CVSS: 8.1 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31464 – scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
https://notcve.org/view.php?id=CVE-2026-31464
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access k... • https://git.kernel.org/stable/c/072b91f9c6510d0ec4a49d07dbc318760c7da7b3 •
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-31462 – drm/amdgpu: prevent immediate PASID reuse case
https://notcve.org/view.php?id=CVE-2026-31462
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: prevent immediate PASID reuse case PASID reuse could cause interrupt issue when process immediately runs into hw state left by previous process exited with the same PASID, it's possible that page faults are still pending in the IH ring buffer when the process exits and frees up its PASID. To prevent the case, it uses idr cyclic allocator same as kernel pid's. (cherry picked from commit 8f1de51f49be692de137c8525106e0fce2d1912d) • https://git.kernel.org/stable/c/02208441cc3a5110191996bb129db39ff10e7395 •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31455 – xfs: stop reclaim before pushing AIL during unmount
https://notcve.org/view.php?id=CVE-2026-31455
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: stop reclaim before pushing AIL during unmount The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while background reclaim and inodegc are still running. This is broken independently of any use-after-free issues - background reclaim and inodegc should not be running while the AIL is being pushed during unmount, as inodegc can dirty and insert inodes into the AIL during the flush, and background reclaim can race to abort ... • https://git.kernel.org/stable/c/90c60e16401248a4900f3f9387f563d0178dcf34 •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31454 – xfs: save ailp before dropping the AIL lock in push callbacks
https://notcve.org/view.php?id=CVE-2026-31454
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: save ailp before dropping the AIL lock in push callbacks In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free. Fix this by saving the ailp pointer in a local vari... • https://git.kernel.org/stable/c/90c60e16401248a4900f3f9387f563d0178dcf34 •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31453 – xfs: avoid dereferencing log items after push callbacks
https://notcve.org/view.php?id=CVE-2026-31453
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: avoid dereferencing log items after push callbacks After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns. Fix this by capturing the log item type, flags, and LSN before calling... • https://git.kernel.org/stable/c/90c60e16401248a4900f3f9387f563d0178dcf34 •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31452 – ext4: convert inline data to extents when truncate exceeds inline size
https://notcve.org/view.php?id=CVE-2026-31452
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: convert inline data to extents when truncate exceeds inline size Add a check in ext4_setattr() to convert files from inline data storage to extent-based storage when truncate() grows the file size beyond the inline capacity. This prevents the filesystem from entering an inconsistent state where the inline data flag is set but the file size exceeds what can be stored inline. Without this fix, the following sequence causes a kernel BUG_... • https://git.kernel.org/stable/c/67cf5b09a46f72e048501b84996f2f77bc42e947 •
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-31451 – ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio
https://notcve.org/view.php?id=CVE-2026-31451
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio Replace BUG_ON() with proper error handling when inline data size exceeds PAGE_SIZE. This prevents kernel panic and allows the system to continue running while properly reporting the filesystem corruption. The error is logged via ext4_error_inode(), the buffer head is released to prevent memory leak, and -EFSCORRUPTED is returned to indicate filesystem corruption. • https://git.kernel.org/stable/c/46c7f254543dedcf134ad05091ed2b935a9a597d •
CVSS: 8.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31450 – ext4: publish jinode after initialization
https://notcve.org/view.php?id=CVE-2026-31450
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: publish jinode after initialization ext4_inode_attach_jinode() publishes ei->jinode to concurrent users. It used to set ei->jinode before jbd2_journal_init_jbd_inode(), allowing a reader to observe a non-NULL jinode with i_vfs_inode still unset. The fast commit flush path can then pass this jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may crash. Below is the crash I observe: ``` BUG: unable to handle... • https://git.kernel.org/stable/c/a361293f5fedea0016a10599f409631a15d47ee7 •
CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-31449 – ext4: validate p_idx bounds in ext4_ext_correct_indexes
https://notcve.org/view.php?id=CVE-2026-31449
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: validate p_idx bounds in ext4_ext_correct_indexes ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_idx falls within the valid range of index entries for that level. If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the end of the allocated buf... • https://git.kernel.org/stable/c/a86c61812637c7dd0c57e29880cffd477b62f2e7 •
CVSS: 9.4 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31448 – ext4: avoid infinite loops caused by residual data
https://notcve.org/view.php?id=CVE-2026-31448
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subseq... • https://git.kernel.org/stable/c/315054f023d28ee64f308adf8b5737831541776b •
