CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31682 – bridge: br_nd_send: linearize skb before parsing ND options
https://notcve.org/view.php?id=CVE-2026-31682
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns fr... • https://git.kernel.org/stable/c/ed842faeb2bd49256f00485402f3113205f91d30 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31681 – netfilter: xt_multiport: validate range encoding in checkentry
https://notcve.org/view.php?id=CVE-2026-31681
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_multiport: validate range encoding in checkentry ports_match_v1() treats any non-zero pflags entry as the start of a port range and unconditionally consumes the next ports[] element as the range end. The checkentry path currently validates protocol, flags and count, but it does not validate the range encoding itself. As a result, malformed rules can mark the last slot as a range start or place two range starts back to back, le... • https://git.kernel.org/stable/c/a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31680 – net: ipv6: flowlabel: defer exclusive option free until RCU teardown
https://notcve.org/view.php?id=CVE-2026-31680
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection... • https://git.kernel.org/stable/c/d3aedd5ebd4b0b925b0bcda548066803e1318499 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31679 – openvswitch: validate MPLS set/set_masked payload length
https://notcve.org/view.php?id=CVE-2026-31679
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: openvswitch: validate MPLS set/set_masked payload length validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for SET/SET_MASKED actions. In action handling, OVS expects fixed-size MPLS key data (struct ovs_key_mpls). Use the already normalized key_len (masked case included) and reject non-matching MPLS action key sizes. Reject invalid MPLS action payload lengths early. • https://git.kernel.org/stable/c/fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31678 – openvswitch: defer tunnel netdev_put to RCU release
https://notcve.org/view.php?id=CVE-2026-31678
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional sync... • https://git.kernel.org/stable/c/a9020fde67a6eb77f8130feff633189f99264db1 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31677 – crypto: af_alg - limit RX SG extraction by receive buffer budget
https://notcve.org/view.php?id=CVE-2026-31677
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - limit RX SG extraction by receive buffer budget Make af_alg_get_rsgl() limit each RX scatterlist extraction to the remaining receive buffer budget. af_alg_get_rsgl() currently uses af_alg_readable() only as a gate before extracting data into the RX scatterlist. Limit each extraction to the remaining af_alg_rcvbuf(sk) budget so that receive-side accounting matches the amount of data attached to the request. If skcipher canno... • https://git.kernel.org/stable/c/e870456d8e7c8d57c059ea479b5aadbb55ff4c3a •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31676 – rxrpc: only handle RESPONSE during service challenge
https://notcve.org/view.php?id=CVE-2026-31676
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup pat... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31675 – net/sched: sch_netem: fix out-of-bounds access in packet corruption
https://notcve.org/view.php?id=CVE-2026-31675
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using... • https://git.kernel.org/stable/c/c865e5d99e25a171e8262fc0f7ba608568633c64 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31674 – netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
https://notcve.org/view.php?id=CVE-2026-31674
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31673 – af_unix: read UNIX_DIAG_VFS data under unix_state_lock
https://notcve.org/view.php?id=CVE-2026-31673
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being... • https://git.kernel.org/stable/c/5f7b0569460b7d8d01ca776430a00505a68b7584 •