CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31665 – netfilter: nft_ct: fix use-after-free in timeout object destroy
https://notcve.org/view.php?id=CVE-2026-31665
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: fix use-after-free in timeout object destroy
nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freei...
https://git.kernel.org/stable/c/7e0b2b57f01d183e1c84114f1f2287737358d748 • CWE-416: Use After Free

CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31664 – xfrm: clear trailing padding in build_polexpire()
https://notcve.org/view.php?id=CVE-2026-31664
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
xfrm: clear trailing padding in build_polexpire()
build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners...
https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31663 – xfrm: hold dev ref until after transport_finish NF_HOOK
https://notcve.org/view.php?id=CVE-2026-31663
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
xfrm: hold dev ref until after transport_finish NF_HOOK
After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer si...
https://git.kernel.org/stable/c/acf568ee859f098279eadf551612f103afdacb4e

CVSS: 7.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31662 – tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
https://notcve.org/view.php?id=CVE-2026-31662
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current broadcast round. Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts ...
https://git.kernel.org/stable/c/2f487712b89376fce267223bbb0db93d393d4b09 • CWE-191: Integer Underflow (Wrap or Wraparound)

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31661 – wifi: brcmsmac: Fix dma_free_coherent() size
https://notcve.org/view.php?id=CVE-2026-31661
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmsmac: Fix dma_free_coherent() size
dma_alloc_consistent() may change the size to align it. The new size is saved in alloced. Change the free size to match the allocation size.
https://git.kernel.org/stable/c/5b435de0d786869c95d1962121af0d7df2542009

CVSS: 9.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31659 – batman-adv: reject oversized global TT response buffers
https://notcve.org/view.php?id=CVE-2026-31659
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: reject oversized global TT response buffers
batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc(). The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocat...
https://git.kernel.org/stable/c/7ea7b4a142758deaf46c1af0ca9ceca6dd55138b

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31658 – net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
https://notcve.org/view.php?id=CVE-2026-31658
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
When dma_map_single() fails in tse_start_xmit(), the function returns NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the stack the packet was consumed, the skb is never freed, leaking memory on every DMA mapping failure. Add dev_kfree_skb_any() before returning to properly free the skb.
https://git.kernel.org/stable/c/bbd2190ce96d8fce031f0526c1f970b68adc9d1a • CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 9.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31657 – batman-adv: hold claim backbone gateways by reference
https://notcve.org/view.php?id=CVE-2026-31657
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: hold claim backbone gateways by reference
batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get...
https://git.kernel.org/stable/c/23721387c409087fd3b97e274f34d3ddc0970b74 • CWE-476: NULL Pointer Dereference

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31651 – mmc: vub300: fix NULL-deref on disconnect
https://notcve.org/view.php?id=CVE-2026-31651
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
mmc: vub300: fix NULL-deref on disconnect
Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free.
https://git.kernel.org/stable/c/88095e7b473a3d9ec3b9c60429576e9cbd327c89 • CWE-476: NULL Pointer Dereference

CVSS: 9.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31649 – net: stmmac: fix integer underflow in chain mode
https://notcve.org/view.php?id=CVE-2026-31649
24 Apr 2026
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix integer underflow in chain mode
The jumbo_frm() chain-mode implementation unconditionally computes
    len = nopaged_len - bmax;
where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):
    is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);
When a packet has a ...
https://git.kernel.org/stable/c/286a837217204b1ef105e3a554d0757e4fdfaac1 • CWE-190: Integer Overflow or Wraparound
