CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31512 – Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
https://notcve.org/view.php?id=CVE-2026-31512
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu,... • https://git.kernel.org/stable/c/aac23bf636593cc2d67144aed373a46a1a5f76b1 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31510 – Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
https://notcve.org/view.php?id=CVE-2026-31510
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb Before using sk pointer, check if it is null. Fix the following: KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267] CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025 Workqueue: events l2cap_info_timeout RIP: 0010:kasan_byte_accessi... • https://git.kernel.org/stable/c/54a59aa2b562872781d6a8fc89f300d360941691 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31509 – nfc: nci: fix circular locking dependency in nci_close_device
https://notcve.org/view.php?id=CVE-2026-31509
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nci_close_device nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too: nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock) Move ... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 • CWE-667: Improper Locking •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31507 – net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
https://notcve.org/view.php?id=CVE-2026-31507
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores the pointer in pipe_buffer.private. The pipe_buf_operations for these buffers used .get = generic_pipe_buf_get, which only increments the page reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv pointer itself was not handled, so after tee() both the original and the clone... • https://git.kernel.org/stable/c/9014db202cb764b8e14c53e7bacc81f9a1a2ba7f • CWE-415: Double Free •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31504 – net: fix fanout UAF in packet_release() via NETDEV_UP race
https://notcve.org/view.php?id=CVE-2026-31504
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches... • https://git.kernel.org/stable/c/ce06b03e60fc19c680d1bf873e779bf11c2fc518 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31503 – udp: Fix wildcard bind conflict check when using hash2
https://notcve.org/view.php?id=CVE-2026-31503
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: udp: Fix wildcard bind conflict check when using hash2 When binding a udp_sock to a local address and port, UDP uses two hashes (udptable->hash and udptable->hash2) for collision detection. The current code switches to "hash2" when hslot->count > 10. "hash2" is keyed by local address and local port. "hash" is keyed by local port only. The issue can be shown in the following bind sequence (pseudo code): bind(fd1, "[fd00::1]:8888") bind(fd2, ... • https://git.kernel.org/stable/c/30fff9231fad757c061285e347b33c5149c2c2e4 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31502 – team: fix header_ops type confusion with non-Ethernet ports
https://notcve.org/view.php?id=CVE-2026-31502
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: team: fix header_ops type confusion with non-Ethernet ports Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion. For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so... • https://git.kernel.org/stable/c/1d76efe1577b4323609b1bcbfafa8b731eda071a • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31500 – Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
https://notcve.org/view.php?id=CVE-2026-31500
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the respons... • https://git.kernel.org/stable/c/973bb97e5aee56edddaae3d5c96877101ad509c0 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 13EXPL: 0CVE-2026-31498 – Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
https://notcve.org/view.php?id=CVE-2026-31498
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED state to support L2CAP reconfiguration (e.g. MTU changes). However, since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from the initial configuration, the reconfiguration path falls through to l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing the p... • https://git.kernel.org/stable/c/96298f640104e4cd9a913a6e50b0b981829b94ff • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31497 – Bluetooth: btusb: clamp SCO altsetting table indices
https://notcve.org/view.php?id=CVE-2026-31497
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: clamp SCO altsetting table indices btusb_work() maps the number of active SCO links to USB alternate settings through a three-entry lookup table when CVSD traffic uses transparent voice settings. The lookup currently indexes alts[] with data->sco_num - 1 without first constraining sco_num to the number of available table entries. While the table only defines alternate settings for up to three SCO links, data->sco_num comes... • https://git.kernel.org/stable/c/baac6276c0a9f36f1fe1f00590ef00d2ba5ba626 •