CVE-2026-31503

In the Linux kernel, the following vulnerability has been resolved: udp: Fix wildcard bind conflict check when using hash2 When binding a udpsock to a local address and port, UDP uses two hashes udptable-hash and udptable-hash2 for collision detection. The current code switches to "hash2" when...

CVE-2026-31496

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntrackexpect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea "netfilter: conntrack: do not dump other netns's conntrack entries via proc"...

CVE-2026-31481

In the Linux kernel, the following vulnerability has been resolved: tracing: Drain deferred trigger frees if kthread creation fails Boot-time trigger registration can fail before the trigger-data cleanup kthread exists. Deferring those frees until late init is fine, but the post-boot fallback mus...

CVE-2026-31472

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload Add validation of the inner IPv4 packet totlen and ihl fields parsed from decrypted IPTFS payloads in inputprocesspayload. A crafted ESP packet containing an inner...

CVE-2026-31494

In the Linux kernel, the following vulnerability has been resolved: net: macb: use the current queue number for stats There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gemgetssetcount correctly computes the number of stats based on the activ...

CVE-2026-31468

In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Fix double free in dma-buf feature The error path through vfiopcicorefeaturedmabuf ignores its own advice to only use dmabufput after dmabufexport, instead falling through the entire unwind chain. In the unlikely event...

CVE-2026-31436

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llistabortdesc At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer...

CVE-2026-31489

In the Linux kernel, the following vulnerability has been resolved: spi: meson-spicc: Fix double-put in remove path mesonspiccprobe registers the controller with devmspiregistercontroller, so teardown already drops the controller reference via devm cleanup. Calling spicontrollerput again in...

CVE-2026-31510

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref on l2capsockreadycb Before using sk pointer, check if it is null. Fix the following: KASAN: null-ptr-deref in range 0x0000000000000260-0x0000000000000267 CPU: 0 UID: 0 PID: 5985 Comm:...

CVE-2026-31441

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix memory leak when a wq is reset idxdwqdisablecleanup which is called from the reset path for a workqueue, sets the wq type to NONE, which for other parts of the driver mean that the wq is empty all its resourc...

CVE-2026-31525

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix undefined behavior in interpreter sdiv/smod for INTMIN The BPF interpreter's signed 32-bit division and modulo handlers use the kernel abs macro on s32 operands. The abs macro documentation include/linux/math.h explicitl...

CVE-2026-31518

In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, espoutputtailtcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packe...

CVE-2026-31466

In the Linux kernel, the following vulnerability has been resolved: mm/hugememory: fix folio isn't locked in softleaftofolio On arm64 server, we found folio that get from migration entry isn't locked in softleaftofolio. This issue triggers when mTHP splitting and zapnonpresentptes races, and the...

CVE-2026-31475

In the Linux kernel, the following vulnerability has been resolved: ASoC: sma1307: fix double free of devmkzalloc memory A previous change added NULL checks and cleanup for allocation failures in sma1307settingloaded. However, the cleanup for modeset entries is wrong. Those entries are allocated...

UBUNTU-CVE-2026-31514

In the Linux kernel, the following vulnerability has been resolved: erofs: set fileio bio failed in short read case For file-backed mount, IO requests are handled by vfsiocbiterread. However, it can be interrupted by SIGKILL, returning the number of bytes actually copied. Unused folios in bio are...

UBUNTU-CVE-2026-31508

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Avoid releasing netdev before teardown completes The patch cited in the Fixes tag below changed the teardown code for OVS ports to no longer unconditionally take the RTNL. After this change, the netdevdestroy...

CVE-2026-31450

In the Linux kernel, the following vulnerability has been resolved: ext4: publish jinode after initialization ext4inodeattachjinode publishes ei-jinode to concurrent users. It used to set ei-jinode before jbd2journalinitjbdinode, allowing a reader to observe a non-NULL jinode with ivfsinode still...

UBUNTU-CVE-2026-31507

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smcspdpriv when tee duplicates splice pipe buffer smcrxsplice allocates one smcspdpriv per pipebuffer and stores the pointer in pipebuffer.private. The pipebufoperations for these buffers used .get =...

UBUNTU-CVE-2026-31528

In the Linux kernel, the following vulnerability has been resolved: perf: Make sure to use pmuctx-pmu for groups Oliver reported that x86pmudel ended up doing an out-of-bound memory access when groupschedin fails and needs to roll back. This should be handled by the transaction callbacks, but he...

CVE-2026-31513

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2capecredconnreq Syzbot reported a KASAN stack-out-of-bounds read in l2capbuildcmd that is triggered by a malformed Enhanced Credit Based Connection Request. The vulnerability...