CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31615 – usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
https://notcve.org/view.php?id=CVE-2026-31615
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by validating the number of endpoints actually matches up with the number the device has before attempting to dereference a pointer based on this math. This is just like what was done in commit ee0d382feb44 ("usb: gadg...
• https://git.kernel.org/stable/c/746bfe63bba37ad55956b7377c9af494e7e28929
• CWE-476: NULL Pointer Dereference

CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31614 – smb: client: fix off-by-8 bounds check in check_wsl_eas()
https://notcve.org/view.php?id=CVE-2026-31614
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix off-by-8 bounds check in check_wsl_eas()
The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 ...
• https://git.kernel.org/stable/c/7449d736bbbd160c76b01b8fcdf72f58a8757d4b

CVSS: 8.1 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-31613 – smb: client: fix OOB reads parsing symlink error response
https://notcve.org/view.php?id=CVE-2026-31613
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix OOB reads parsing symlink error response
When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server. symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the server-controlled ErrorDataLength adva...
• https://git.kernel.org/stable/c/76894f3e2f71177747b8b4763fb180e800279585
• CWE-125: Out-of-bounds Read

CVSS: 7.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31612 – ksmbd: validate EaNameLength in smb2_get_ea()
https://notcve.org/view.php?id=CVE-2026-31612
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate EaNameLength in smb2_get_ea()
smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of the input buffer received. Fix this up by properly checking the size of the name based on the value received and the overall size of the request, to prevent a later strncmp() call from using the length as a "...
• https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9

CVSS: 8.6 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31611 – ksmbd: require 3 sub-authorities before reading sub_auth[2]
https://notcve.org/view.php?id=CVE-2026-31611
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
ksmbd: require 3 sub-authorities before reading sub_auth[2]
parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares only min(num_subauth, 2) sub-authorities so a client SID with num_subauth = 2 and sub_auth = {88, 3} will match. If num_subauth = 2 and the ACE is placed at the very end of t...
• https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9

CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31610 – ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
https://notcve.org/view.php?id=CVE-2026-31610
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live....
• https://git.kernel.org/stable/c/fad4161b5cd01a24202234976ebbb133f7adc0b5

CVSS: 9.8 | EPSS: 0% | CPEs: 11 | EXPL: 0
CVE-2026-31607 – usbip: validate number_of_packets in usbip_pack_ret_submit()
https://notcve.org/view.php?id=CVE-2026-31607
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
usbip: validate number_of_packets in usbip_pack_ret_submit()
When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets fr...
• https://git.kernel.org/stable/c/1325f85fa49f57df034869de430f7c302ae23109
• CWE-787: Out-of-bounds Write

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-31606 – usb: gadget: f_hid: don't call cdev_init while cdev in use
https://notcve.org/view.php?id=CVE-2026-31606
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: don't call cdev_init while cdev in use
When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is still opened. This obviously leads to unsafe behavior like oopses. This fixes this by using cdev_alloc to put the cdev on the heap. That way, we can simply allocate a new one in hidg_bind.
• https://git.kernel.org/stable/c/cb382536052fcc7713988869b54a81137069e5a9

CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31605 – fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
https://notcve.org/view.php?id=CVE-2026-31605
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash.
• https://git.kernel.org/stable/c/59277b679f8b5ce594e367759256668eba652d0d

CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-31604 – wifi: rtw88: fix device leak on probe failure
https://notcve.org/view.php?id=CVE-2026-31604
24 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: fix device leak on probe failure
Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect. This driver takes a reference to the USB device during probe but does not release it on all probe errors (e.g. when descriptor parsing fails). Drop the redundant device refere...
• https://git.kernel.org/stable/c/a82dfd33d1237f6c0fb8a7077022189d1fc7ec98
