CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31651 – mmc: vub300: fix NULL-deref on disconnect
https://notcve.org/view.php?id=CVE-2026-31651
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix NULL-deref on disconnect Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free. • https://git.kernel.org/stable/c/88095e7b473a3d9ec3b9c60429576e9cbd327c89 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31649 – net: stmmac: fix integer underflow in chain mode
https://notcve.org/view.php?id=CVE-2026-31649
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix integer underflow in chain mode The jumbo_frm() chain-mode implementation unconditionally computes len = nopaged_len - bmax; where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments): is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc); When a packet has a ... • https://git.kernel.org/stable/c/286a837217204b1ef105e3a554d0757e4fdfaac1 • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31637 – rxrpc: reject undecryptable rxkad response tickets
https://notcve.org/view.php?id=CVE-2026-31637
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKAD... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31634 – rxrpc: fix reference count leak in rxrpc_server_keyring()
https://notcve.org/view.php?id=CVE-2026-31634
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpc_server_keyring() This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set. • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31629 – nfc: llcp: add missing return after LLCP_CLOSED checks
https://notcve.org/view.php?id=CVE-2026-31629
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), lea... • https://git.kernel.org/stable/c/d646960f7986fefb460a2b062d5ccc8ccfeacc3a • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2026-31628 – x86/CPU: Fix FPDSS on Zen1
https://notcve.org/view.php?id=CVE-2026-31628
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/CPU: Fix FPDSS on Zen1 Zen1's hardware divider can leave, under certain circumstances, partial results from previous operations. Those results can be leaked by another, attacker thread. Fix that with a chicken bit. • https://git.kernel.org/stable/c/f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31627 – i2c: s3c24xx: check the size of the SMBUS message before using it
https://notcve.org/view.php?id=CVE-2026-31627
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it. This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver. • https://git.kernel.org/stable/c/85747311ecb6167c989093c64a13807366fdd3a9 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31624 – HID: core: clamp report_size in s32ton() to avoid undefined shift
https://notcve.org/view.php?id=CVE-2026-31624
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b4191858... • https://git.kernel.org/stable/c/dde5845a529ff753364a6d1aea61180946270bfa •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31623 – net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
https://notcve.org/view.php?id=CVE-2026-31623
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-page bulk transfers. Drop the skb and increment the length error when the frag limit is reached. This matches the same fix that commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path") did for the t7xx dri... • https://git.kernel.org/stable/c/87cf65601e1709e57f7e28f0f7b3eb0a992c1782 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31622 – NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
https://notcve.org/view.php?id=CVE-2026-31622
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows). ISO 14443-3 limits NFC-A... • https://git.kernel.org/stable/c/2c66daecc4092e6049673c281b2e6f0d5e59a94c • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •