CVSS: - EPSS: % CPEs: 6 EXPL: 0
CVE-2026-31428 – netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
https://notcve.org/view.php?id=CVE-2026-31428
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_l... • https://git.kernel.org/stable/c/df6fb868d6118686805c2fa566e213a8f31c8e4f •
CVSS: - EPSS: % CPEs: 6 EXPL: 0
CVE-2026-31427 – netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
https://notcve.org/view.php?id=CVE-2026-31427
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found. If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only u... • https://git.kernel.org/stable/c/4ab9e64e5e3c0516577818804aaf13a630d67bc9 •
CVSS: - EPSS: % CPEs: 6 EXPL: 0
CVE-2026-31424 – netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
https://notcve.org/view.php?id=CVE-2026-31424
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Weiming Shi says: xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all s... • https://git.kernel.org/stable/c/9291747f118d6404e509747b85ff5f6dfec368d2 •
CVSS: - EPSS: % CPEs: 6 EXPL: 0
CVE-2026-31423 – net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
https://notcve.org/view.php?id=CVE-2026-31423
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable `dsm` and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path: Oops: divide error: 0000 RIP: 001... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: - EPSS: % CPEs: 6 EXPL: 0
CVE-2026-31417 – net/x25: Fix overflow when accumulating packets
https://notcve.org/view.php?id=CVE-2026-31417
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be reset when purging `fragment_queue` in `x25_clear_queues()`. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: - EPSS: % CPEs: 10 EXPL: 0
CVE-2026-31416 – netfilter: nfnetlink_log: account for netlink header size
https://notcve.org/view.php?id=CVE-2026-31416
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size. This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects. • https://git.kernel.org/stable/c/9dfa1dfe4d5e5e66a991321ab08afe69759d797a •
CVSS: - EPSS: % CPEs: 6 EXPL: 0
CVE-2026-31415 – ipv6: avoid overflows in ip6_datagram_send_ctl()
https://notcve.org/view.php?id=CVE-2026-31415
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported: I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when mult... • https://git.kernel.org/stable/c/333fad5364d6b457c8d837f7d05802d2aaf8a961 •
CVSS: - EPSS: % CPEs: 6 EXPL: 0
CVE-2026-31414 – netfilter: nf_conntrack_expect: use expect->helper
https://notcve.org/view.php?id=CVE-2026-31414
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack... • https://git.kernel.org/stable/c/847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781 •
CVSS: - EPSS: 0% CPEs: 6 EXPL: 0
CVE-2026-31412 – usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
https://notcve.org/view.php?id=CVE-2026-31412
10 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()`, and the `common->data_size_... • https://git.kernel.org/stable/c/144974e7f9e32b53b02f6c8632be45d8f43d6ab5 •
CVSS: - EPSS: 0% CPEs: 8 EXPL: 0
CVE-2026-31411 – net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
https://notcve.org/view.php?id=CVE-2026-31411
08 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
