CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31563 – net: macb: Use dev_consume_skb_any() to free TX SKBs
https://notcve.org/view.php?id=CVE-2026-31563
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: macb: Use dev_consume_skb_any() to free TX SKBs The napi_consume_skb() function is not intended to be called in an IRQ disabled context. However, after commit 6bc8a5098bf4 ("net: macb: Fix tx_ptr_lock locking"), the freeing of TX SKBs is performed with IRQs disabled. To resolve the following call trace, use dev_consume_skb_any() for freeing TX SKBs: WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/1... • https://git.kernel.org/stable/c/aeeafeb29b1b270302a9a85a13f7d70a68a3b9e6 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-31560 – spi: spi-dw-dma: fix print error log when wait finish transaction
https://notcve.org/view.php?id=CVE-2026-31560
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: spi-dw-dma: fix print error log when wait finish transaction If an error occurs, the device may not have a current message. In this case, the system will crash. In this case, it's better to use dev from the struct ctlr (struct spi_controller*). • https://git.kernel.org/stable/c/bdbdf0f06337d3661b64c0288c291cb06624065e •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31557 – nvmet: move async event work off nvmet-wq
https://notcve.org/view.php?id=CVE-2026-31557
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nvmet: move async event work off nvmet-wq For target nvmet_ctrl_free() flushes ctrl->async_event_work. If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue completion for the same worker:- A. Async event work queued on nvmet-wq (prior to disconnect): nvmet_execute_async_event() queue_work(nvmet_wq, &ctrl->async_event_work) nvmet_add_async_event() queue_work(nvmet_wq, &ctrl->async_event_work) B. Full pre-work chain (RDMA CM p... • https://git.kernel.org/stable/c/8832cf922151e9dfa2821736beb0ae2dd3968b6e •
CVSS: 5.5EPSS: 0%CPEs: 13EXPL: 0CVE-2026-31555 – futex: Clear stale exiting pointer in futex_lock_pi() retry path
https://notcve.org/view.php?id=CVE-2026-31555
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: futex: Clear stale exiting pointer in futex_lock_pi() retry path Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524 When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex... • https://git.kernel.org/stable/c/3ef240eaff36b8119ac9e2ea17cbf41179c930ba •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31552 – wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
https://notcve.org/view.php?id=CVE-2026-31552
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push"), wl1271_tx_allocate() and with it wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. However, in wlcore_tx_work_locked(), a return value of -EAGAIN from wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being full. This causes the code to... • https://git.kernel.org/stable/c/88295a55fefe5414e64293638b6f7549646e58ed • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31551 – wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
https://notcve.org/view.php?id=CVE-2026-31551
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix static_branch_dec() underflow for aql_disable. syzbot reported static_branch_dec() underflow in aql_enable_write(). [0] The problem is that aql_enable_write() does not serialise concurrent write()s to the debugfs. aql_enable_write() checks static_key_false(&aql_disable.key) and later calls static_branch_inc() or static_branch_dec(), but the state may change between the two calls. aql_disable does not need to track inc/de... • https://git.kernel.org/stable/c/e908435e402aff23c9b0b3c59c7cd12b08b681b0 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31550 – pmdomain: bcm: bcm2835-power: Increase ASB control timeout
https://notcve.org/view.php?id=CVE-2026-31550
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: pmdomain: bcm: bcm2835-power: Increase ASB control timeout The bcm2835_asb_control() function uses a tight polling loop to wait for the ASB bridge to acknowledge a request. During intensive workloads, this handshake intermittently fails for V3D's master ASB on BCM2711, resulting in "Failed to disable ASB master for v3d" errors during runtime PM suspend. As a consequence, the failed power-off leaves V3D in a broken state, leading to bus faul... • https://git.kernel.org/stable/c/670c672608a1ffcbc7ac0f872734843593bb8b15 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31549 – i2c: cp2615: fix serial string NULL-deref at probe
https://notcve.org/view.php?id=CVE-2026-31549
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: i2c: cp2615: fix serial string NULL-deref at probe The cp2615 driver uses the USB device serial string as the i2c adapter name but does not make sure that the string exists. Verify that the device has a serial number before accessing it to avoid triggering a NULL-pointer dereference (e.g. with malicious devices). • https://git.kernel.org/stable/c/4a7695429eade517b07ea72f9ec366130e81a076 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31548 – wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
https://notcve.org/view.php?id=CVE-2026-31548
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down When the nl80211 socket that originated a PMSR request is closed, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules pmsr_free_wk to process the abort asynchronously. If the interface is concurrently torn down before that work runs, cfg80211_pmsr_wdev_down() calls cfg80211_pmsr_process_abort() directly. However, the already- scheduled pmsr_free_wk work it... • https://git.kernel.org/stable/c/9bb7e0f24e7e7d00daa1219b14539e2e602649b2 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31546 – net: bonding: fix NULL deref in bond_debug_rlb_hash_show
https://notcve.org/view.php?id=CVE-2026-31546
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix NULL deref in bond_debug_rlb_hash_show rlb_clear_slave intentionally keeps RLB hash-table entries on the rx_hashtbl_used_head list with slave set to NULL when no replacement slave is available. However, bond_debug_rlb_hash_show visites client_info->slave without checking if it's NULL. Other used-list iterators in bond_alb.c already handle this NULL-slave state safely: - rlb_update_client returns early on !client_info->slav... • https://git.kernel.org/stable/c/caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 •