CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31584 – media: mediatek: vcodec: fix use-after-free in encoder release path
https://notcve.org/view.php?id=CVE-2026-31584
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix use-after-free in encoder release path The fops_vcodec_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->encode_work. This creates a race window where the workqueue handler (mtk_venc_worker) may still be accessing the context memory after it has been freed. Race condition: CPU 0 (release path) CPU 1 (workqueue) --------------------- ----------------... • https://git.kernel.org/stable/c/0934d37596151edce115c6d0843a9ad7d5e5d232 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31583 – media: em28xx: fix use-after-free in em28xx_v4l2_open()
https://notcve.org/view.php?id=CVE-2026-31583
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: media: em28xx: fix use-after-free in em28xx_v4l2_open() em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()'s error path and em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct and set dev->v4l2 to NULL under dev->lock. This race leads to two issues: - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler, since the video_device is embedded in the freed em28xx_v4l2 str... • https://git.kernel.org/stable/c/8139a4d583abad45eb987b5a99b3281b6d435b7e • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2026-31581 – ALSA: 6fire: fix use-after-free on disconnect
https://notcve.org/view.php?id=CVE-2026-31581
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6f... • https://git.kernel.org/stable/c/b754e831a94f82f2593af806741392903f359168 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31580 – bcache: fix cached_dev.sb_bio use-after-free and crash
https://notcve.org/view.php?id=CVE-2026-31580
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: ``` [6888366.280350] Call Trace: [6888366.280452] blk_update_request+0x14e/0x370 [6888366.280561] blk_mq_end_request+0x1a/0x130 [6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd] [6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd] [6888366.280903] __compl... • https://git.kernel.org/stable/c/cafe563591446cf80bfbc2fe3bc72a2e36cf1060 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31579 – wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit
https://notcve.org/view.php?id=CVE-2026-31579
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock. Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->ex... • https://git.kernel.org/stable/c/900575aa33a3eaaef802b31de187a85c4a4b4bd0 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31578 – media: as102: fix to not free memory after the device is registered in as102_usb_probe()
https://notcve.org/view.php?id=CVE-2026-31578
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... usb_register_dev(); fd = sys_open("/path/to/dev"); // open as102 fd .... usb_deregister_dev(); .... kfree(); // free as102_dev_t .... sys_close(fd); as102_release() // UAF!! as102_usb_release() kfree(); // DFB!! ``` When a USB c... • https://git.kernel.org/stable/c/cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2026-31577 – nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
https://notcve.org/view.php?id=CVE-2026-31577
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map The DAT inode's btree node cache (i_assoc_inode) is initialized lazily during btree operations. However, nilfs_mdt_save_to_shadow_map() assumes i_assoc_inode is already initialized when copying dirty pages to the shadow map during GC. If NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before any btree operation has occurred on the DAT inode, i_assoc_inod... • https://git.kernel.org/stable/c/e897be17a441fa637cd166fc3de1445131e57692 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31576 – media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
https://notcve.org/view.php?id=CVE-2026-31576
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_... • https://git.kernel.org/stable/c/8bc4a9ed85046c214458c9e82aea75d2f46cfffd • CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31570 – can: gw: fix OOB heap access in cgw_csum_crc8_rel()
https://notcve.org/view.php?id=CVE-2026-31570
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: can: gw: fix OOB heap access in cgw_csum_crc8_rel() cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx(): int from = calc_idx(crc8->from_idx, cf->len); int to = calc_idx(crc8->to_idx, cf->len); int res = calc_idx(crc8->result_idx, cf->len); if (from < 0 || to < 0 || res < 0) return; However, the loop and the result write then use the raw s8 fields directly instead of the computed variables: for (i = crc8->from_idx; ...)... • https://git.kernel.org/stable/c/456a8a646b2563438c16a9b27decf9aa717f1ebb • CWE-125: Out-of-bounds Read •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31568 – s390/mm: Add missing secure storage access fixups for donated memory
https://notcve.org/view.php?id=CVE-2026-31568
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: s390/mm: Add missing secure storage access fixups for donated memory There are special cases where secure storage access exceptions happen in a kernel context for pages that don't have the PG_arch_1 bit set. That bit is set for non-exported guest secure storage (memory) but is absent on storage donated to the Ultravisor since the kernel isn't allowed to export donated pages. Prior to this patch we would try to export the page by calling arc... • https://git.kernel.org/stable/c/084ea4d611a3d00ee3930400b262240e10895900 • CWE-125: Out-of-bounds Read •