
CVSS: 7.8 • EPSS: 0% • CPEs: 9 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in update_super_work when racing with umount Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which access... • https://git.kernel.org/stable/c/52c3a04f9ec2a16a4204d6274db338cb8d5b2d74 •

CVSS: - • EPSS: 0% • CPEs: 7 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix memory leak when a wq is reset idxd_wq_disable_cleanup(), which is called from the reset path for a workqueue, sets the wq type to NONE, which for other parts of the driver means that the wq is empty (all its resources were released). Only set the wq type to NONE after its resources are released. • https://git.kernel.org/stable/c/da32b28c95a79e399e18c03f8178f41aec9c66e4 •

CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix leak of kobject name for sub-group space_info When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked. Thi... • https://git.kernel.org/stable/c/64c7ddda83acfbaa0efb381a1928ce908c584607 •

CVSS: 8.8 • EPSS: 0% • CPEs: 7 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial OOB in get_file_all_info() for compound requests When a compound request consists of QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) and the first command consumes nearly the entire max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() with PATH_MAX, causing out-of-bounds write beyond the response buffer. In get_file_all_info(), there was a missing validation check for the client-provided Output... • https://git.kernel.org/stable/c/f2283680a80571ca82d710bc6ecd8f8beac67d63 •

CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERY_INFO for compound requests When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger desc... • https://git.kernel.org/stable/c/e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d •

CVSS: 7.8 • EPSS: 2% • CPEs: 8 • EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly. Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could ... • https://git.kernel.org/stable/c/72548b093ee38a6d4f2a19e6ef1948ae05c181f7 • CWE-669: Incorrect Resource Transfer Between Spheres •

CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0

13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_l... • https://git.kernel.org/stable/c/df6fb868d6118686805c2fa566e213a8f31c8e4f •

CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0

13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found. If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only u... • https://git.kernel.org/stable/c/4ab9e64e5e3c0516577818804aaf13a630d67bc9 •

CVSS: 7.0 • EPSS: 0% • CPEs: 6 • EXPL: 0

13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware platforms, it has already started the EC and installed the address space handler with the struct acpi_ec pointer as handler context. However, acpi_ec_setup() propagates the error without any cleanup. The caller acpi_ec_add() then frees the struct acpi_ec for non-boot instances, leaving a dangling handler conte... • https://git.kernel.org/stable/c/03e9a0e05739cf872fee494b06c75c0469704a21 •

CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0

13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is ... • https://git.kernel.org/stable/c/1659185fb4d0025835eb2058a141f0746c5cab00 •