CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-31673 – af_unix: read UNIX_DIAG_VFS data under unix_state_lock
https://notcve.org/view.php?id=CVE-2026-31673
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

af_unix: read UNIX_DIAG_VFS data under unix_state_lock

Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being...

• https://git.kernel.org/stable/c/5f7b0569460b7d8d01ca776430a00505a68b7584

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31671 – xfrm_user: fix info leak in build_report()
https://notcve.org/view.php?id=CVE-2026-31671
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

xfrm_user: fix info leak in build_report()

struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector, which means there are three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables.

• https://git.kernel.org/stable/c/97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5
• CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31670 – net: rfkill: prevent unlimited numbers of rfkill events from being created
https://notcve.org/view.php?id=CVE-2026-31670
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

net: rfkill: prevent unlimited numbers of rfkill events from being created

Userspace can create an unlimited number of rfkill events if the system is so configured, while not consuming them from the rfkill file descriptor, causing a potential out of memory situation. Prevent this by bounding the number of pending rfkill events at a "large" number (i.e. 1000) to prevent abuses like this.

• https://git.kernel.org/stable/c/c64fb01627e24725d1f9d535e4426475a4415753

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31667 – Input: uinput - fix circular locking dependency with ff-core
https://notcve.org/view.php?id=CVE-2026-31667
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

Input: uinput - fix circular locking dependency with ff-core

A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN RING under Wine with a Flydigi Vader 5 controller):

ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex

The cycle is caused by four lock acquisition paths:

1. ff upload: input_ff_upload() holds ff->mutex and calls ui...

• https://git.kernel.org/stable/c/ff462551235d8d7d843a005950bc90924fcedede
• CWE-667: Improper Locking

CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31664 – xfrm: clear trailing padding in build_polexpire()
https://notcve.org/view.php?id=CVE-2026-31664
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

xfrm: clear trailing padding in build_polexpire()

build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners...

• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31663 – xfrm: hold dev ref until after transport_finish NF_HOOK
https://notcve.org/view.php?id=CVE-2026-31663
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

xfrm: hold dev ref until after transport_finish NF_HOOK

After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer si...

• https://git.kernel.org/stable/c/acf568ee859f098279eadf551612f103afdacb4e

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31661 – wifi: brcmsmac: Fix dma_free_coherent() size
https://notcve.org/view.php?id=CVE-2026-31661
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmsmac: Fix dma_free_coherent() size

dma_alloc_consistent() may change the size to align it. The new size is saved in alloced. Change the free size to match the allocation size.

• https://git.kernel.org/stable/c/5b435de0d786869c95d1962121af0d7df2542009

CVSS: 9.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31659 – batman-adv: reject oversized global TT response buffers
https://notcve.org/view.php?id=CVE-2026-31659
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

batman-adv: reject oversized global TT response buffers

batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc(). The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocat...

• https://git.kernel.org/stable/c/7ea7b4a142758deaf46c1af0ca9ceca6dd55138b

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31658 – net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
https://notcve.org/view.php?id=CVE-2026-31658
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()

When dma_map_single() fails in tse_start_xmit(), the function returns NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the stack the packet was consumed, the skb is never freed, leaking memory on every DMA mapping failure. Add dev_kfree_skb_any() before returning to properly free the skb.

• https://git.kernel.org/stable/c/bbd2190ce96d8fce031f0526c1f970b68adc9d1a
• CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 9.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31657 – batman-adv: hold claim backbone gateways by reference
https://notcve.org/view.php?id=CVE-2026-31657
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:

batman-adv: hold claim backbone gateways by reference

batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get...

• https://git.kernel.org/stable/c/23721387c409087fd3b97e274f34d3ddc0970b74
• CWE-476: NULL Pointer Dereference
