CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31428 – netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
https://notcve.org/view.php?id=CVE-2026-31428
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_l... • https://git.kernel.org/stable/c/df6fb868d6118686805c2fa566e213a8f31c8e4f •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31427 – netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
https://notcve.org/view.php?id=CVE-2026-31427
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found. If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only u... • https://git.kernel.org/stable/c/4ab9e64e5e3c0516577818804aaf13a630d67bc9 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31425 – rds: ib: reject FRMR registration before IB connection is established
https://notcve.org/view.php?id=CVE-2026-31425
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is ... • https://git.kernel.org/stable/c/1659185fb4d0025835eb2058a141f0746c5cab00 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31424 – netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
https://notcve.org/view.php?id=CVE-2026-31424
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Weiming Shi says: xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all s... • https://git.kernel.org/stable/c/9291747f118d6404e509747b85ff5f6dfec368d2 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31423 – net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
https://notcve.org/view.php?id=CVE-2026-31423
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable `dsm` and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path: Oops: divide error: 0000 RIP: 001... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31422 – net/sched: cls_flow: fix NULL pointer dereference on shared blocks
https://notcve.org/view.php?id=CVE-2026-31422
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ===============... • https://git.kernel.org/stable/c/1abf272022cf1d18469405f47b4ec49c6a3125db •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31421 – net/sched: cls_fw: fix NULL pointer dereference on shared blocks
https://notcve.org/view.php?id=CVE-2026-31421
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL pointer dereference on shared blocks The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified. Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify(... • https://git.kernel.org/stable/c/1abf272022cf1d18469405f47b4ec49c6a3125db •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31417 – net/x25: Fix overflow when accumulating packets
https://notcve.org/view.php?id=CVE-2026-31417
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be resetted when purging `fragment_queue` in `x25_clear_queues()`. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: %CPEs: 10EXPL: 0CVE-2026-31416 – netfilter: nfnetlink_log: account for netlink header size
https://notcve.org/view.php?id=CVE-2026-31416
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size. This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects. • https://git.kernel.org/stable/c/9dfa1dfe4d5e5e66a991321ab08afe69759d797a •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31415 – ipv6: avoid overflows in ip6_datagram_send_ctl()
https://notcve.org/view.php?id=CVE-2026-31415
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when mult... • https://git.kernel.org/stable/c/333fad5364d6b457c8d837f7d05802d2aaf8a961 •