CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31508 – net: openvswitch: Avoid releasing netdev before teardown completes
https://notcve.org/view.php?id=CVE-2026-31508
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Avoid releasing netdev before teardown completes The patch cited in the Fixes tag below changed the teardown code for OVS ports to no longer unconditionally take the RTNL. After this change, the netdev_destroy() callback can proceed immediately to the call_rcu() invocation if the IFF_OVS_DATAPATH flag is already cleared on the netdev. The ovs_netdev_detach_dev() function clears the flag before completing the unregistration... • https://git.kernel.org/stable/c/b823c3344d5446b720227ba561df10a4f0add515 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31507 – net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
https://notcve.org/view.php?id=CVE-2026-31507
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores the pointer in pipe_buffer.private. The pipe_buf_operations for these buffers used .get = generic_pipe_buf_get, which only increments the page reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv pointer itself was not handled, so after tee() both the original and the clone... • https://git.kernel.org/stable/c/9014db202cb764b8e14c53e7bacc81f9a1a2ba7f • CWE-415: Double Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31505 – iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
https://notcve.org/view.php?id=CVE-2026-31505
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the value could change in runtime, we should use num_tx_queues instead. Moreover iavf_get_ethtool_stats() uses num_active_queues while iavf_get_sset_count() and iavf_get_stat_strings() use real_num_tx_queues, which triggers out-of-bounds writes when we do "ethtool -L" and "ethtool -S" simultaneously [1]. For example wh... • https://git.kernel.org/stable/c/64430f70ba6fcd5872ac190f4ae3ddee3f48f00d • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31504 – net: fix fanout UAF in packet_release() via NETDEV_UP race
https://notcve.org/view.php?id=CVE-2026-31504
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches... • https://git.kernel.org/stable/c/ce06b03e60fc19c680d1bf873e779bf11c2fc518 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31503 – udp: Fix wildcard bind conflict check when using hash2
https://notcve.org/view.php?id=CVE-2026-31503
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: udp: Fix wildcard bind conflict check when using hash2 When binding a udp_sock to a local address and port, UDP uses two hashes (udptable->hash and udptable->hash2) for collision detection. The current code switches to "hash2" when hslot->count > 10. "hash2" is keyed by local address and local port. "hash" is keyed by local port only. The issue can be shown in the following bind sequence (pseudo code): bind(fd1, "[fd00::1]:8888") bind(fd2, ... • https://git.kernel.org/stable/c/30fff9231fad757c061285e347b33c5149c2c2e4 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31502 – team: fix header_ops type confusion with non-Ethernet ports
https://notcve.org/view.php?id=CVE-2026-31502
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: team: fix header_ops type confusion with non-Ethernet ports Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion. For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so... • https://git.kernel.org/stable/c/1d76efe1577b4323609b1bcbfafa8b731eda071a • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31500 – Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
https://notcve.org/view.php?id=CVE-2026-31500
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the respons... • https://git.kernel.org/stable/c/973bb97e5aee56edddaae3d5c96877101ad509c0 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 13EXPL: 0CVE-2026-31498 – Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
https://notcve.org/view.php?id=CVE-2026-31498
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED state to support L2CAP reconfiguration (e.g. MTU changes). However, since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from the initial configuration, the reconfiguration path falls through to l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing the p... • https://git.kernel.org/stable/c/96298f640104e4cd9a913a6e50b0b981829b94ff • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31497 – Bluetooth: btusb: clamp SCO altsetting table indices
https://notcve.org/view.php?id=CVE-2026-31497
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: clamp SCO altsetting table indices btusb_work() maps the number of active SCO links to USB alternate settings through a three-entry lookup table when CVSD traffic uses transparent voice settings. The lookup currently indexes alts[] with data->sco_num - 1 without first constraining sco_num to the number of available table entries. While the table only defines alternate settings for up to three SCO links, data->sco_num comes... • https://git.kernel.org/stable/c/baac6276c0a9f36f1fe1f00590ef00d2ba5ba626 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31496 – netfilter: nf_conntrack_expect: skip expectations in other netns via proc
https://notcve.org/view.php?id=CVE-2026-31496
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's conntrack entries via proc"). • https://git.kernel.org/stable/c/9b03f38d0487f3908696242286d934c9b38f9d2a •