CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31668 – seg6: separate dst_cache for input and output paths in seg6 lwtunnel
https://notcve.org/view.php?id=CVE-2026-31668
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for input and output paths in seg6 lwtunnel The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own ... • https://git.kernel.org/stable/c/6c8702c60b88651072460f3f4026c7dfe2521d12 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31667 – Input: uinput - fix circular locking dependency with ff-core
https://notcve.org/view.php?id=CVE-2026-31667
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Input: uinput - fix circular locking dependency with ff-core A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN RING under Wine with a Flydigi Vader 5 controller): ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex The cycle is caused by four lock acquisition paths: 1. ff upload: input_ff_upload() holds ff->mutex and calls ui... • https://git.kernel.org/stable/c/ff462551235d8d7d843a005950bc90924fcedede • CWE-667: Improper Locking •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31665 – netfilter: nft_ct: fix use-after-free in timeout object destroy
https://notcve.org/view.php?id=CVE-2026-31665
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix use-after-free in timeout object destroy nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freei... • https://git.kernel.org/stable/c/7e0b2b57f01d183e1c84114f1f2287737358d748 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31664 – xfrm: clear trailing padding in build_polexpire()
https://notcve.org/view.php?id=CVE-2026-31664
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in build_polexpire() build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31663 – xfrm: hold dev ref until after transport_finish NF_HOOK
https://notcve.org/view.php?id=CVE-2026-31663
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer si... • https://git.kernel.org/stable/c/acf568ee859f098279eadf551612f103afdacb4e •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31662 – tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
https://notcve.org/view.php?id=CVE-2026-31662
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current broadcast round. Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts ... • https://git.kernel.org/stable/c/2f487712b89376fce267223bbb0db93d393d4b09 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31661 – wifi: brcmsmac: Fix dma_free_coherent() size
https://notcve.org/view.php?id=CVE-2026-31661
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmsmac: Fix dma_free_coherent() size dma_alloc_consistent() may change the size to align it. The new size is saved in alloced. Change the free size to match the allocation size. • https://git.kernel.org/stable/c/5b435de0d786869c95d1962121af0d7df2542009 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31660 – nfc: pn533: allocate rx skb before consuming bytes
https://notcve.org/view.php?id=CVE-2026-31660
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: allocate rx skb before consuming bytes pn532_receive_buf() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already hand a complete frame to pn533_recv_frame() before allocating a fresh receive buffer. If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks t... • https://git.kernel.org/stable/c/c656aa4c27b17a8c70da223ed5ab42145800d6b5 •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31659 – batman-adv: reject oversized global TT response buffers
https://notcve.org/view.php?id=CVE-2026-31659
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject oversized global TT response buffers batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc(). The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocat... • https://git.kernel.org/stable/c/7ea7b4a142758deaf46c1af0ca9ceca6dd55138b •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31658 – net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
https://notcve.org/view.php?id=CVE-2026-31658
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() When dma_map_single() fails in tse_start_xmit(), the function returns NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the stack the packet was consumed, the skb is never freed, leaking memory on every DMA mapping failure. Add dev_kfree_skb_any() before returning to properly free the skb. • https://git.kernel.org/stable/c/bbd2190ce96d8fce031f0526c1f970b68adc9d1a • CWE-401: Missing Release of Memory after Effective Lifetime •