CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31428 – netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
https://notcve.org/view.php?id=CVE-2026-31428
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_l... • https://git.kernel.org/stable/c/df6fb868d6118686805c2fa566e213a8f31c8e4f •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31427 – netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
https://notcve.org/view.php?id=CVE-2026-31427
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found. If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only u... • https://git.kernel.org/stable/c/4ab9e64e5e3c0516577818804aaf13a630d67bc9 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31423 – net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
https://notcve.org/view.php?id=CVE-2026-31423
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable `dsm` and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path: Oops: divide error: 0000 RIP: 001... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31417 – net/x25: Fix overflow when accumulating packets
https://notcve.org/view.php?id=CVE-2026-31417
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be resetted when purging `fragment_queue` in `x25_clear_queues()`. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31415 – ipv6: avoid overflows in ip6_datagram_send_ctl()
https://notcve.org/view.php?id=CVE-2026-31415
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when mult... • https://git.kernel.org/stable/c/333fad5364d6b457c8d837f7d05802d2aaf8a961 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31414 – netfilter: nf_conntrack_expect: use expect->helper
https://notcve.org/view.php?id=CVE-2026-31414
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack... • https://git.kernel.org/stable/c/847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31411 – net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
https://notcve.org/view.php?id=CVE-2026-31411
08 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31408 – Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
https://notcve.org/view.php?id=CVE-2026-31408
06 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hol... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-31407 – netfilter: conntrack: add missing netlink policy validations
https://notcve.org/view.php?id=CVE-2026-31407
06 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100... • https://git.kernel.org/stable/c/a258860e01b80e8f554a4ab1a6c95e6042eb8b73 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31405 – media: dvb-net: fix OOB access in ULE extension header tables
https://notcve.org/view.php?id=CVE-2026-31405
06 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be call... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •