CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2026-31399 – nvdimm/bus: Fix potential use after free in asynchronous initialization
https://notcve.org/view.php?id=CVE-2026-31399
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nvdimm/bus: Fix potential use after free in asynchronous initialization Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register(). Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") correctly added a reference on the parent device to be held until asynchronous initialization was complete. However, if device_add() results in an allocation failure the ref count of th... • https://git.kernel.org/stable/c/b6eae0f61db27748606cc00dafcfd1e2c032f0a5 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31396 – net: macb: fix use-after-free access to PTP clock
https://notcve.org/view.php?id=CVE-2026-31396
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use-after-free access to PTP clock PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via get_ts_info ethtool call which is possible while the interface is just present in the kernel. BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 Read of size 4 at addr ffff8880194345cc by task syz.0.6/948 CPU: 1 PID: 948 Comm: syz.0.6 Not t... • https://git.kernel.org/stable/c/c2594d804d5c8033861d44840673d852d98508c1 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31393 – Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
https://notcve.org/view.php?id=CVE-2026-31393
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_l... • https://git.kernel.org/stable/c/4e8402a3f884427f9233ba436459c158d1f2e114 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31392 – smb: client: fix krb5 mount with username option
https://notcve.org/view.php?id=CVE-2026-31392
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to searc... • https://git.kernel.org/stable/c/4ff67b720c02c36e54d55b88c2931879b7db1cd2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31391 – crypto: atmel-sha204a - Fix OOM ->tfm_count leak
https://notcve.org/view.php?id=CVE-2026-31391
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-sha204a - Fix OOM ->tfm_count leak If memory allocation fails, decrement ->tfm_count to avoid blocking future reads. • https://git.kernel.org/stable/c/da001fb651b00e1deeaf24767dd691ae8152a4f5 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23474 – mtd: Avoid boot crash in RedBoot partition table parser
https://notcve.org/view.php?id=CVE-2026-23474
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overfl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23472 – serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
https://notcve.org/view.php?id=CVE-2026-23472
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can wri... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23468 – drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
https://notcve.org/view.php?id=CVE-2026-23468
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which... • https://git.kernel.org/stable/c/d38ceaf99ed015f2a0b9af3499791bd3a3daae21 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-23465 – btrfs: log new dentries when logging parent dir of a conflicting inode
https://notcve.org/view.php?id=CVE-2026-23465
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: log new dentries when logging parent dir of a conflicting inode If we log the parent directory of a conflicting inode, we are not logging the new dentries of the directory, so when we finish we have the parent directory's inode marked as logged but we did not log its new dentries. As a consequence if the parent directory is explicitly fsynced later and it does not have any new changes since we logged it, the fsync is a no-op and afte... • https://git.kernel.org/stable/c/a3baaf0d786e22fc86295fda9c58ba0dee07599f •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-23463 – soc: fsl: qbman: fix race condition in qman_destroy_fq
https://notcve.org/view.php?id=CVE-2026-23463
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_... • https://git.kernel.org/stable/c/c535e923bb97a4b361e89a6383693482057f8b0c •