CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31639 – rxrpc: Fix key reference count leak from call->key
https://notcve.org/view.php?id=CVE-2026-31639
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix key reference count leak from call->key When creating a client call in rxrpc_alloc_client_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by freeing call->key in rxrpc_destroy_call(). Before the patch, it shows the key reference counter elevated: $ cat /proc/keys | grep afs@54321 1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka $ A... • https://git.kernel.org/stable/c/f3441d4125fc98995858550a5521b8d7daf0504a •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31638 – rxrpc: Only put the call ref if one was acquired
https://notcve.org/view.php?id=CVE-2026-31638
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel cra... • https://git.kernel.org/stable/c/5e6ef4f1017c7f844e305283bbd8875af475e2fc • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31637 – rxrpc: reject undecryptable rxkad response tickets
https://notcve.org/view.php?id=CVE-2026-31637
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKAD... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31634 – rxrpc: fix reference count leak in rxrpc_server_keyring()
https://notcve.org/view.php?id=CVE-2026-31634
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpc_server_keyring() This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set. • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31630 – rxrpc: proc: size address buffers for %pISpc output
https://notcve.org/view.php?id=CVE-2026-31630
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: proc: size address buffers for %pISpc output The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap(). As a result, a case suc... • https://git.kernel.org/stable/c/75b54cb57ca34cbe7a87c6ac757c55360a624590 •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31629 – nfc: llcp: add missing return after LLCP_CLOSED checks
https://notcve.org/view.php?id=CVE-2026-31629
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), lea... • https://git.kernel.org/stable/c/d646960f7986fefb460a2b062d5ccc8ccfeacc3a • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2026-31628 – x86/CPU: Fix FPDSS on Zen1
https://notcve.org/view.php?id=CVE-2026-31628
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/CPU: Fix FPDSS on Zen1 Zen1's hardware divider can leave, under certain circumstances, partial results from previous operations. Those results can be leaked by another, attacker thread. Fix that with a chicken bit. • https://git.kernel.org/stable/c/f7f3dc00f61261cdc9ccd8b886f21bc4dffd6fd9 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31627 – i2c: s3c24xx: check the size of the SMBUS message before using it
https://notcve.org/view.php?id=CVE-2026-31627
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it. This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver. • https://git.kernel.org/stable/c/85747311ecb6167c989093c64a13807366fdd3a9 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31626 – staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
https://notcve.org/view.php?id=CVE-2026-31626
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) variable, leaving the last two bytes uninitialized: drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes) Initializing the variable at the start of the function... • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b • CWE-908: Use of Uninitialized Resource •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31625 – HID: alps: fix NULL pointer dereference in alps_raw_event()
https://notcve.org/view.php?id=CVE-2026-31625
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event() Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), but the alps driver was missed. Fix this up by properly checking in the hid-alps driver that it had been claimed correctl... • https://git.kernel.org/stable/c/73196ebe134d11a68a2e27814c489d685cfc8b03 • CWE-476: NULL Pointer Dereference •