CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2026-31418 – netfilter: ipset: drop logically empty buckets in mtype_del
https://notcve.org/view.php?id=CVE-2026-31418
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots. Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further. • https://git.kernel.org/stable/c/8af1c6fbd9239877998c7f5a591cb2c88d41fb66 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31417 – net/x25: Fix overflow when accumulating packets
https://notcve.org/view.php?id=CVE-2026-31417
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be resetted when purging `fragment_queue` in `x25_clear_queues()`. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: %CPEs: 10EXPL: 0CVE-2026-31416 – netfilter: nfnetlink_log: account for netlink header size
https://notcve.org/view.php?id=CVE-2026-31416
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size. This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects. • https://git.kernel.org/stable/c/9dfa1dfe4d5e5e66a991321ab08afe69759d797a •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31415 – ipv6: avoid overflows in ip6_datagram_send_ctl()
https://notcve.org/view.php?id=CVE-2026-31415
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when mult... • https://git.kernel.org/stable/c/333fad5364d6b457c8d837f7d05802d2aaf8a961 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31414 – netfilter: nf_conntrack_expect: use expect->helper
https://notcve.org/view.php?id=CVE-2026-31414
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack... • https://git.kernel.org/stable/c/847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31413 – bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR
https://notcve.org/view.php?id=CVE-2026-31413
12 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is... • https://git.kernel.org/stable/c/dea9989a3f3961faede93752cd81eb5a9514d911 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31412 – usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
https://notcve.org/view.php?id=CVE-2026-31412
10 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()` , and the `common->data_size_... • https://git.kernel.org/stable/c/144974e7f9e32b53b02f6c8632be45d8f43d6ab5 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31411 – net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
https://notcve.org/view.php?id=CVE-2026-31411
08 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31410 – ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION
https://notcve.org/view.php?id=CVE-2026-31410
06 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION Use sb->s_uuid for a proper volume identifier as the primary choice. For filesystems that do not provide a UUID, fall back to stfs.f_fsid obtained from vfs_statfs(). • https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31409 – ksmbd: unset conn->binding on failed binding request
https://notcve.org/view.php?id=CVE-2026-31409
06 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This fix it by clearing conn->binding = false in the error path. • https://git.kernel.org/stable/c/f5a544e3bab78142207e0242d22442db85ba1eff •