CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31400 – sunrpc: fix cache_request leak in cache_release
https://notcve.org/view.php?id=CVE-2026-31400
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request. In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_rel... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31393 – Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
https://notcve.org/view.php?id=CVE-2026-31393
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_l... • https://git.kernel.org/stable/c/4e8402a3f884427f9233ba436459c158d1f2e114 •
CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31392 – smb: client: fix krb5 mount with username option
https://notcve.org/view.php?id=CVE-2026-31392
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to searc... • https://git.kernel.org/stable/c/4ff67b720c02c36e54d55b88c2931879b7db1cd2 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23474 – mtd: Avoid boot crash in RedBoot partition table parser
https://notcve.org/view.php?id=CVE-2026-23474
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overfl... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-23472 – serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
https://notcve.org/view.php?id=CVE-2026-23472
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can wri... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23462 – Bluetooth: HIDP: Fix possible UAF
https://notcve.org/view.php?id=CVE-2026-23462
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(lazy) [ 97.809935] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 [ 97.809947] Call Trace: ... • https://git.kernel.org/stable/c/b4f34d8d9d26b2428fa7cf7c8f97690a297978e6 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23460 – net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
https://notcve.org/view.php?id=CVE-2026-23460
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time w... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23458 – netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
https://notcve.org/view.php?id=CVE-2026-23458
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ... • https://git.kernel.org/stable/c/e844a928431fa8f1359d1f4f2cef53d9b446bf52 •
CVSS: 8.6EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23457 – netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
https://notcve.org/view.php?id=CVE-2026-23457
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculat... • https://git.kernel.org/stable/c/f5b321bd37fbec9188feb1f721ab46a5ac0b35da •
CVSS: 8.2EPSS: 0%CPEs: 8EXPL: 0CVE-2026-23456 – netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
https://notcve.org/view.php?id=CVE-2026-23456
03 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a b... • https://git.kernel.org/stable/c/5e35941d990123f155b02d5663e51a24f816b6f3 •