CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2026-31418 – netfilter: ipset: drop logically empty buckets in mtype_del
https://notcve.org/view.php?id=CVE-2026-31418
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots. Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further. • https://git.kernel.org/stable/c/8af1c6fbd9239877998c7f5a591cb2c88d41fb66 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31417 – net/x25: Fix overflow when accumulating packets
https://notcve.org/view.php?id=CVE-2026-31417
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be resetted when purging `fragment_queue` in `x25_clear_queues()`. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: %CPEs: 10EXPL: 0CVE-2026-31416 – netfilter: nfnetlink_log: account for netlink header size
https://notcve.org/view.php?id=CVE-2026-31416
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size. This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects. • https://git.kernel.org/stable/c/9dfa1dfe4d5e5e66a991321ab08afe69759d797a •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31415 – ipv6: avoid overflows in ip6_datagram_send_ctl()
https://notcve.org/view.php?id=CVE-2026-31415
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when mult... • https://git.kernel.org/stable/c/333fad5364d6b457c8d837f7d05802d2aaf8a961 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31414 – netfilter: nf_conntrack_expect: use expect->helper
https://notcve.org/view.php?id=CVE-2026-31414
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack... • https://git.kernel.org/stable/c/847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31412 – usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
https://notcve.org/view.php?id=CVE-2026-31412
10 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()` , and the `common->data_size_... • https://git.kernel.org/stable/c/144974e7f9e32b53b02f6c8632be45d8f43d6ab5 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31411 – net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
https://notcve.org/view.php?id=CVE-2026-31411
08 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31408 – Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
https://notcve.org/view.php?id=CVE-2026-31408
06 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hol... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-31407 – netfilter: conntrack: add missing netlink policy validations
https://notcve.org/view.php?id=CVE-2026-31407
06 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100... • https://git.kernel.org/stable/c/a258860e01b80e8f554a4ab1a6c95e6042eb8b73 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31405 – media: dvb-net: fix OOB access in ULE extension header tables
https://notcve.org/view.php?id=CVE-2026-31405
06 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be call... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •