CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31396 – net: macb: fix use-after-free access to PTP clock
https://notcve.org/view.php?id=CVE-2026-31396
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use-after-free access to PTP clock PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via get_ts_info ethtool call which is possible while the interface is just present in the kernel. BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 Read of size 4 at addr ffff8880194345cc by task syz.0.6/948 CPU: 1 PID: 948 Comm: syz.0.6 Not t... • https://git.kernel.org/stable/c/c2594d804d5c8033861d44840673d852d98508c1 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31393 – Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
https://notcve.org/view.php?id=CVE-2026-31393
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_l... • https://git.kernel.org/stable/c/4e8402a3f884427f9233ba436459c158d1f2e114 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31392 – smb: client: fix krb5 mount with username option
https://notcve.org/view.php?id=CVE-2026-31392
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to searc... • https://git.kernel.org/stable/c/4ff67b720c02c36e54d55b88c2931879b7db1cd2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23474 – mtd: Avoid boot crash in RedBoot partition table parser
https://notcve.org/view.php?id=CVE-2026-23474
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overfl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23472 – serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
https://notcve.org/view.php?id=CVE-2026-23472
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can wri... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23468 – drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
https://notcve.org/view.php?id=CVE-2026-23468
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which... • https://git.kernel.org/stable/c/d38ceaf99ed015f2a0b9af3499791bd3a3daae21 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23463 – soc: fsl: qbman: fix race condition in qman_destroy_fq
https://notcve.org/view.php?id=CVE-2026-23463
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_... • https://git.kernel.org/stable/c/c535e923bb97a4b361e89a6383693482057f8b0c •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23462 – Bluetooth: HIDP: Fix possible UAF
https://notcve.org/view.php?id=CVE-2026-23462
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 [ 97.809947] Call Trace: ... • https://git.kernel.org/stable/c/b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23460 – net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
https://notcve.org/view.php?id=CVE-2026-23460
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time w... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23458 – netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
https://notcve.org/view.php?id=CVE-2026-23458
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ... • https://git.kernel.org/stable/c/e844a928431fa8f1359d1f4f2cef53d9b446bf52 •