CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31708 – smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
https://notcve.org/view.php?id=CVE-2026-31708
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. • https://git.kernel.org/stable/c/f5778c398713692a16150ae96e5c8270bab8399f • CWE-125: Out-of-bounds Read •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31707 – ksmbd: validate response sizes in ipc_validate_msg()
https://notcve.org/view.php?id=CVE-2026-31707
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate response sizes in ipc_validate_msg() ipc_validate_msg() computes the expected message size for each response type by adding (or multiplying) attacker-controlled fields from the daemon response to a fixed struct size in unsigned int arithmetic. • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf • CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-31706 – ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
https://notcve.org/view.php?id=CVE-2026-31706
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation: aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...); num_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces) without checking that it is consistent with the declared pdacl_size. • https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-31705 – ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
https://notcve.org/view.php?id=CVE-2026-31705
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. • https://git.kernel.org/stable/c/e2b76ab8b5c9327ab2dae6da05d0752eb2f4771d • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31704 – ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
https://notcve.org/view.php?id=CVE-2026-31704
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. • https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31703 – writeback: Fix use after free in inode_switch_wbs_work_fn()
https://notcve.org/view.php?id=CVE-2026-31703
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inode_switch_wbs_work_fn() inode_switch_wbs_work_fn() has a loop like: wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); /* Nothing to do? • https://git.kernel.org/stable/c/e1b849cfa6b61f1c866a908c9e8dd9b5aaab820b • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31702 – f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
https://notcve.org/view.php?id=CVE-2026-31702
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount CPU. • https://git.kernel.org/stable/c/4c8ff7095bef64fc47e996a938f7d57f9e077da3 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2026-31701 – ALSA: caiaq: take a reference on the USB device in create_card()
https://notcve.org/view.php?id=CVE-2026-31701
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: take a reference on the USB device in create_card() The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. • https://git.kernel.org/stable/c/4507a8b9b30344c5ddd8219945f446d47e966a6d •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31700 – net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
https://notcve.org/view.php?id=CVE-2026-31700
01 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. • https://git.kernel.org/stable/c/1d036d25e5609ba73fee6a88db01c306b140d512 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31699 – crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
https://notcve.org/view.php?id=CVE-2026-31699
01 May 2026 — /include/linux/instrumented.h:129 [inline] BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ..... /include/linux/instrumented.h:129 [inline] _inline_copy_to_user ../include/linux/uaccess.h:205 [inline] _copy_to_user+0x66/0xa0 ..... /include/linux/uaccess.h:236 [inline] sev_ioctl_do_pek_csr+0x31f/0x590 .. • https://git.kernel.org/stable/c/e799035609e1526761aa2f896a974b233d04d36d • CWE-787: Out-of-bounds Write •