CVSS: 5.5 • EPSS: 0% • CPEs: 7 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix potential deadlock in cpu hotplug with osnoise

The following sequence may lead to a deadlock in cpu hotplug:

    task1                          task2                      task3
    -----                          -----                      -----
    mutex_lock(&interface_lock)
                                   [CPU GOING OFFLINE]
                                   cpus_write_lock();
                                   osnoise_cpu_die();
                                   kthread_stop(task3);
                                   wait_for_completion();
                                                              osnoise_sleep();
                                                              mutex_lock(&interface_lock);
    cpus_read_lock();
    [DEAD LOCK]

Fix by swapping the order of cpus_read_lock() and mutex_lock(&interface_lock).

• https://git.kernel.org/stable/c/bce29ac9ce0bb0b0b146b687ab978378c21e9078 • CWE-667: Improper Locking •

CVSS: 9.8 • EPSS: 0% • CPEs: 7 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct... • https://git.kernel.org/stable/c/f2283680a80571ca82d710bc6ecd8f8beac67d63 •

CVSS: 7.5 • EPSS: 0% • CPEs: 6 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix memory leaks and NULL deref in smb2_lock() smb2_lock() has three error handling issues after list_del() detaches smb_lock from lock_list at no_check_cl: 1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK path, goto out leaks smb_lock and its flock because the out: handler only iterates lock_list and rollback_list, neither of which contains the detached smb_lock. 2) If vfs_lock_file() returns -ENOENT in the UNLOCK... • https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 • CWE-476: NULL Pointer Dereference •

CVSS: 8.2 • EPSS: 0% • CPEs: 6 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: do not expire session on binding failure When a multichannel session binding request fails (e.g. wrong password), the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. However, during binding, sess points to the target session looked up via ksmbd_session_lookup_slowpath() -- which belongs to another connection's user. This allows a remote attacker to invalidate any active session by simply sending a binding request ... • https://git.kernel.org/stable/c/f5a544e3bab78142207e0242d22442db85ba1eff •

CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports. We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so... • https://git.kernel.org/stable/c/6093d3002eabd7c2913d97f1d1f4ce34b072acf9 • CWE-416: Use After Free •

CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag is cleared (e.g., during the configuration of tc route filter rules). When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted ... • https://git.kernel.org/stable/c/f2fc6a54585a1be6669613a31fbaba2ecbadcd36 •

CVSS: 7.5 • EPSS: 0% • CPEs: 7 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: erofs: add GFP_NOIO in the bio completion if needed The bio completion path in the process context (e.g. dm-verity) will directly call into decompression rather than trigger another workqueue context for minimal scheduling latencies, which can then call vm_map_ram() with GFP_KERNEL. Due to insufficient memory, vm_map_ram() may generate memory swapping I/O, which can cause submit_bio_wait to deadlock in some scenarios. Trimmed down the call ... • https://git.kernel.org/stable/c/648f2de053a882c87c05f0060f47d3b11841fdbe •

CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix folio isn't locked in softleaf_to_folio() On an arm64 server, we found that a folio obtained from a migration entry isn't locked in softleaf_to_folio(). This issue triggers when mTHP splitting and zap_nonpresent_ptes() race, and the root cause is the lack of a memory barrier in softleaf_to_folio(). The race is as follows: CPU0 CPU1 deferred_split_scan() zap_nonpresent_ptes() lock folio split_folio() unmap_folio() change ptes to migration... • https://git.kernel.org/stable/c/e9b61f19858a5d6c42ce2298cf138279375d0d9b •

CVSS: 8.1 • EPSS: 0% • CPEs: 8 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access k... • https://git.kernel.org/stable/c/072b91f9c6510d0ec4a49d07dbc318760c7da7b3 •

CVSS: - • EPSS: 0% • CPEs: 4 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: prevent immediate PASID reuse case PASID reuse could cause an interrupt issue when a process immediately runs into hw state left by a previous process that exited with the same PASID; it's possible that page faults are still pending in the IH ring buffer when the process exits and frees up its PASID. To prevent this case, it uses the idr cyclic allocator, same as the kernel pid's. (cherry picked from commit 8f1de51f49be692de137c8525106e0fce2d1912d) • https://git.kernel.org/stable/c/02208441cc3a5110191996bb129db39ff10e7395 •