CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31492 – RDMA/irdma: Initialize free_qp completion before using it
https://notcve.org/view.php?id=CVE-2026-31492
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Initialize free_qp completion before using it In irdma_create_qp, if ib_copy_to_udata fails, it will call irdma_destroy_qp to clean up which will attempt to wait on the free_qp completion, which is not initialized yet. Fix this by initializing the completion before the ib_copy_to_udata call. • https://git.kernel.org/stable/c/b48c24c2d710cf34810c555dcef883a3d35a9c08 • CWE-908: Use of Uninitialized Resource •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2026-31489 – spi: meson-spicc: Fix double-put in remove path
https://notcve.org/view.php?id=CVE-2026-31489
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: meson-spicc: Fix double-put in remove path meson_spicc_probe() registers the controller with devm_spi_register_controller(), so teardown already drops the controller reference via devm cleanup. Calling spi_controller_put() again in meson_spicc_remove() causes a double-put. • https://git.kernel.org/stable/c/8311ee2164c5cd1b63a601ea366f540eae89f10e • CWE-415: Double Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31488 – drm/amd/display: Do not skip unrelated mode changes in DSC validation
https://notcve.org/view.php?id=CVE-2026-31488
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not skip unrelated mode changes in DSC validation Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), amdgpu resets the CRTC state mode_changed flag to false when recomputing the DSC configuration results in no timing change for a particular stream. However, this is incorrect in scenarios where a change in MST/DSC configuration happens in the same KMS commit as another (unrelate... • https://git.kernel.org/stable/c/17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31487 – spi: use generic driver_override infrastructure
https://notcve.org/view.php?id=CVE-2026-31487
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field without a lock, which can cause a UAF. Fix this by using the driver-core driver_override infrastructure taking care of proper locking internally. Note that calling match() from __driver_attach() without the device lock held is intentional... • https://git.kernel.org/stable/c/5039563e7c25eccd7fec1de6706011009d1c5665 • CWE-667: Improper Locking •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31486 – hwmon: (pmbus/core) Protect regulator operations with mutex
https://notcve.org/view.php?id=CVE-2026-31486
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/core) Protect regulator operations with mutex The regulator operations pmbus_regulator_get_voltage(), pmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage() access PMBus registers and shared data but were not protected by the update_lock mutex. This could lead to race conditions. However, adding mutex protection directly to these functions causes a deadlock because pmbus_regulator_notify() (which calls regulator_not... • https://git.kernel.org/stable/c/ddbb4db4ced1ba784fcd3500179a7291b6c5d7b7 • CWE-667: Improper Locking •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31485 – spi: spi-fsl-lpspi: fix teardown order issue (UAF)
https://notcve.org/view.php?id=CVE-2026-31485
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-lpspi: fix teardown order issue (UAF) There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns. As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free: ... • https://git.kernel.org/stable/c/5314987de5e5f5e38436ef4a69328bc472bbd63e • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31483 – s390/syscalls: Add spectre boundary for syscall dispatch table
https://notcve.org/view.php?id=CVE-2026-31483
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: s390/syscalls: Add spectre boundary for syscall dispatch table The s390 syscall number is directly controlled by userspace, but does not have an array_index_nospec() boundary to prevent access past the syscall function pointer tables. • https://git.kernel.org/stable/c/56e62a73702836017564eaacd5212e4d0fa1c01d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31482 – s390/entry: Scrub r12 register on kernel entry
https://notcve.org/view.php?id=CVE-2026-31482
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: s390/entry: Scrub r12 register on kernel entry Before commit f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP"), all entry handlers loaded r12 with the current task pointer (lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. That commit removed TIF_ISOLATE_BP, dropping both the branch prediction macros and the r12 load, but did not add r12 to the register clearing sequence. Add the missing xgr %r12,%r12 to make the register scrub cons... • https://git.kernel.org/stable/c/f33f2d4c7c80c641f6ca3dfe5e7dfe1f91543780 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31480 – tracing: Fix potential deadlock in cpu hotplug with osnoise
https://notcve.org/view.php?id=CVE-2026-31480
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: tracing: Fix potential deadlock in cpu hotplug with osnoise The following sequence may leads deadlock in cpu hotplug: task1 task2 task3 ----- ----- ----- mutex_lock(&interface_lock) [CPU GOING OFFLINE] cpus_write_lock(); osnoise_cpu_die(); kthread_stop(task3); wait_for_completion(); osnoise_sleep(); mutex_lock(&interface_lock); cpus_read_lock(); [DEAD LOCK] Fix by swap the order of cpus_read_lock() and mutex_lock(&interface_lock). • https://git.kernel.org/stable/c/bce29ac9ce0bb0b0b146b687ab978378c21e9078 • CWE-667: Improper Locking •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31478 – ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
https://notcve.org/view.php?id=CVE-2026-31478
22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"), response buffer management was changed to use dynamic iov array. In the new design, smb2_calc_max_out_buf_len() expects the second argument (hdr2_len) to be the offset of ->Buffer field in the response structure, not a hardcoded magic number. Fix the remaining call sites to use the correct... • https://git.kernel.org/stable/c/f2283680a80571ca82d710bc6ecd8f8beac67d63 •