CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31509 – nfc: nci: fix circular locking dependency in nci_close_device
https://notcve.org/view.php?id=CVE-2026-31509
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nci_close_device nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too: nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock) Move ... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 • CWE-667: Improper Locking
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31504 – net: fix fanout UAF in packet_release() via NETDEV_UP race
https://notcve.org/view.php?id=CVE-2026-31504
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches... • https://git.kernel.org/stable/c/ce06b03e60fc19c680d1bf873e779bf11c2fc518 • CWE-416: Use After Free
CVSS: 5.5 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-31503 – udp: Fix wildcard bind conflict check when using hash2
https://notcve.org/view.php?id=CVE-2026-31503
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: udp: Fix wildcard bind conflict check when using hash2 When binding a udp_sock to a local address and port, UDP uses two hashes (udptable->hash and udptable->hash2) for collision detection. The current code switches to "hash2" when hslot->count > 10. "hash2" is keyed by local address and local port. "hash" is keyed by local port only. The issue can be shown in the following bind sequence (pseudo code): bind(fd1, "[fd00::1]:8888") bind(fd2, ... • https://git.kernel.org/stable/c/30fff9231fad757c061285e347b33c5149c2c2e4
CVSS: 5.5 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-31496 – netfilter: nf_conntrack_expect: skip expectations in other netns via proc
https://notcve.org/view.php?id=CVE-2026-31496
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's conntrack entries via proc"). • https://git.kernel.org/stable/c/9b03f38d0487f3908696242286d934c9b38f9d2a
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31495 – netfilter: ctnetlink: use netlink policy range checks
https://notcve.org/view.php?id=CVE-2026-31495
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use netlink policy range checks Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors. - CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at policy level, removing the manual >= TCP_CONNTRACK_MAX check. - CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE... • https://git.kernel.org/stable/c/c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31469 – virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
https://notcve.org/view.php?id=CVE-2026-31469
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag is cleared (e.g., during the configuration of tc route filter rules). When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted ... • https://git.kernel.org/stable/c/f2fc6a54585a1be6669613a31fbaba2ecbadcd36
CVSS: 8.1 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31464 – scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
https://notcve.org/view.php?id=CVE-2026-31464
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access k... • https://git.kernel.org/stable/c/072b91f9c6510d0ec4a49d07dbc318760c7da7b3
CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-31449 – ext4: validate p_idx bounds in ext4_ext_correct_indexes
https://notcve.org/view.php?id=CVE-2026-31449
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: validate p_idx bounds in ext4_ext_correct_indexes ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_idx falls within the valid range of index entries for that level. If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the end of the allocated buf... • https://git.kernel.org/stable/c/a86c61812637c7dd0c57e29880cffd477b62f2e7
CVSS: 9.4 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-31448 – ext4: avoid infinite loops caused by residual data
https://notcve.org/view.php?id=CVE-2026-31448
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subseq... • https://git.kernel.org/stable/c/315054f023d28ee64f308adf8b5737831541776b
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-31447 – ext4: reject mount if bigalloc with s_first_data_block != 0
https://notcve.org/view.php?id=CVE-2026-31447
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: reject mount if bigalloc with s_first_data_block != 0 bigalloc with s_first_data_block != 0 is not supported, reject mounting it. • https://git.kernel.org/stable/c/281b59959707dfae03ce038cdf231bf4904e170c
