PT-2026-35798

OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through...

CVE-2026-34267 affecting package mysql for versions less than 8.0.46-1

CVE-2026-34267 affecting package mysql for versions less than 8.0.46-1. An upgraded version of the package is available that resolves this issue...

CVE-2026-31689

In the Linux kernel, the following vulnerability has been resolved: EDAC/mc: Fix error path ordering in edacmcalloc When the mci-pvtinfo allocation in edacmcalloc fails, the error path will call putdevice which will end up calling the device's release function. However, the init ordering is wrong...

CVE-2026-31688

In the Linux kernel, the following vulnerability has been resolved: driver core: enforce devicelock for drivermatchdevice Currently, drivermatchdevice is called from three sites. One site deviceattachdriver holds devicelockdev, but the other two bindstore and driverattach do not. This inconsisten...

CVE-2026-31687

In the Linux kernel, the following vulnerability has been resolved: gpio: omap: do not register driver in probe Commit 11a78b794496 "ARM: OMAP: MPUIO wake updates" registers the omapmpuiodriver from omapmpuioinit, which is called from omapgpioprobe. However, it neither makes sense to register...

UBUNTU-CVE-2026-31689

In the Linux kernel, the following vulnerability has been resolved: EDAC/mc: Fix error path ordering in edacmcalloc When the mci-pvtinfo allocation in edacmcalloc fails, the error path will call putdevice which will end up calling the device's release function. However, the init ordering is wrong...

CVE-2026-31690

In the Linux kernel, the following vulnerability has been resolved: firmware: thead: Fix buffer overflow and use standard endian macros Addresses two issues in the TH1520 AON firmware protocol driver: 1. Fix a potential buffer overflow where the code used unsafe pointer arithmetic to access the...

CVE-2026-31686

In the Linux kernel, the following vulnerability has been resolved: mm/kasan: fix double free for kasan pXds kasanfreepxd assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table of size 4096...

UBUNTU-CVE-2026-31677

In the Linux kernel, the following vulnerability has been resolved: crypto: afalg - limit RX SG extraction by receive buffer budget Make afalggetrsgl limit each RX scatterlist extraction to the remaining receive buffer budget. afalggetrsgl currently uses afalgreadable only as a gate before...

CVE-2026-31674

In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6trt: reject oversized addrnr in rtmt6check Reject rt match rules whose addrnr exceeds IP6TRTHOPS. rtmt6 expects addrnr to stay within the bounds of rtinfo-addrs. Validate addrnr during rule installation so malformed...

CVE-2026-31682

In the Linux kernel, the following vulnerability has been resolved: bridge: brndsend: linearize skb before parsing ND options brndsend parses neighbour discovery options from ns-opt and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header...

CVE-2026-31678

In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdevput to RCU release ovsnetdevtunneldestroy may run after NETDEVUNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe...

CVE-2026-31607

In the Linux kernel, the following vulnerability has been resolved: usbip: validate numberofpackets in usbippackretsubmit When a USB/IP client receives a RETSUBMIT response, usbippackretsubmit unconditionally overwrites urb-numberofpackets from the network PDU. This value is subsequently used as...

CVE-2026-31670

In the Linux kernel, the following vulnerability has been resolved: net: rfkill: prevent unlimited numbers of rfkill events from being created Userspace can create an unlimited number of rfkill events if the system is so configured, while not consuming them from the rfkill file descriptor, causin...

CVE-2026-31611

In the Linux kernel, the following vulnerability has been resolved: ksmbd: require 3 sub-authorities before reading subauth2 parsedacl compares each ACE SID against sidunixNFSmode and on match reads sid.subauth2 as the file mode. If sidunixNFSmode is the prefix S-1-5-88-3 with numsubauth = 2 then...

CVE-2026-31658

In the Linux kernel, the following vulnerability has been resolved: net: altera-tse: fix skb leak on DMA mapping error in tsestartxmit When dmamapsingle fails in tsestartxmit, the function returns NETDEVTXOK without freeing the skb. Since NETDEVTXOK tells the stack the packet was consumed, the sk...

CVE-2026-31589

In the Linux kernel, the following vulnerability has been resolved: mm: call -freefolio directly in foliounmapinvalidate We can only call filemapfreefolio if we have a reference to or hold a lock on the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the...

CVE-2026-31573

In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: Fix kernel panic due to initconst misuse Fix a kernel panic when probing the driver as a module: Unable to handle kernel paging request at virtual address ffffd9c18eb05000 offindmatchingnodeandmatch+0x5c/0x1a0...

CVE-2026-31619

In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup The status field in an EFW response is a 32-bit value supplied by the firewire device. efrstatusnames has 17 entries so a status value outside that range go...

CVE-2026-31654

In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix memory leak in mmapregion commit 605f6586ecf7 "mm/vma: do not leak memory when .mmapprepare swaps the file" handled the success path by skipping getfile via filedoesntneedget, but missed the error path. When /dev/zero...