CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31623 – net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
https://notcve.org/view.php?id=CVE-2026-31623
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-page bulk transfers. Drop the skb and increment the length error when the frag limit is reached. This matches the same fix that commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path") did for the t7xx dri... • https://git.kernel.org/stable/c/87cf65601e1709e57f7e28f0f7b3eb0a992c1782 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31622 – NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
https://notcve.org/view.php?id=CVE-2026-31622
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows). ISO 14443-3 limits NFC-A... • https://git.kernel.org/stable/c/2c66daecc4092e6049673c281b2e6f0d5e59a94c • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31619 – ALSA: fireworks: bound device-supplied status before string array lookup
https://notcve.org/view.php?id=CVE-2026-31619
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status value outside that range goes off into the weeds when looking at the %s value. Even worse, the status could return EFR_STATUS_INCOMPLETE which is 0x80000000, and is obviously not in that array of potential strings. Fix this up by properly... • https://git.kernel.org/stable/c/bde8a8f23bbe6db51fa4e81644273af18fef3d7a •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31618 – fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
https://notcve.org/view.php?id=CVE-2026-31618
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-369: Divide By Zero •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31616 – usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
https://notcve.org/view.php?id=CVE-2026-31616
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers. pn_rx_complete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGE_SIZE by the gadget. If the host always sends exactly PAGE_SIZE bytes per transfer, fp->r... • https://git.kernel.org/stable/c/b91cd1440870f7a0649e570498b7b93caf9f781c • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31615 – usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
https://notcve.org/view.php?id=CVE-2026-31615
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by validating the number of endpoints actually match up with the number the device has before attempting to dereference a pointer based on this math. This is just like what was done in commit ee0d382feb44 ("usb: gadg... • https://git.kernel.org/stable/c/746bfe63bba37ad55956b7377c9af494e7e28929 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2026-31607 – usbip: validate number_of_packets in usbip_pack_ret_submit()
https://notcve.org/view.php?id=CVE-2026-31607
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets fr... • https://git.kernel.org/stable/c/1325f85fa49f57df034869de430f7c302ae23109 • CWE-787: Out-of-bounds Write •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31606 – usb: gadget: f_hid: don't call cdev_init while cdev in use
https://notcve.org/view.php?id=CVE-2026-31606
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: don't call cdev_init while cdev in use When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is still opened. This obviously unsafe behavior like oopes. This fixes this by using cdev_alloc to put the cdev on the heap. That way, we can simply allocate a new one in hidg_bind. • https://git.kernel.org/stable/c/cb382536052fcc7713988869b54a81137069e5a9 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31605 – fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
https://notcve.org/view.php?id=CVE-2026-31605
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash. • https://git.kernel.org/stable/c/59277b679f8b5ce594e367759256668eba652d0d •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31603 – staging: sm750fb: fix division by zero in ps_to_hz()
https://notcve.org/view.php?id=CVE-2026-31603
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: sm750fb: fix division by zero in ps_to_hz() ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO causes a division by zero. Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent with other framebuffer drivers. • https://git.kernel.org/stable/c/81dee67e215b23f0c98182eece122b906d35765a •