CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31495 – netfilter: ctnetlink: use netlink policy range checks
https://notcve.org/view.php?id=CVE-2026-31495
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use netlink policy range checks Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors. - CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at policy level, removing the manual >= TCP_CONNTRACK_MAX check. - CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE... • https://git.kernel.org/stable/c/c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31494 – net: macb: use the current queue number for stats
https://notcve.org/view.php?id=CVE-2026-31494
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: macb: use the current queue number for stats There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gem_get_sset_count() correctly computes the number of stats based on the active queues, whereas gem_get_ethtool_stats() indiscriminately copies data using the maximum number of queues, and in the case the number of active queues is less than MACB_MAX_QUEUES, this results in a OOB write a... • https://git.kernel.org/stable/c/512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31493 – RDMA/efa: Fix use of completion ctx after free
https://notcve.org/view.php?id=CVE-2026-31493
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again). Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc ... • https://git.kernel.org/stable/c/68fb9f3e312a36e49fd05ec2d6b668daf2c4931a • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31492 – RDMA/irdma: Initialize free_qp completion before using it
https://notcve.org/view.php?id=CVE-2026-31492
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Initialize free_qp completion before using it In irdma_create_qp, if ib_copy_to_udata fails, it will call irdma_destroy_qp to clean up which will attempt to wait on the free_qp completion, which is not initialized yet. Fix this by initializing the completion before the ib_copy_to_udata call. • https://git.kernel.org/stable/c/b48c24c2d710cf34810c555dcef883a3d35a9c08 • CWE-908: Use of Uninitialized Resource •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2026-31489 – spi: meson-spicc: Fix double-put in remove path
https://notcve.org/view.php?id=CVE-2026-31489
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: meson-spicc: Fix double-put in remove path meson_spicc_probe() registers the controller with devm_spi_register_controller(), so teardown already drops the controller reference via devm cleanup. Calling spi_controller_put() again in meson_spicc_remove() causes a double-put. • https://git.kernel.org/stable/c/8311ee2164c5cd1b63a601ea366f540eae89f10e • CWE-415: Double Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31488 – drm/amd/display: Do not skip unrelated mode changes in DSC validation
https://notcve.org/view.php?id=CVE-2026-31488
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not skip unrelated mode changes in DSC validation Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), amdgpu resets the CRTC state mode_changed flag to false when recomputing the DSC configuration results in no timing change for a particular stream. However, this is incorrect in scenarios where a change in MST/DSC configuration happens in the same KMS commit as another (unrelate... • https://git.kernel.org/stable/c/17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31487 – spi: use generic driver_override infrastructure
https://notcve.org/view.php?id=CVE-2026-31487
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional... • https://git.kernel.org/stable/c/5039563e7c25eccd7fec1de6706011009d1c5665 • CWE-667: Improper Locking •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31486 – hwmon: (pmbus/core) Protect regulator operations with mutex
https://notcve.org/view.php?id=CVE-2026-31486
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_not... • https://git.kernel.org/stable/c/ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7 • CWE-667: Improper Locking •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31485 – spi: spi-fsl-lpspi: fix teardown order issue (UAF)
https://notcve.org/view.php?id=CVE-2026-31485
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-lpspi: fix teardown order issue (UAF) There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns. As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free: ... • https://git.kernel.org/stable/c/5314987de5e5f5e38436ef4a69328bc472bbd63e • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31483 – s390/syscalls: Add spectre boundary for syscall dispatch table
https://notcve.org/view.php?id=CVE-2026-31483
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: s390/syscalls: Add spectre boundary for syscall dispatch table The s390 syscall number is directly controlled by userspace, but does not have an array_index_nospec() boundary to prevent access past the syscall function pointer tables. • https://git.kernel.org/stable/c/56e62a73702836017564eaacd5212e4d0fa1c01d •