CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31403 – NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
https://notcve.org/view.php?id=CVE-2026-31403
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different... • https://git.kernel.org/stable/c/96d851c4d28de8cc83fe2bd5c6bc2eb8f253a6c5 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31402 – nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
https://notcve.org/view.php?id=CVE-2026-31402
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is denied due to a conflict with an e... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31400 – sunrpc: fix cache_request leak in cache_release
https://notcve.org/view.php?id=CVE-2026-31400
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request. In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_rel... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2026-31399 – nvdimm/bus: Fix potential use after free in asynchronous initialization
https://notcve.org/view.php?id=CVE-2026-31399
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nvdimm/bus: Fix potential use after free in asynchronous initialization Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register(). Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") correctly added a reference on the parent device to be held until asynchronous initialization was complete. However, if device_add() results in an allocation failure the ref count of th... • https://git.kernel.org/stable/c/b6eae0f61db27748606cc00dafcfd1e2c032f0a5 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31396 – net: macb: fix use-after-free access to PTP clock
https://notcve.org/view.php?id=CVE-2026-31396
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use-after-free access to PTP clock PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via get_ts_info ethtool call which is possible while the interface is just present in the kernel. BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 Read of size 4 at addr ffff8880194345cc by task syz.0.6/948 CPU: 1 PID: 948 Comm: syz.0.6 Not t... • https://git.kernel.org/stable/c/c2594d804d5c8033861d44840673d852d98508c1 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31393 – Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
https://notcve.org/view.php?id=CVE-2026-31393
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_l... • https://git.kernel.org/stable/c/4e8402a3f884427f9233ba436459c158d1f2e114 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31392 – smb: client: fix krb5 mount with username option
https://notcve.org/view.php?id=CVE-2026-31392
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to searc... • https://git.kernel.org/stable/c/4ff67b720c02c36e54d55b88c2931879b7db1cd2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31391 – crypto: atmel-sha204a - Fix OOM ->tfm_count leak
https://notcve.org/view.php?id=CVE-2026-31391
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-sha204a - Fix OOM ->tfm_count leak If memory allocation fails, decrement ->tfm_count to avoid blocking future reads. • https://git.kernel.org/stable/c/da001fb651b00e1deeaf24767dd691ae8152a4f5 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23474 – mtd: Avoid boot crash in RedBoot partition table parser
https://notcve.org/view.php?id=CVE-2026-23474
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overfl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23472 – serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
https://notcve.org/view.php?id=CVE-2026-23472
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can wri... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •