CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2026-31688 – driver core: enforce device_lock for driver_match_device()
https://notcve.org/view.php?id=CVE-2026-31688
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: driver core: enforce device_lock for driver_match_device() Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held. Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a ... • https://git.kernel.org/stable/c/49b420a13ff95b449947181190b08367348e3e1b •
CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2026-31687 – gpio: omap: do not register driver in probe()
https://notcve.org/view.php?id=CVE-2026-31687
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: gpio: omap: do not register driver in probe() Commit 11a78b794496 ("ARM: OMAP: MPUIO wake updates") registers the omap_mpuio_driver from omap_mpuio_init(), which is called from omap_gpio_probe(). However, it neither makes sense to register drivers from probe() callbacks of other drivers, nor does the driver core allow registering drivers with a device lock already being held. The latter was revealed by commit dc23806a7c47 ("driver core: enf... • https://git.kernel.org/stable/c/11a78b7944963a8b052be46108d07a3ced9e2762 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31686 – mm/kasan: fix double free for kasan pXds
https://notcve.org/view.php?id=CVE-2026-31686
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/kasan: fix double free for kasan pXds kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument. • https://git.kernel.org/stable/c/0207df4fa1a869281ddbf72db6203dbf036b3e1a •
CVSS: 9.4EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31685 – netfilter: ip6t_eui64: reject invalid MAC header for all packets
https://notcve.org/view.php?id=CVE-2026-31685
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31684 – net: sched: act_csum: validate nested VLAN headers
https://notcve.org/view.php?id=CVE-2026-31684
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area... • https://git.kernel.org/stable/c/2ecba2d1e45b24620a7c3df9531895cf68d5dec6 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31683 – batman-adv: avoid OGM aggregation when skb tailroom is insufficient
https://notcve.org/view.php?id=CVE-2026-31683
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: avoid OGM aggregation when skb tailroom is insufficient When OGM aggregation state is toggled at runtime, an existing forwarded packet may have been allocated with only packet_len bytes, while a later packet can still be selected for aggregation. Appending in this case can hit skb_put overflow conditions. Reject aggregation when the target skb tailroom cannot accommodate the new packet. The caller then falls back to creating a n... • https://git.kernel.org/stable/c/c6c8fea29769d998d94fcec9b9f14d4b52b349d3 •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31682 – bridge: br_nd_send: linearize skb before parsing ND options
https://notcve.org/view.php?id=CVE-2026-31682
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns fr... • https://git.kernel.org/stable/c/ed842faeb2bd49256f00485402f3113205f91d30 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31681 – netfilter: xt_multiport: validate range encoding in checkentry
https://notcve.org/view.php?id=CVE-2026-31681
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_multiport: validate range encoding in checkentry ports_match_v1() treats any non-zero pflags entry as the start of a port range and unconditionally consumes the next ports[] element as the range end. The checkentry path currently validates protocol, flags and count, but it does not validate the range encoding itself. As a result, malformed rules can mark the last slot as a range start or place two range starts back to back, le... • https://git.kernel.org/stable/c/a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31680 – net: ipv6: flowlabel: defer exclusive option free until RCU teardown
https://notcve.org/view.php?id=CVE-2026-31680
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection... • https://git.kernel.org/stable/c/d3aedd5ebd4b0b925b0bcda548066803e1318499 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31678 – openvswitch: defer tunnel netdev_put to RCU release
https://notcve.org/view.php?id=CVE-2026-31678
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional sync... • https://git.kernel.org/stable/c/a9020fde67a6eb77f8130feff633189f99264db1 •