CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31504 – net: fix fanout UAF in packet_release() via NETDEV_UP race
https://notcve.org/view.php?id=CVE-2026-31504
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches... • https://git.kernel.org/stable/c/ce06b03e60fc19c680d1bf873e779bf11c2fc518 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31503 – udp: Fix wildcard bind conflict check when using hash2
https://notcve.org/view.php?id=CVE-2026-31503
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: udp: Fix wildcard bind conflict check when using hash2 When binding a udp_sock to a local address and port, UDP uses two hashes (udptable->hash and udptable->hash2) for collision detection. The current code switches to "hash2" when hslot->count > 10. "hash2" is keyed by local address and local port. "hash" is keyed by local port only. The issue can be shown in the following bind sequence (pseudo code): bind(fd1, "[fd00::1]:8888") bind(fd2, ... • https://git.kernel.org/stable/c/30fff9231fad757c061285e347b33c5149c2c2e4 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31502 – team: fix header_ops type confusion with non-Ethernet ports
https://notcve.org/view.php?id=CVE-2026-31502
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: team: fix header_ops type confusion with non-Ethernet ports Similar to commit 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") team has the same class of header_ops type confusion. For non-Ethernet ports, team_setup_by_port() copies port_dev->header_ops directly. When the team device later calls dev_hard_header() or dev_parse_header(), these callbacks can run with the team net_device instead of the real lower device, so... • https://git.kernel.org/stable/c/1d76efe1577b4323609b1bcbfafa8b731eda071a • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31500 – Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
https://notcve.org/view.php?id=CVE-2026-31500
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET and Intel exception-info retrieval) without holding hci_req_sync_lock(). This lets it race against hci_dev_do_close() -> btintel_shutdown_combined(), which also runs __hci_cmd_sync() under the same lock. When both paths manipulate hdev->req_status/req_rsp concurrently, the close path may free the respons... • https://git.kernel.org/stable/c/973bb97e5aee56edddaae3d5c96877101ad509c0 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 13EXPL: 0CVE-2026-31498 – Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
https://notcve.org/view.php?id=CVE-2026-31498
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop l2cap_config_req() processes CONFIG_REQ for channels in BT_CONNECTED state to support L2CAP reconfiguration (e.g. MTU changes). However, since both CONF_INPUT_DONE and CONF_OUTPUT_DONE are already set from the initial configuration, the reconfiguration path falls through to l2cap_ertm_init(), which re-initializes tx_q, srej_q, srej_list, and retrans_list without freeing the p... • https://git.kernel.org/stable/c/96298f640104e4cd9a913a6e50b0b981829b94ff • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31497 – Bluetooth: btusb: clamp SCO altsetting table indices
https://notcve.org/view.php?id=CVE-2026-31497
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: clamp SCO altsetting table indices btusb_work() maps the number of active SCO links to USB alternate settings through a three-entry lookup table when CVSD traffic uses transparent voice settings. The lookup currently indexes alts[] with data->sco_num - 1 without first constraining sco_num to the number of available table entries. While the table only defines alternate settings for up to three SCO links, data->sco_num comes... • https://git.kernel.org/stable/c/baac6276c0a9f36f1fe1f00590ef00d2ba5ba626 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31496 – netfilter: nf_conntrack_expect: skip expectations in other netns via proc
https://notcve.org/view.php?id=CVE-2026-31496
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's conntrack entries via proc"). • https://git.kernel.org/stable/c/9b03f38d0487f3908696242286d934c9b38f9d2a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31495 – netfilter: ctnetlink: use netlink policy range checks
https://notcve.org/view.php?id=CVE-2026-31495
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use netlink policy range checks Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors. - CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at policy level, removing the manual >= TCP_CONNTRACK_MAX check. - CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE... • https://git.kernel.org/stable/c/c8e2078cfe414a99cf6f2f2f1d78c7e75392e9d4 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31494 – net: macb: use the current queue number for stats
https://notcve.org/view.php?id=CVE-2026-31494
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: macb: use the current queue number for stats There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gem_get_sset_count() correctly computes the number of stats based on the active queues, whereas gem_get_ethtool_stats() indiscriminately copies data using the maximum number of queues, and in the case the number of active queues is less than MACB_MAX_QUEUES, this results in a OOB write a... • https://git.kernel.org/stable/c/512286bbd4b7d5b15d26ba8078c8bfd1fc1129bd • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31493 – RDMA/efa: Fix use of completion ctx after free
https://notcve.org/view.php?id=CVE-2026-31493
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again). Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc ... • https://git.kernel.org/stable/c/68fb9f3e312a36e49fd05ec2d6b668daf2c4931a • CWE-416: Use After Free •