio: omap: do not register driver in probe()
https://notcve.org/view.php?id=CVE-2026-31687
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: gpio: omap: do not register driver in probe() Commit 11a78b794496 ("ARM: OMAP: MPUIO wake updates") registers the omap_mpuio_driver from omap_mpuio_init(), which is called from omap_gpio_probe(). However, it neither makes sense to register drivers from probe() callbacks of other drivers, nor does the driver core allow registering drivers with a device lock already being held. The latter was revealed by commit dc23806a7c47 ("driver core: enf... • https://git.kernel.org/stable/c/11a78b7944963a8b052be46108d07a3ced9e2762 •
CVSS: 9.4EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31685 – netfilter: ip6t_eui64: reject invalid MAC header for all packets
https://notcve.org/view.php?id=CVE-2026-31685
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31681 – netfilter: xt_multiport: validate range encoding in checkentry
https://notcve.org/view.php?id=CVE-2026-31681
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_multiport: validate range encoding in checkentry ports_match_v1() treats any non-zero pflags entry as the start of a port range and unconditionally consumes the next ports[] element as the range end. The checkentry path currently validates protocol, flags and count, but it does not validate the range encoding itself. As a result, malformed rules can mark the last slot as a range start or place two range starts back to back, le... • https://git.kernel.org/stable/c/a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31676 – rxrpc: only handle RESPONSE during service challenge
https://notcve.org/view.php?id=CVE-2026-31676
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup pat... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31675 – net/sched: sch_netem: fix out-of-bounds access in packet corruption
https://notcve.org/view.php?id=CVE-2026-31675
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using... • https://git.kernel.org/stable/c/c865e5d99e25a171e8262fc0f7ba608568633c64 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31674 – netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
https://notcve.org/view.php?id=CVE-2026-31674
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31671 – xfrm_user: fix info leak in build_report()
https://notcve.org/view.php?id=CVE-2026-31671
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_report() struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector which means there is three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables. • https://git.kernel.org/stable/c/97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31667 – Input: uinput - fix circular locking dependency with ff-core
https://notcve.org/view.php?id=CVE-2026-31667
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: uinput - fix circular locking dependency with ff-core A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN RING under Wine with a Flydigi Vader 5 controller): ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex The cycle is caused by four lock acquisition paths: 1. ff upload: input_ff_upload() holds ff->mutex and calls ui... • https://git.kernel.org/stable/c/ff462551235d8d7d843a005950bc90924fcedede • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31664 – xfrm: clear trailing padding in build_polexpire()
https://notcve.org/view.php?id=CVE-2026-31664
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in build_polexpire() build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31637 – rxrpc: reject undecryptable rxkad response tickets
https://notcve.org/view.php?id=CVE-2026-31637
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKAD... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •