CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31497 – Bluetooth: btusb: clamp SCO altsetting table indices
https://notcve.org/view.php?id=CVE-2026-31497
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: clamp SCO altsetting table indices btusb_work() maps the number of active SCO links to USB alternate settings through a three-entry lookup table when CVSD traffic uses transparent voice settings. The lookup currently indexes alts[] with data->sco_num - 1 without first constraining sco_num to the number of available table entries. While the table only defines alternate settings for up to three SCO links, data->sco_num comes... • https://git.kernel.org/stable/c/baac6276c0a9f36f1fe1f00590ef00d2ba5ba626 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31496 – netfilter: nf_conntrack_expect: skip expectations in other netns via proc
https://notcve.org/view.php?id=CVE-2026-31496
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's conntrack entries via proc"). • https://git.kernel.org/stable/c/9b03f38d0487f3908696242286d934c9b38f9d2a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31495 – netfilter: ctnetlink: use netlink policy range checks
https://notcve.org/view.php?id=CVE-2026-31495
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use netlink policy range checks Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors. - CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at policy level, removing the manual >= TCP_CONNTRACK_MAX check. - CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE... • https://git.kernel.org/stable/c/c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31494 – net: macb: use the current queue number for stats
https://notcve.org/view.php?id=CVE-2026-31494
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: macb: use the current queue number for stats There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gem_get_sset_count() correctly computes the number of stats based on the active queues, whereas gem_get_ethtool_stats() indiscriminately copies data using the maximum number of queues, and in the case the number of active queues is less than MACB_MAX_QUEUES, this results in a OOB write a... • https://git.kernel.org/stable/c/512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31493 – RDMA/efa: Fix use of completion ctx after free
https://notcve.org/view.php?id=CVE-2026-31493
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again). Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc ... • https://git.kernel.org/stable/c/68fb9f3e312a36e49fd05ec2d6b668daf2c4931a • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31492 – RDMA/irdma: Initialize free_qp completion before using it
https://notcve.org/view.php?id=CVE-2026-31492
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Initialize free_qp completion before using it In irdma_create_qp, if ib_copy_to_udata fails, it will call irdma_destroy_qp to clean up which will attempt to wait on the free_qp completion, which is not initialized yet. Fix this by initializing the completion before the ib_copy_to_udata call. • https://git.kernel.org/stable/c/b48c24c2d710cf34810c555dcef883a3d35a9c08 • CWE-908: Use of Uninitialized Resource •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2026-31489 – spi: meson-spicc: Fix double-put in remove path
https://notcve.org/view.php?id=CVE-2026-31489
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: meson-spicc: Fix double-put in remove path meson_spicc_probe() registers the controller with devm_spi_register_controller(), so teardown already drops the controller reference via devm cleanup. Calling spi_controller_put() again in meson_spicc_remove() causes a double-put. • https://git.kernel.org/stable/c/8311ee2164c5cd1b63a601ea366f540eae89f10e • CWE-415: Double Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31488 – drm/amd/display: Do not skip unrelated mode changes in DSC validation
https://notcve.org/view.php?id=CVE-2026-31488
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not skip unrelated mode changes in DSC validation Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), amdgpu resets the CRTC state mode_changed flag to false when recomputing the DSC configuration results in no timing change for a particular stream. However, this is incorrect in scenarios where a change in MST/DSC configuration happens in the same KMS commit as another (unrelate... • https://git.kernel.org/stable/c/17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31487 – spi: use generic driver_override infrastructure
https://notcve.org/view.php?id=CVE-2026-31487
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional... • https://git.kernel.org/stable/c/5039563e7c25eccd7fec1de6706011009d1c5665 • CWE-667: Improper Locking •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31486 – hwmon: (pmbus/core) Protect regulator operations with mutex
https://notcve.org/view.php?id=CVE-2026-31486
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_not... • https://git.kernel.org/stable/c/ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7 • CWE-667: Improper Locking •