CVSS: 5.5 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31615 – usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
https://notcve.org/view.php?id=CVE-2026-31615
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by validating the number of endpoints actually match up with the number the device has before attempting to dereference a pointer based on this math. This is just like what was done in commit ee0d382feb44 ("usb: gadg... • https://git.kernel.org/stable/c/746bfe63bba37ad55956b7377c9af494e7e28929 • CWE-476: NULL Pointer Dereference •
CVSS: 9.8 • EPSS: 0% • CPEs: 11 • EXPL: 0
CVE-2026-31607 – usbip: validate number_of_packets in usbip_pack_ret_submit()
https://notcve.org/view.php?id=CVE-2026-31607
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets fr... • https://git.kernel.org/stable/c/1325f85fa49f57df034869de430f7c302ae23109 • CWE-787: Out-of-bounds Write •
CVSS: - • EPSS: 0% • CPEs: 5 • EXPL: 0
CVE-2026-31606 – usb: gadget: f_hid: don't call cdev_init while cdev in use
https://notcve.org/view.php?id=CVE-2026-31606
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: don't call cdev_init while cdev in use When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is still opened. This obviously leads to unsafe behavior like oopses. This fixes this by using cdev_alloc to put the cdev on the heap. That way, we can simply allocate a new one in hidg_bind. • https://git.kernel.org/stable/c/cb382536052fcc7713988869b54a81137069e5a9 •
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31605 – fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
https://notcve.org/view.php?id=CVE-2026-31605
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash. • https://git.kernel.org/stable/c/59277b679f8b5ce594e367759256668eba652d0d •
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31603 – staging: sm750fb: fix division by zero in ps_to_hz()
https://notcve.org/view.php?id=CVE-2026-31603
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: sm750fb: fix division by zero in ps_to_hz() ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO causes a division by zero. Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent with other framebuffer drivers. • https://git.kernel.org/stable/c/81dee67e215b23f0c98182eece122b906d35765a •
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31602 – ALSA: ctxfi: Limit PTP to a single page
https://notcve.org/view.php?id=CVE-2026-31602
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Limit PTP to a single page Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the additional pages are not used by the card correctly. The CT20K2 hardware already has multiple VMEM_PTPAL registers, but using them separately would require refactoring the entire virtual memory allocation logic. ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of CT_PTP_NUM. On AMD64 systems, a sing... • https://git.kernel.org/stable/c/391e69143d0a05f960e3ab39a8c26b7b230bb8a9 •
CVSS: 7.5 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31598 – ocfs2: fix possible deadlock between unlink and dio_end_io_write
https://notcve.org/view.php?id=CVE-2026-31598
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible deadlock between unlink and dio_end_io_write ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. This creates an ABBA lock ordering violation on lock classes ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and ocfs2_file_ip_alloc_sem_key. Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem): ocfs2_unlink ocfs2_prepare_orphan_dir... • https://git.kernel.org/stable/c/a86a72a4a4e0ec109a98e2737948864ed6794bf7 •
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31597 – ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
https://notcve.org/view.php?id=CVE-2026-31597
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c: "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()." When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_faul... • https://git.kernel.org/stable/c/614a9e849ca6ea24843795251cb30af525d5336b •
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31596 – ocfs2: handle invalid dinode in ocfs2_group_extend
https://notcve.org/view.php?id=CVE-2026-31596
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: handle invalid dinode in ocfs2_group_extend [BUG] kernel BUG at fs/ocfs2/resize.c:308! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308 Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe Call Trace: ... ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioct... • https://git.kernel.org/stable/c/10995aa2451afa20b721cc7de856cae1a13dba57 •
CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-31588 – KVM: x86: Use scratch field in MMIO fragment to hold small write values
https://notcve.org/view.php?id=CVE-2026-31588
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Use scratch field in MMIO fragment to hold small write values When exiting to userspace to service an emulated MMIO write, copy the to-be-written value to a scratch field in the MMIO fragment if the size of the data payload is 8 bytes or less, i.e. can fit in a single chunk, instead of pointing the fragment directly at the source value. This fixes a class of use-after-free bugs that occur when the emulator initiates a write using ... • https://git.kernel.org/stable/c/f78146b0f9230765c6315b2e14f56112513389ad •
