CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31657 – batman-adv: hold claim backbone gateways by reference
https://notcve.org/view.php?id=CVE-2026-31657
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get... • https://git.kernel.org/stable/c/23721387c409087fd3b97e274f34d3ddc0970b74 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31656 – drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
https://notcve.org/view.php?id=CVE-2026-31656
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat A use-after-free / refcount underflow is possible when the heartbeat worker and intel_engine_park_heartbeat() race to release the same engine->heartbeat.systole request. The heartbeat worker reads engine->heartbeat.systole and calls i915_request_put() on it when the request is complete, but clears the pointer in a separate, non-atomic step. Concurrently, a request retirement... • https://git.kernel.org/stable/c/058179e72e0956a2dfe4927db6cbe5fbfb2406aa • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31651 – mmc: vub300: fix NULL-deref on disconnect
https://notcve.org/view.php?id=CVE-2026-31651
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix NULL-deref on disconnect Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free. • https://git.kernel.org/stable/c/88095e7b473a3d9ec3b9c60429576e9cbd327c89 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31649 – net: stmmac: fix integer underflow in chain mode
https://notcve.org/view.php?id=CVE-2026-31649
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix integer underflow in chain mode The jumbo_frm() chain-mode implementation unconditionally computes len = nopaged_len - bmax; where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments): is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc); When a packet has a ... • https://git.kernel.org/stable/c/286a837217204b1ef105e3a554d0757e4fdfaac1 • CWE-190: Integer Overflow or Wraparound •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31642 – rxrpc: Fix call removal to use RCU safe deletion
https://notcve.org/view.php?id=CVE-2026-31642
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix call removal to use RCU safe deletion Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu() rather than list_del_init() to prevent stuffing up reading /proc/net/rxrpc/calls from potentially getting into an infinite loop. This, however, means that list_empty() no longer works on an entry that's been deleted from the list, making it harder to detect prior deletion. Fix this by: Firstly, make rxrpc_destroy_all_call... • https://git.kernel.org/stable/c/2baec2c3f854d1f79c7bb28386484e144e864a14 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31637 – rxrpc: reject undecryptable rxkad response tickets
https://notcve.org/view.php?id=CVE-2026-31637
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKAD... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31634 – rxrpc: fix reference count leak in rxrpc_server_keyring()
https://notcve.org/view.php?id=CVE-2026-31634
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpc_server_keyring() This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set. • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31630 – rxrpc: proc: size address buffers for %pISpc output
https://notcve.org/view.php?id=CVE-2026-31630
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: proc: size address buffers for %pISpc output The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap(). As a result, a case suc... • https://git.kernel.org/stable/c/75b54cb57ca34cbe7a87c6ac757c55360a624590 •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31629 – nfc: llcp: add missing return after LLCP_CLOSED checks
https://notcve.org/view.php?id=CVE-2026-31629
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), lea... • https://git.kernel.org/stable/c/d646960f7986fefb460a2b062d5ccc8ccfeacc3a • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2026-31628 – x86/CPU: Fix FPDSS on Zen1
https://notcve.org/view.php?id=CVE-2026-31628
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/CPU: Fix FPDSS on Zen1 Zen1's hardware divider can leave, under certain circumstances, partial results from previous operations. Those results can be leaked by another, attacker thread. Fix that with a chicken bit. • https://git.kernel.org/stable/c/f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 •