CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31672 – wifi: rt2x00usb: fix devres lifetime
https://notcve.org/view.php?id=CVE-2026-31672
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
wifi: rt2x00usb: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the USB anchor lifetime so that it is released on driver unbind.
• https://git.kernel.org/stable/c/8b4c0009313f3d42e2540e3e1f776097dd0db73d
• CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31671 – xfrm_user: fix info leak in build_report()
https://notcve.org/view.php?id=CVE-2026-31671
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
xfrm_user: fix info leak in build_report()
struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector, which means there are three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables.
• https://git.kernel.org/stable/c/97a64b4577ae2bc5599dbd008a3cd9e25de9b9f5
• CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31670 – net: rfkill: prevent unlimited numbers of rfkill events from being created
https://notcve.org/view.php?id=CVE-2026-31670
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: prevent unlimited numbers of rfkill events from being created
Userspace can create an unlimited number of rfkill events if the system is so configured, while not consuming them from the rfkill file descriptor, causing a potential out of memory situation. Prevent this by bounding the number of pending rfkill events at a "large" number (i.e. 1000) to prevent abuses like this.
• https://git.kernel.org/stable/c/c64fb01627e24725d1f9d535e4426475a4415753

CVSS: 9.8 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-31669 – mptcp: fix slab-use-after-free in __inet_lookup_established
https://notcve.org/view.php?id=CVE-2026-31669
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_ini...
• https://git.kernel.org/stable/c/b19bc2945b40b9fd38e835700907ffe8534ef0de
• CWE-416: Use After Free

CVSS: 9.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31668 – seg6: separate dst_cache for input and output paths in seg6 lwtunnel
https://notcve.org/view.php?id=CVE-2026-31668
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own ...
• https://git.kernel.org/stable/c/6c8702c60b88651072460f3f4026c7dfe2521d12

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31667 – Input: uinput - fix circular locking dependency with ff-core
https://notcve.org/view.php?id=CVE-2026-31667
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - fix circular locking dependency with ff-core
A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN RING under Wine with a Flydigi Vader 5 controller):
ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex
The cycle is caused by four lock acquisition paths:
1. ff upload: input_ff_upload() holds ff->mutex and calls ui...
• https://git.kernel.org/stable/c/ff462551235d8d7d843a005950bc90924fcedede
• CWE-667: Improper Locking

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-31666 – btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()
https://notcve.org/view.php?id=CVE-2026-31666
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()
After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of ...
• https://git.kernel.org/stable/c/1618aa3c2e0163f5ac34d514ae89474521910536

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-31665 – netfilter: nft_ct: fix use-after-free in timeout object destroy
https://notcve.org/view.php?id=CVE-2026-31665
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: fix use-after-free in timeout object destroy
nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freei...
• https://git.kernel.org/stable/c/7e0b2b57f01d183e1c84114f1f2287737358d748
• CWE-416: Use After Free

CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31664 – xfrm: clear trailing padding in build_polexpire()
https://notcve.org/view.php?id=CVE-2026-31664
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
xfrm: clear trailing padding in build_polexpire()
build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners...
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31663 – xfrm: hold dev ref until after transport_finish NF_HOOK
https://notcve.org/view.php?id=CVE-2026-31663
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
xfrm: hold dev ref until after transport_finish NF_HOOK
After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer si...
• https://git.kernel.org/stable/c/acf568ee859f098279eadf551612f103afdacb4e
