CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31642 – rxrpc: Fix call removal to use RCU safe deletion
https://notcve.org/view.php?id=CVE-2026-31642
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix call removal to use RCU safe deletion Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu() rather than list_del_init() to prevent stuffing up reading /proc/net/rxrpc/calls from potentially getting into an infinite loop. This, however, means that list_empty() no longer works on an entry that's been deleted from the list, making it harder to detect prior deletion. Fix this by: Firstly, make rxrpc_destroy_all_call... • https://git.kernel.org/stable/c/2baec2c3f854d1f79c7bb28386484e144e864a14 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31637 – rxrpc: reject undecryptable rxkad response tickets
https://notcve.org/view.php?id=CVE-2026-31637
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKAD... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31634 – rxrpc: fix reference count leak in rxrpc_server_keyring()
https://notcve.org/view.php?id=CVE-2026-31634
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpc_server_keyring() This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set. • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31630 – rxrpc: proc: size address buffers for %pISpc output
https://notcve.org/view.php?id=CVE-2026-31630
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: proc: size address buffers for %pISpc output The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap(). As a result, a case suc... • https://git.kernel.org/stable/c/75b54cb57ca34cbe7a87c6ac757c55360a624590 •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31629 – nfc: llcp: add missing return after LLCP_CLOSED checks
https://notcve.org/view.php?id=CVE-2026-31629
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), lea... • https://git.kernel.org/stable/c/d646960f7986fefb460a2b062d5ccc8ccfeacc3a • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2026-31628 – x86/CPU: Fix FPDSS on Zen1
https://notcve.org/view.php?id=CVE-2026-31628
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/CPU: Fix FPDSS on Zen1 Zen1's hardware divider can leave, under certain circumstances, partial results from previous operations. Those results can be leaked by another, attacker thread. Fix that with a chicken bit. • https://git.kernel.org/stable/c/f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31627 – i2c: s3c24xx: check the size of the SMBUS message before using it
https://notcve.org/view.php?id=CVE-2026-31627
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it. This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver. • https://git.kernel.org/stable/c/85747311ecb6167c989093c64a13807366fdd3a9 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31626 – staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
https://notcve.org/view.php?id=CVE-2026-31626
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) variable, leaving the last two bytes uninitialized: drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes) Initializing the variable at the start of the function... • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b • CWE-908: Use of Uninitialized Resource •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31625 – HID: alps: fix NULL pointer dereference in alps_raw_event()
https://notcve.org/view.php?id=CVE-2026-31625
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event() Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), but the alps driver was missed. Fix this up by properly checking in the hid-alps driver that it had been claimed correctl... • https://git.kernel.org/stable/c/73196ebe134d11a68a2e27814c489d685cfc8b03 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31624 – HID: core: clamp report_size in s32ton() to avoid undefined shift
https://notcve.org/view.php?id=CVE-2026-31624
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b4191858... • https://git.kernel.org/stable/c/dde5845a529ff753364a6d1aea61180946270bfa •