CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-31522 – HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
https://notcve.org/view.php?id=CVE-2026-31522
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: avoid memory leak in magicmouse_report_fixup() The magicmouse_report_fixup() function was returning a newly kmemdup()-allocated buffer, but never freeing it. The caller of report_fixup() does not take ownership of the returned pointer, but it *is* permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller.
• https://git.kernel.org/stable/c/e6ad399596bd234be4722022146e33e15c7e424d
• CWE-401: Missing Release of Memory after Effective Lifetime
CVSS: 5.5 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2026-31521 – module: Fix kernel panic when a symbol st_shndx is out of bounds
https://notcve.org/view.php?id=CVE-2026-31521
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: module: Fix kernel panic when a symbol st_shndx is out of bounds The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_...
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
• CWE-787: Out-of-bounds Write
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-31520 – HID: apple: avoid memory leak in apple_report_fixup()
https://notcve.org/view.php?id=CVE-2026-31520
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: apple: avoid memory leak in apple_report_fixup() The apple_report_fixup() function was returning a newly kmemdup()-allocated buffer, but never freeing it. The caller of report_fixup() does not take ownership of the returned pointer, but it *is* permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller.
• https://git.kernel.org/stable/c/6e143293e17a73c9313f91c5ca3aaacbaef030cf
• CWE-401: Missing Release of Memory after Effective Lifetime
CVSS: 5.5 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2026-31519 – btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
https://notcve.org/view.php?id=CVE-2026-31519
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like: drwxrwxrwt 1 root root 16 Jan 23 16:49 . drwxr-xr-x 1 root root 24 Jan 23 16:48 .. d????????? ? ? ? ?
• https://git.kernel.org/stable/c/c71bf099abddf3e0fdc27f251ba76fca1461d49a
• CWE-476: NULL Pointer Dereference
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-31518 – esp: fix skb leak with espintcp and async crypto
https://notcve.org/view.php?id=CVE-2026-31518
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us. With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error.
• https://git.kernel.org/stable/c/e27cca96cd68fa2c6814c90f9a1cfd36bb68c593
• CWE-401: Missing Release of Memory after Effective Lifetime
CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2026-31516 – xfrm: prevent policy_hthresh.work from racing with netns teardown
https://notcve.org/view.php?id=CVE-2026-31516
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: prevent policy_hthresh.work from racing with netns teardown A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. x...
• https://git.kernel.org/stable/c/880a6fab8f6ba5b5abe59ea68533202ddea1012c
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-31515 – af_key: validate families in pfkey_send_migrate()
https://notcve.org/view.php?id=CVE-2026-31515
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: af_key: validate families in pfkey_send_migrate() syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest(). [1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 en...
• https://git.kernel.org/stable/c/08de61beab8a21c8e0b3906a97defda5f1f66ece
• CWE-476: NULL Pointer Dereference
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-31512 – Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
https://notcve.org/view.php?id=CVE-2026-31512
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu,...
• https://git.kernel.org/stable/c/aac23bf636593cc2d67144aed373a46a1a5f76b1
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-31510 – Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
https://notcve.org/view.php?id=CVE-2026-31510
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb Before using sk pointer, check if it is null. Fix the following: KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267] CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025 Workqueue: events l2cap_info_timeout RIP: 0010:kasan_byte_accessi...
• https://git.kernel.org/stable/c/54a59aa2b562872781d6a8fc89f300d360941691
• CWE-476: NULL Pointer Dereference
CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-31509 – nfc: nci: fix circular locking dependency in nci_close_device
https://notcve.org/view.php?id=CVE-2026-31509
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nci_close_device nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too: nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock) Move ...
• https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8
• CWE-667: Improper Locking
