CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2026-31688 – driver core: enforce device_lock for driver_match_device()
https://notcve.org/view.php?id=CVE-2026-31688
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: driver core: enforce device_lock for driver_match_device() Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held. Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a ... • https://git.kernel.org/stable/c/49b420a13ff95b449947181190b08367348e3e1b •
CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2026-31687 – gpio: omap: do not register driver in probe()
https://notcve.org/view.php?id=CVE-2026-31687
27 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: gpio: omap: do not register driver in probe() Commit 11a78b794496 ("ARM: OMAP: MPUIO wake updates") registers the omap_mpuio_driver from omap_mpuio_init(), which is called from omap_gpio_probe(). However, it neither makes sense to register drivers from probe() callbacks of other drivers, nor does the driver core allow registering drivers with a device lock already being held. The latter was revealed by commit dc23806a7c47 ("driver core: enf... • https://git.kernel.org/stable/c/11a78b7944963a8b052be46108d07a3ced9e2762 •
CVSS: 9.4EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31685 – netfilter: ip6t_eui64: reject invalid MAC header for all packets
https://notcve.org/view.php?id=CVE-2026-31685
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31683 – batman-adv: avoid OGM aggregation when skb tailroom is insufficient
https://notcve.org/view.php?id=CVE-2026-31683
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: avoid OGM aggregation when skb tailroom is insufficient When OGM aggregation state is toggled at runtime, an existing forwarded packet may have been allocated with only packet_len bytes, while a later packet can still be selected for aggregation. Appending in this case can hit skb_put overflow conditions. Reject aggregation when the target skb tailroom cannot accommodate the new packet. The caller then falls back to creating a n... • https://git.kernel.org/stable/c/c6c8fea29769d998d94fcec9b9f14d4b52b349d3 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31681 – netfilter: xt_multiport: validate range encoding in checkentry
https://notcve.org/view.php?id=CVE-2026-31681
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_multiport: validate range encoding in checkentry ports_match_v1() treats any non-zero pflags entry as the start of a port range and unconditionally consumes the next ports[] element as the range end. The checkentry path currently validates protocol, flags and count, but it does not validate the range encoding itself. As a result, malformed rules can mark the last slot as a range start or place two range starts back to back, le... • https://git.kernel.org/stable/c/a89ecb6a2ef732d04058d87801e2b6bd7e5c7089 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31680 – net: ipv6: flowlabel: defer exclusive option free until RCU teardown
https://notcve.org/view.php?id=CVE-2026-31680
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection... • https://git.kernel.org/stable/c/d3aedd5ebd4b0b925b0bcda548066803e1318499 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-31678 – openvswitch: defer tunnel netdev_put to RCU release
https://notcve.org/view.php?id=CVE-2026-31678
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional sync... • https://git.kernel.org/stable/c/a9020fde67a6eb77f8130feff633189f99264db1 •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31676 – rxrpc: only handle RESPONSE during service challenge
https://notcve.org/view.php?id=CVE-2026-31676
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup pat... • https://git.kernel.org/stable/c/17926a79320afa9b95df6b977b40cca6d8713cea •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-31675 – net/sched: sch_netem: fix out-of-bounds access in packet corruption
https://notcve.org/view.php?id=CVE-2026-31675
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using... • https://git.kernel.org/stable/c/c865e5d99e25a171e8262fc0f7ba608568633c64 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-31674 – netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
https://notcve.org/view.php?id=CVE-2026-31674
25 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •