CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31677 – crypto: af_alg - limit RX SG extraction by receive buffer budget
https://notcve.org/view.php?id=CVE-2026-31677
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - limit RX SG extraction by receive buffer budget Make af_alg_get_rsgl() limit each RX scatterlist extraction to the remaining receive buffer budget. af_alg_get_rsgl() currently uses af_alg_readable() only as a gate before extracting data into the RX scatterlist. Limit each extraction to the remaining af_alg_rcvbuf(sk) budget so that receive-side accounting matches the amount of data attached to the request. If skcipher canno... • https://git.kernel.org/stable/c/e870456d8e7c8d57c059ea479b5aadbb55ff4c3a •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31676 – rxrpc: only handle RESPONSE during service challenge
https://notcve.org/view.php?id=CVE-2026-31676
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup pat... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31675 – net/sched: sch_netem: fix out-of-bounds access in packet corruption
https://notcve.org/view.php?id=CVE-2026-31675
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using... • https://git.kernel.org/stable/c/c865e5d99e25a171e8262fc0f7ba608568633c64 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31674 – netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
https://notcve.org/view.php?id=CVE-2026-31674
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31673 – af_unix: read UNIX_DIAG_VFS data under unix_state_lock
https://notcve.org/view.php?id=CVE-2026-31673
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being... • https://git.kernel.org/stable/c/5f7b0569460b7d8d01ca776430a00505a68b7584 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31672 – wifi: rt2x00usb: fix devres lifetime
https://notcve.org/view.php?id=CVE-2026-31672
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00usb: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the USB anchor lifetime so that it is released on driver unbind. • https://git.kernel.org/stable/c/8b4c0009313f3d42e2540e3e1f776097dd0db73d • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31671 – xfrm_user: fix info leak in build_report()
https://notcve.org/view.php?id=CVE-2026-31671
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_report() struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector which means there is three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables. • https://git.kernel.org/stable/c/97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31670 – net: rfkill: prevent unlimited numbers of rfkill events from being created
https://notcve.org/view.php?id=CVE-2026-31670
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: rfkill: prevent unlimited numbers of rfkill events from being created Userspace can create an unlimited number of rfkill events if the system is so configured, while not consuming them from the rfkill file descriptor, causing a potential out of memory situation. Prevent this from bounding the number of pending rfkill events at a "large" number (i.e. 1000) to prevent abuses like this. • https://git.kernel.org/stable/c/c64fb01627e24725d1f9d535e4426475a4415753 •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31668 – seg6: separate dst_cache for input and output paths in seg6 lwtunnel
https://notcve.org/view.php?id=CVE-2026-31668
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own ... • https://git.kernel.org/stable/c/6c8702c60b88651072460f3f4026c7dfe2521d12 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31667 – Input: uinput - fix circular locking dependency with ff-core
https://notcve.org/view.php?id=CVE-2026-31667
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: uinput - fix circular locking dependency with ff-core A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN RING under Wine with a Flydigi Vader 5 controller): ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex The cycle is caused by four lock acquisition paths: 1. ff upload: input_ff_upload() holds ff->mutex and calls ui... • https://git.kernel.org/stable/c/ff462551235d8d7d843a005950bc90924fcedede • CWE-667: Improper Locking •