CVSS: 7.5 • EPSS: 0% • CPEs: 8 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current broadcast round. Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts ...
https://git.kernel.org/stable/c/2f487712b89376fce267223bbb0db93d393d4b09 • CWE-191: Integer Underflow (Wrap or Wraparound)

CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmsmac: Fix dma_free_coherent() size
dma_alloc_consistent() may change the size to align it. The new size is saved in alloced. Change the free size to match the allocation size.
https://git.kernel.org/stable/c/5b435de0d786869c95d1962121af0d7df2542009

CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: allocate rx skb before consuming bytes
pn532_receive_buf() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already hand a complete frame to pn533_recv_frame() before allocating a fresh receive buffer. If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks t...
https://git.kernel.org/stable/c/c656aa4c27b17a8c70da223ed5ab42145800d6b5

CVSS: 9.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
batman-adv: reject oversized global TT response buffers
batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc(). The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocat...
https://git.kernel.org/stable/c/7ea7b4a142758deaf46c1af0ca9ceca6dd55138b

CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
When dma_map_single() fails in tse_start_xmit(), the function returns NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the stack the packet was consumed, the skb is never freed, leaking memory on every DMA mapping failure. Add dev_kfree_skb_any() before returning to properly free the skb.
https://git.kernel.org/stable/c/bbd2190ce96d8fce031f0526c1f970b68adc9d1a • CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 9.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
batman-adv: hold claim backbone gateways by reference
batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get...
https://git.kernel.org/stable/c/23721387c409087fd3b97e274f34d3ddc0970b74 • CWE-476: NULL Pointer Dereference

CVSS: 7.8 • EPSS: 0% • CPEs: 7 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
A use-after-free / refcount underflow is possible when the heartbeat worker and intel_engine_park_heartbeat() race to release the same engine->heartbeat.systole request. The heartbeat worker reads engine->heartbeat.systole and calls i915_request_put() on it when the request is complete, but clears the pointer in a separate, non-atomic step. Concurrently, a request retirement...
https://git.kernel.org/stable/c/058179e72e0956a2dfe4927db6cbe5fbfb2406aa • CWE-191: Integer Underflow (Wrap or Wraparound)

CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
Keep the NOC_HDCP clock always enabled to fix the potential hang caused by the NoC ADB400 port power down handshake.
https://git.kernel.org/stable/c/77b0ddb42add47748c661f714e6f4b116a6e8759

CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
mmc: vub300: fix NULL-deref on disconnect
Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free.
https://git.kernel.org/stable/c/88095e7b473a3d9ec3b9c60429576e9cbd327c89 • CWE-476: NULL Pointer Dereference

CVSS: 9.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix integer underflow in chain mode
The jumbo_frm() chain-mode implementation unconditionally computes
    len = nopaged_len - bmax;
where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):
    is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);
When a packet has a ...
https://git.kernel.org/stable/c/286a837217204b1ef105e3a554d0757e4fdfaac1 • CWE-190: Integer Overflow or Wraparound