CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31580 – bcache: fix cached_dev.sb_bio use-after-free and crash
https://notcve.org/view.php?id=CVE-2026-31580
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: ``` [6888366.280350] Call Trace: [6888366.280452] blk_update_request+0x14e/0x370 [6888366.280561] blk_mq_end_request+0x1a/0x130 [6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd] [6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd] [6888366.280903] __compl... • https://git.kernel.org/stable/c/cafe563591446cf80bfbc2fe3bc72a2e36cf1060 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31578 – media: as102: fix to not free memory after the device is registered in as102_usb_probe()
https://notcve.org/view.php?id=CVE-2026-31578
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... usb_register_dev(); fd = sys_open("/path/to/dev"); // open as102 fd .... usb_deregister_dev(); .... kfree(); // free as102_dev_t .... sys_close(fd); as102_release() // UAF!! as102_usb_release() kfree(); // DFB!! ``` When a USB c... • https://git.kernel.org/stable/c/cd19f7d3e39b3160595d56bb3e3a2bf4f7f4669c • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31546 – net: bonding: fix NULL deref in bond_debug_rlb_hash_show
https://notcve.org/view.php?id=CVE-2026-31546
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix NULL deref in bond_debug_rlb_hash_show rlb_clear_slave intentionally keeps RLB hash-table entries on the rx_hashtbl_used_head list with slave set to NULL when no replacement slave is available. However, bond_debug_rlb_hash_show visites client_info->slave without checking if it's NULL. Other used-list iterators in bond_alb.c already handle this NULL-slave state safely: - rlb_update_client returns early on !client_info->slav... • https://git.kernel.org/stable/c/caafa84251b886feb6cdf23d50e2cc99dcdaaaf3 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31527 – driver core: platform: use generic driver_override infrastructure
https://notcve.org/view.php?id=CVE-2026-31527
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: driver core: platform: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock h... • https://git.kernel.org/stable/c/3d713e0e382e6fcfb4bba1501645b66c129ad60b • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31521 – module: Fix kernel panic when a symbol st_shndx is out of bounds
https://notcve.org/view.php?id=CVE-2026-31521
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: module: Fix kernel panic when a symbol st_shndx is out of bounds The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31519 – btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
https://notcve.org/view.php?id=CVE-2026-31519
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like: drwxrwxrwt 1 root root 16 Jan 23 16:49 . drwxr-xr-x 1 root root 24 Jan 23 16:48 .. d????????? ? ? ? ? • https://git.kernel.org/stable/c/c71bf099abddf3e0fdc27f251ba76fca1461d49a • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31516 – xfrm: prevent policy_hthresh.work from racing with netns teardown
https://notcve.org/view.php?id=CVE-2026-31516
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: prevent policy_hthresh.work from racing with netns teardown A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. x... • https://git.kernel.org/stable/c/880a6fab8f6ba5b5abe59ea68533202ddea1012c • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31515 – af_key: validate families in pfkey_send_migrate()
https://notcve.org/view.php?id=CVE-2026-31515
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: af_key: validate families in pfkey_send_migrate() syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest(). [1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 en... • https://git.kernel.org/stable/c/08de61beab8a21c8e0b3906a97defda5f1f66ece • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31512 – Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
https://notcve.org/view.php?id=CVE-2026-31512
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv() l2cap_ecred_data_rcv() reads the SDU length field from skb->data using get_unaligned_le16() without first verifying that skb contains at least L2CAP_SDULEN_SIZE (2) bytes. When skb->len is less than 2, this reads past the valid data in the skb. The ERTM reassembly path correctly calls pskb_may_pull() before reading the SDU length (l2cap_reassemble_sdu,... • https://git.kernel.org/stable/c/aac23bf636593cc2d67144aed373a46a1a5f76b1 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31510 – Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
https://notcve.org/view.php?id=CVE-2026-31510
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb Before using sk pointer, check if it is null. Fix the following: KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267] CPU: 0 UID: 0 PID: 5985 Comm: kworker/0:5 Not tainted 7.0.0-rc4-00029-ga989fde763f4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-9.fc43 06/10/2025 Workqueue: events l2cap_info_timeout RIP: 0010:kasan_byte_accessi... • https://git.kernel.org/stable/c/54a59aa2b562872781d6a8fc89f300d360941691 • CWE-476: NULL Pointer Dereference •