CVSS: 5.5 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-31519 – btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
https://notcve.org/view.php?id=CVE-2026-31519
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like:
drwxrwxrwt 1 root root 16 Jan 23 16:49 .
drwxr-xr-x 1 root root 24 Jan 23 16:48 ..
d????????? ? ? ? ?
• https://git.kernel.org/stable/c/c71bf099abddf3e0fdc27f251ba76fca1461d49a
• CWE-476: NULL Pointer Dereference

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31518 – esp: fix skb leak with espintcp and async crypto
https://notcve.org/view.php?id=CVE-2026-31518
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
esp: fix skb leak with espintcp and async crypto
When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us. With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error.
• https://git.kernel.org/stable/c/e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
• CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-31516 – xfrm: prevent policy_hthresh.work from racing with netns teardown
https://notcve.org/view.php?id=CVE-2026-31516
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
xfrm: prevent policy_hthresh.work from racing with netns teardown
A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. x...
• https://git.kernel.org/stable/c/880a6fab8f6ba5b5abe59ea68533202ddea1012c
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31515 – af_key: validate families in pfkey_send_migrate()
https://notcve.org/view.php?id=CVE-2026-31515
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
af_key: validate families in pfkey_send_migrate()
syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest().
[1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 en...
• https://git.kernel.org/stable/c/08de61beab8a21c8e0b3906a97defda5f1f66ece
• CWE-476: NULL Pointer Dereference

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31512 – Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
https://notcve.org/view.php?id=CVE-2026-31512
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu,...
• https://git.kernel.org/stable/c/aac23bf636593cc2d67144aed373a46a1a5f76b1

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31510 – Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
https://notcve.org/view.php?id=CVE-2026-31510
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
Before using sk pointer, check if it is null. Fix the following:
KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]
CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025
Workqueue: events l2cap_info_timeout
RIP: 0010:kasan_byte_accessi...
• https://git.kernel.org/stable/c/54a59aa2b562872781d6a8fc89f300d360941691
• CWE-476: NULL Pointer Dereference

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31509 – nfc: nci: fix circular locking dependency in nci_close_device
https://notcve.org/view.php?id=CVE-2026-31509
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
nfc: nci: fix circular locking dependency in nci_close_device
nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too:
nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock)
Move ...
• https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8
• CWE-667: Improper Locking

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31508 – net: openvswitch: Avoid releasing netdev before teardown completes
https://notcve.org/view.php?id=CVE-2026-31508
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: Avoid releasing netdev before teardown completes
The patch cited in the Fixes tag below changed the teardown code for OVS ports to no longer unconditionally take the RTNL. After this change, the netdev_destroy() callback can proceed immediately to the call_rcu() invocation if the IFF_OVS_DATAPATH flag is already cleared on the netdev. The ovs_netdev_detach_dev() function clears the flag before completing the unregistration...
• https://git.kernel.org/stable/c/b823c3344d5446b720227ba561df10a4f0add515

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31507 – net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
https://notcve.org/view.php?id=CVE-2026-31507
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores the pointer in pipe_buffer.private. The pipe_buf_operations for these buffers used .get = generic_pipe_buf_get, which only increments the page reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv pointer itself was not handled, so after tee() both the original and the clone...
• https://git.kernel.org/stable/c/9014db202cb764b8e14c53e7bacc81f9a1a2ba7f
• CWE-415: Double Free

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-31506 – net: bcmasp: fix double free of WoL irq
https://notcve.org/view.php?id=CVE-2026-31506
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
net: bcmasp: fix double free of WoL irq
We do not need to free wol_irq since it was instantiated with devm_request_irq(). So devres will free for us.
• https://git.kernel.org/stable/c/a2f0751206b03374f6d02f89c18a60f1bb238fea
• CWE-415: Double Free
