CVSS: 5.5 • EPSS: 0% • CPEs: 3 • EXPL: 0
CVE-2026-31692 – rtnetlink: add missing netlink_ns_capable() check for peer netns
https://notcve.org/view.php?id=CVE-2026-31692
30 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
rtnetlink: add missing netlink_ns_capable() check for peer netns
rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer network namespace when creating paired devices (veth, vxcan, netkit). This allows an unprivileged user with a user namespace to create interfaces in arbitrary network namespaces, including init_net. Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer namespace before allowing device creation to procee...
https://git.kernel.org/stable/c/81adee47dfb608df3ad0b91d230fb3cef75f0060
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0
CVE-2026-31787 – xen/privcmd: fix double free via VMA splitting
https://notcve.org/view.php?id=CVE-2026-31787
30 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback. Both ...
https://git.kernel.org/stable/c/d71f513985c22f1050295d1a7e4327cf9fb060da
CWE-415: Double Free
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0
CVE-2026-31786 – Buffer overflow in drivers/xen/sys-hypervisor.c
https://notcve.org/view.php?id=CVE-2026-31786
30 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
Buffer overflow in drivers/xen/sys-hypervisor.c
The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL.
00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017
So use a memcpy instead of sprintf to have the correct value: 00...
https://git.kernel.org/stable/c/84b7625728ea311ea35bdaa0eded53c1c56baeaa
CWE-787: Out-of-bounds Write
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31689 – EDAC/mc: Fix error path ordering in edac_mc_alloc()
https://notcve.org/view.php?id=CVE-2026-31689
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
EDAC/mc: Fix error path ordering in edac_mc_alloc()
When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function. However, the init ordering is wrong such that device_initialize() happens *after* the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called:
MCE: In-kernel MCE decoding ...
https://git.kernel.org/stable/c/0bbb265f7089584aaa6d440805ca75ea4f3930d4
CVSS: - • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2026-31688 – driver core: enforce device_lock for driver_match_device()
https://notcve.org/view.php?id=CVE-2026-31688
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
driver core: enforce device_lock for driver_match_device()
Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held. Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a ...
https://git.kernel.org/stable/c/49b420a13ff95b449947181190b08367348e3e1b
CVSS: - • EPSS: 0% • CPEs: 11 • EXPL: 0
CVE-2026-31687 – gpio: omap: do not register driver in probe()
https://notcve.org/view.php?id=CVE-2026-31687
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
gpio: omap: do not register driver in probe()
Commit 11a78b794496 ("ARM: OMAP: MPUIO wake updates") registers the omap_mpuio_driver from omap_mpuio_init(), which is called from omap_gpio_probe(). However, it neither makes sense to register drivers from probe() callbacks of other drivers, nor does the driver core allow registering drivers with a device lock already being held. The latter was revealed by commit dc23806a7c47 ("driver core: enf...
https://git.kernel.org/stable/c/11a78b7944963a8b052be46108d07a3ced9e2762
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31686 – mm/kasan: fix double free for kasan pXds
https://notcve.org/view.php?id=CVE-2026-31686
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
mm/kasan: fix double free for kasan pXds
kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. in the case of powerpc with 64K pagesize, the PUD table (of size 4096) comes from the slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument.
https://git.kernel.org/stable/c/0207df4fa1a869281ddbf72db6203dbf036b3e1a
CVSS: 9.4 • EPSS: 0% • CPEs: 5 • EXPL: 0
CVE-2026-31685 – netfilter: ip6t_eui64: reject invalid MAC header for all packets
https://notcve.org/view.php?id=CVE-2026-31685
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_eui64: reject invalid MAC header for all packets
`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff ...
https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31684 – net: sched: act_csum: validate nested VLAN headers
https://notcve.org/view.php?id=CVE-2026-31684
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_csum: validate nested VLAN headers
tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area...
https://git.kernel.org/stable/c/2ecba2d1e45b24620a7c3df9531895cf68d5dec6
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0
CVE-2026-31683 – batman-adv: avoid OGM aggregation when skb tailroom is insufficient
https://notcve.org/view.php?id=CVE-2026-31683
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
batman-adv: avoid OGM aggregation when skb tailroom is insufficient
When OGM aggregation state is toggled at runtime, an existing forwarded packet may have been allocated with only packet_len bytes, while a later packet can still be selected for aggregation. Appending in this case can hit skb_put overflow conditions. Reject aggregation when the target skb tailroom cannot accommodate the new packet. The caller then falls back to creating a n...
https://git.kernel.org/stable/c/c6c8fea29769d998d94fcec9b9f14d4b52b349d3
