UBUNTU-CVE-2026-31526

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix exception exit lock checking for subprogs processbpfexitfull passes checklock = !curframe to checkresourceleak, which is false in cases when bpfthrow is called from a static subprog. This makes checkresourceleak to skip...

CVE-2026-31450

In the Linux kernel, the following vulnerability has been resolved: ext4: publish jinode after initialization ext4inodeattachjinode publishes ei-jinode to concurrent users. It used to set ei-jinode before jbd2journalinitjbdinode, allowing a reader to observe a non-NULL jinode with ivfsinode still...

UBUNTU-CVE-2026-31528

In the Linux kernel, the following vulnerability has been resolved: perf: Make sure to use pmuctx-pmu for groups Oliver reported that x86pmudel ended up doing an out-of-bound memory access when groupschedin fails and needs to roll back. This should be handled by the transaction callbacks, but he...

UBUNTU-CVE-2026-31507

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smcspdpriv when tee duplicates splice pipe buffer smcrxsplice allocates one smcspdpriv per pipebuffer and stores the pointer in pipebuffer.private. The pipebufoperations for these buffers used .get =...

UBUNTU-CVE-2026-31514

In the Linux kernel, the following vulnerability has been resolved: erofs: set fileio bio failed in short read case For file-backed mount, IO requests are handled by vfsiocbiterread. However, it can be interrupted by SIGKILL, returning the number of bytes actually copied. Unused folios in bio are...

CVE-2026-31527

In the Linux kernel, the following vulnerability has been resolved: driver core: platform: use generic driveroverride infrastructure When a driver is probed through driverattach, the bus' match callback is called without the device lock held, thus accessing the driveroverride field without a lock...

CVE-2026-31524

In the Linux kernel, the following vulnerability has been resolved: HID: asus: avoid memory leak in asusreportfixup The asusreportfixup function was returning a newly allocated kmemdup-allocated buffer, but never freeing it. Switch to devmkzalloc to ensure the memory is managed and freed...

CVE-2026-31517

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix skbput panic on non-linear skb during reassembly In iptfsreassemcont, IP-TFS attempts to append data to the new inner packet 'newskb' that is being reassembled. First a zero-copy approach is tried if it succeeds...

CVE-2026-31513

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2capecredconnreq Syzbot reported a KASAN stack-out-of-bounds read in l2capbuildcmd that is triggered by a malformed Enhanced Credit Based Connection Request. The vulnerability...

CVE-2026-31510

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref on l2capsockreadycb Before using sk pointer, check if it is null. Fix the following: KASAN: null-ptr-deref in range 0x0000000000000260-0x0000000000000267 CPU: 0 UID: 0 PID: 5985 Comm:...

CVE-2026-31502

In the Linux kernel, the following vulnerability has been resolved: team: fix headerops type confusion with non-Ethernet ports Similar to commit 950803f72547 "bonding: fix type confusion in bondsetupbyslave" team has the same class of headerops type confusion. For non-Ethernet ports,...

CVE-2026-31496

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntrackexpect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea "netfilter: conntrack: do not dump other netns's conntrack entries via proc"...

CVE-2026-31495

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use netlink policy range checks Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extac...

CVE-2026-31483

In the Linux kernel, the following vulnerability has been resolved: s390/syscalls: Add spectre boundary for syscall dispatch table The s390 syscall number is directly controlled by userspace, but does not have an arrayindexnospec boundary to prevent access past the syscall function pointer tables...

CVE-2026-31482

In the Linux kernel, the following vulnerability has been resolved: s390/entry: Scrub r12 register on kernel entry Before commit f33f2d4c7c80 "s390/bp: remove TIFISOLATEBP", all entry handlers loaded r12 with the current task pointer lg %r12,LCCURRENT for use by the BPENTER/BPEXIT macros. That...

CVE-2026-31477

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix memory leaks and NULL deref in smb2lock smb2lock has three error handling issues after listdel detaches smblock from locklist at nocheckcl: 1 If vfslockfile returns an unexpected error in the non-UNLOCK path, goto out...

CVE-2026-31471

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: only publish modedata after clone setup iptfsclonestate stores x-modedata before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x-modedata pointi...

CVE-2026-31467

In the Linux kernel, the following vulnerability has been resolved: erofs: add GFPNOIO in the bio completion if needed The bio completion path in the process context e.g. dm-verity will directly call into decompression rather than trigger another workqueue context for minimal scheduling latencies...

CVE-2026-31464

In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfcdiscovertargetsdone A malicious or compromised VIO server can return a numwritten value in the discover targets MAD response that exceeds maxtargets. This value is stored directly in...

CVE-2026-31462

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: prevent immediate PASID reuse case PASID resue could cause interrupt issue when process immediately runs into hw state left by previous process exited with the same PASID, it's possible that page faults are still...