CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31530 – cxl/port: Fix use after free of parent_port in cxl_detach_ep()
https://notcve.org/view.php?id=CVE-2026-31530
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix use after free of parent_port in cxl_detach_ep() cxl_detach_ep() is called during bottom-up removal when all CXL memory devices beneath a switch port have been removed. For each port in the hierarchy it locks both the port and its parent, removes the endpoint, and if the port is now empty, marks it dead and unregisters the port by calling delete_switch_port(). There are two places during this work where the parent_port may be ... • https://git.kernel.org/stable/c/2345df54249c6fb7779e2a72b427ee79ed3eaad5 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31528 – perf: Make sure to use pmu_ctx->pmu for groups
https://notcve.org/view.php?id=CVE-2026-31528
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: perf: Make sure to use pmu_ctx->pmu for groups Oliver reported that x86_pmu_del() ended up doing an out-of-bound memory access when group_sched_in() fails and needs to roll back. This *should* be handled by the transaction callbacks, but he found that when the group leader is a software event, the transaction handlers of the wrong PMU are used. Despite the move_group case in perf_event_open() and group_sched_in() using pmu_ctx->pmu. Turns o... • https://git.kernel.org/stable/c/bd27568117664b8b3e259721393df420ed51f57b • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31527 – driver core: platform: use generic driver_override infrastructure
https://notcve.org/view.php?id=CVE-2026-31527
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: driver core: platform: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock h... • https://git.kernel.org/stable/c/3d713e0e382e6fcfb4bba1501645b66c129ad60b • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31525 – bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN
https://notcve.org/view.php?id=CVE-2026-31525
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN The BPF interpreter's signed 32-bit division and modulo handlers use the kernel abs() macro on s32 operands. The abs() macro documentation (include/linux/math.h) explicitly states the result is undefined when the input is the type minimum. When DST contains S32_MIN (0x80000000), abs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged on arm64/x86. This value is... • https://git.kernel.org/stable/c/ec0e2da95f72d4a46050a4d994e4fe471474fd80 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31524 – HID: asus: avoid memory leak in asus_report_fixup()
https://notcve.org/view.php?id=CVE-2026-31524
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: asus: avoid memory leak in asus_report_fixup() The asus_report_fixup() function was returning a newly allocated kmemdup()-allocated buffer, but never freeing it. Switch to devm_kzalloc() to ensure the memory is managed and freed automatically when the device is removed. The caller of report_fixup() does not take ownership of the returned pointer, but it is permitted to return a pointer whose lifetime is at least that of the input buffe... • https://git.kernel.org/stable/c/5703e52cc711bc01e72cf12b86a126909c79d213 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31523 – nvme-pci: ensure we're polling a polled queue
https://notcve.org/view.php?id=CVE-2026-31523
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: ensure we're polling a polled queue A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may try to poll that queue before the block layer has updated the queue maps, which would race with the now interrupt driven queue and may cause double completions. • https://git.kernel.org/stable/c/4b04cc6a8f86c4842314def22332de1f15de8523 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31522 – HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
https://notcve.org/view.php?id=CVE-2026-31522
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: avoid memory leak in magicmouse_report_fixup() The magicmouse_report_fixup() function was returning a newly kmemdup()-allocated buffer, but never freeing it. The caller of report_fixup() does not take ownership of the returned pointer, but it *is* permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller. • https://git.kernel.org/stable/c/e6ad399596bd234be4722022146e33e15c7e424d • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31521 – module: Fix kernel panic when a symbol st_shndx is out of bounds
https://notcve.org/view.php?id=CVE-2026-31521
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: module: Fix kernel panic when a symbol st_shndx is out of bounds The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31520 – HID: apple: avoid memory leak in apple_report_fixup()
https://notcve.org/view.php?id=CVE-2026-31520
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: apple: avoid memory leak in apple_report_fixup() The apple_report_fixup() function was returning a newly kmemdup()-allocated buffer, but never freeing it. The caller of report_fixup() does not take ownership of the returned pointer, but it *is* permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller. • https://git.kernel.org/stable/c/6e143293e17a73c9313f91c5ca3aaacbaef030cf • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31519 – btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
https://notcve.org/view.php?id=CVE-2026-31519
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like: drwxrwxrwt 1 root root 16 Jan 23 16:49 . drwxr-xr-x 1 root root 24 Jan 23 16:48 .. d????????? ? ? ? ? • https://git.kernel.org/stable/c/c71bf099abddf3e0fdc27f251ba76fca1461d49a • CWE-476: NULL Pointer Dereference •