CVSS: 9.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31659 – batman-adv: reject oversized global TT response buffers
https://notcve.org/view.php?id=CVE-2026-31659
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject oversized global TT response buffers batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc(). The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocat... • https://git.kernel.org/stable/c/7ea7b4a142758deaf46c1af0ca9ceca6dd55138b •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31658 – net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
https://notcve.org/view.php?id=CVE-2026-31658
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() When dma_map_single() fails in tse_start_xmit(), the function returns NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the stack the packet was consumed, the skb is never freed, leaking memory on every DMA mapping failure. Add dev_kfree_skb_any() before returning to properly free the skb. • https://git.kernel.org/stable/c/bbd2190ce96d8fce031f0526c1f970b68adc9d1a • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 9.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-31657 – batman-adv: hold claim backbone gateways by reference
https://notcve.org/view.php?id=CVE-2026-31657
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get... • https://git.kernel.org/stable/c/23721387c409087fd3b97e274f34d3ddc0970b74 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8 • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2026-31656 – drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
https://notcve.org/view.php?id=CVE-2026-31656
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat A use-after-free / refcount underflow is possible when the heartbeat worker and intel_engine_park_heartbeat() race to release the same engine->heartbeat.systole request. The heartbeat worker reads engine->heartbeat.systole and calls i915_request_put() on it when the request is complete, but clears the pointer in a separate, non-atomic step. Concurrently, a request retirement... • https://git.kernel.org/stable/c/058179e72e0956a2dfe4927db6cbe5fbfb2406aa • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-31655 – pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
https://notcve.org/view.php?id=CVE-2026-31655
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled Keep the NOC_HDCP clock always enabled to fix the potential hang caused by the NoC ADB400 port power down handshake. • https://git.kernel.org/stable/c/77b0ddb42add47748c661f714e6f4b116a6e8759 •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31651 – mmc: vub300: fix NULL-deref on disconnect
https://notcve.org/view.php?id=CVE-2026-31651
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix NULL-deref on disconnect Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free. • https://git.kernel.org/stable/c/88095e7b473a3d9ec3b9c60429576e9cbd327c89 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31649 – net: stmmac: fix integer underflow in chain mode
https://notcve.org/view.php?id=CVE-2026-31649
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix integer underflow in chain mode The jumbo_frm() chain-mode implementation unconditionally computes len = nopaged_len - bmax; where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments): is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc); When a packet has a ... • https://git.kernel.org/stable/c/286a837217204b1ef105e3a554d0757e4fdfaac1 • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-31648 – mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()
https://notcve.org/view.php?id=CVE-2026-31648
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mm: filemap: fix nr_pages calculation overflow in filemap_map_pages() When running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I encountered some very strange crash issues showing up as "Bad page state": " [ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb [ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb [ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|... • https://git.kernel.org/stable/c/fe601b70eac6cd266e8d7d55030e90a73ed0e339 • CWE-190: Integer Overflow or Wraparound •
CVSS: 5.5 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-31647 – idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling
https://notcve.org/view.php?id=CVE-2026-31647
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpf_vc_xn struct. The conversion is safe because complete/_all() are called outside the lock and there is no reason to share the completion lock in the current logic. This avoids invalid wait context reported by the kernel due to the async handler taking BH spinlock: [ 805.726977] =======================... • https://git.kernel.org/stable/c/34c21fa894a1af6166f4284c81d1dc21efed8f38 •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-31646 – net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()
https://notcve.org/view.php?id=CVE-2026-31646
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool() page_pool_create() can return an ERR_PTR on failure. The return value is used unconditionally in the loop that follows, passing the error pointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(), which dereferences it, causing a kernel oops. Add an IS_ERR check after page_pool_create() to return early on failure. • https://git.kernel.org/stable/c/11871aba19748b3387e83a2db6360aa7119e9a1a • CWE-476: NULL Pointer Dereference •
