CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31691 – igb: remove napi_synchronize() in igb_down()
https://notcve.org/view.php?id=CVE-2026-31691
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: igb: remove napi_synchronize() in igb_down() When an AF_XDP zero-copy application terminates abruptly (e.g., kill -9), the XSK buffer pool is destroyed but NAPI polling continues. igb_clean_rx_irq_zc() repeatedly returns the full budget, preventing napi_complete_done() from clearing NAPI_STATE_SCHED. igb_down() calls napi_synchronize() before napi_disable() for each queue vector. napi_synchronize() spins waiting for NAPI_STATE_SCHED to clea... • https://git.kernel.org/stable/c/2c6196013f84651772388a86dfd4bb033d0c0d45 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-31690 – firmware: thead: Fix buffer overflow and use standard endian macros
https://notcve.org/view.php?id=CVE-2026-31690
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: firmware: thead: Fix buffer overflow and use standard endian macros Addresses two issues in the TH1520 AON firmware protocol driver: 1. Fix a potential buffer overflow where the code used unsafe pointer arithmetic to access the 'mode' field through the 'resource' pointer with an offset. This was flagged by Smatch static checker as: "buffer overflow 'data' 2 <= 3" 2. Replace custom RPC_SET_BE* and RPC_GET_BE* macros with standard kernel endi... • https://git.kernel.org/stable/c/e4b3cbd840e565484d0ad8d260d27c057466ed17 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31689 – EDAC/mc: Fix error path ordering in edac_mc_alloc()
https://notcve.org/view.php?id=CVE-2026-31689
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: EDAC/mc: Fix error path ordering in edac_mc_alloc() When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function. However, the init ordering is wrong such that device_initialize() happens *after* the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called: MCE: In-kernel MCE decoding ... • https://git.kernel.org/stable/c/0bbb265f7089584aaa6d440805ca75ea4f3930d4 •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2026-31688 – driver core: enforce device_lock for driver_match_device()
https://notcve.org/view.php?id=CVE-2026-31688
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: driver core: enforce device_lock for driver_match_device() Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held. Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a ... • https://git.kernel.org/stable/c/49b420a13ff95b449947181190b08367348e3e1b •
CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2026-31687 – gpio: omap: do not register driver in probe()
https://notcve.org/view.php?id=CVE-2026-31687
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: gpio: omap: do not register driver in probe() Commit 11a78b794496 ("ARM: OMAP: MPUIO wake updates") registers the omap_mpuio_driver from omap_mpuio_init(), which is called from omap_gpio_probe(). However, it neither makes sense to register drivers from probe() callbacks of other drivers, nor does the driver core allow registering drivers with a device lock already being held. The latter was revealed by commit dc23806a7c47 ("driver core: enf... • https://git.kernel.org/stable/c/11a78b7944963a8b052be46108d07a3ced9e2762 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31686 – mm/kasan: fix double free for kasan pXds
https://notcve.org/view.php?id=CVE-2026-31686
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/kasan: fix double free for kasan pXds kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument. • https://git.kernel.org/stable/c/0207df4fa1a869281ddbf72db6203dbf036b3e1a •
CVSS: 9.4EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31685 – netfilter: ip6t_eui64: reject invalid MAC header for all packets
https://notcve.org/view.php?id=CVE-2026-31685
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31684 – net: sched: act_csum: validate nested VLAN headers
https://notcve.org/view.php?id=CVE-2026-31684
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area... • https://git.kernel.org/stable/c/2ecba2d1e45b24620a7c3df9531895cf68d5dec6 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31683 – batman-adv: avoid OGM aggregation when skb tailroom is insufficient
https://notcve.org/view.php?id=CVE-2026-31683
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: avoid OGM aggregation when skb tailroom is insufficient When OGM aggregation state is toggled at runtime, an existing forwarded packet may have been allocated with only packet_len bytes, while a later packet can still be selected for aggregation. Appending in this case can hit skb_put overflow conditions. Reject aggregation when the target skb tailroom cannot accommodate the new packet. The caller then falls back to creating a n... • https://git.kernel.org/stable/c/c6c8fea29769d998d94fcec9b9f14d4b52b349d3 •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31682 – bridge: br_nd_send: linearize skb before parsing ND options
https://notcve.org/view.php?id=CVE-2026-31682
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns fr... • https://git.kernel.org/stable/c/ed842faeb2bd49256f00485402f3113205f91d30 •