CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31428 – netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
https://notcve.org/view.php?id=CVE-2026-31428
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_l... • https://git.kernel.org/stable/c/df6fb868d6118686805c2fa566e213a8f31c8e4f •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31427 – netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
https://notcve.org/view.php?id=CVE-2026-31427
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found. If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only u... • https://git.kernel.org/stable/c/4ab9e64e5e3c0516577818804aaf13a630d67bc9 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31426 – ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
https://notcve.org/view.php?id=CVE-2026-31426
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware platforms, it has already started the EC and installed the address space handler with the struct acpi_ec pointer as handler context. However, acpi_ec_setup() propagates the error without any cleanup. The caller acpi_ec_add() then frees the struct acpi_ec for non-boot instances, leaving a dangling handler conte... • https://git.kernel.org/stable/c/03e9a0e05739cf872fee494b06c75c0469704a21 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31425 – rds: ib: reject FRMR registration before IB connection is established
https://notcve.org/view.php?id=CVE-2026-31425
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is ... • https://git.kernel.org/stable/c/1659185fb4d0025835eb2058a141f0746c5cab00 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31424 – netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
https://notcve.org/view.php?id=CVE-2026-31424
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Weiming Shi says: xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all s... • https://git.kernel.org/stable/c/9291747f118d6404e509747b85ff5f6dfec368d2 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31423 – net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
https://notcve.org/view.php?id=CVE-2026-31423
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable `dsm` and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path: Oops: divide error: 0000 RIP: 001... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31422 – net/sched: cls_flow: fix NULL pointer dereference on shared blocks
https://notcve.org/view.php?id=CVE-2026-31422
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ===============... • https://git.kernel.org/stable/c/1abf272022cf1d18469405f47b4ec49c6a3125db •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31421 – net/sched: cls_fw: fix NULL pointer dereference on shared blocks
https://notcve.org/view.php?id=CVE-2026-31421
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL pointer dereference on shared blocks The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified. Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify(... • https://git.kernel.org/stable/c/1abf272022cf1d18469405f47b4ec49c6a3125db •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2026-31420 – bridge: mrp: reject zero test interval to avoid OOM panic
https://notcve.org/view.php?id=CVE-2026-31420
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at ma... • https://git.kernel.org/stable/c/20f6a05ef63594feb0c6dfbd629da0448b43124d •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2026-31419 – net: bonding: fix use-after-free in bond_xmit_broadcast()
https://notcve.org/view.php?id=CVE-2026-31419
13 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bond_xmit_broadcast() bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is "last" mid-loop. This causes the original skb to be double-consumed (double-freed). Replace the racy bond_is_last_slave() check with a simple i... • https://git.kernel.org/stable/c/4e5bd03ae34652cd932ab4c91c71c511793df75c •