7.8
CVE-2026-31694 - fuse: reject oversized dirents in page cache
In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checkβ¦
7.3
CVE-2026-43025 - netfilter: ctnetlink: ignore explicit helper on new expectations
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ignore explicit helper on new expectations Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace β¦
8.1
CVE-2026-31771 - Bluetooth: hci_event: move wake reason storage into validated event handlers
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: move wake reason storage into validated event handlers hci_store_wake_reason() is called from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() enforces the per-β¦
7.1
CVE-2026-31697 - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed When retrieving the ID for the CPU, don't attempt to copy the ID blob to userspace if the firmware command failed. If the failure was due to an invalid lenβ¦
7.5
CVE-2026-43031 - net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets
In the Linux kernel, the following vulnerability has been resolved: net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets When a TX packet spans multiple buffer descriptors (scatter-gather), axienet_free_tx_chain sums the per-BD actual length from descriptor status into a caller-providβ¦
8.8
CVE-2026-43018 - Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed concurrently. Extβ¦
7.8
CVE-2026-31742 - vt: discard stale unicode buffer on alt screen exit after resize
In the Linux kernel, the following vulnerability has been resolved: vt: discard stale unicode buffer on alt screen exit after resize When enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and sets vc_uni_lines to NULL, a subsequent console resize via vc_do_resize() skips reallocating β¦
8.8
CVE-2026-31735 - iommupt: Fix short gather if the unmap goes into a large mapping
In the Linux kernel, the following vulnerability has been resolved: iommupt: Fix short gather if the unmap goes into a large mapping unmap has the odd behavior that it can unmap more than requested if the ending point lands within the middle of a large or contiguous IOPTE. In this case the gatheβ¦
8.8
CVE-2026-31773 - Bluetooth: SMP: derive legacy responder STK authentication from MITM state
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: derive legacy responder STK authentication from MITM state The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects wβ¦
7.8
CVE-2026-31768 - iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
In the Linux kernel, the following vulnerability has been resolved: iio: adc: ti-adc161s626: use DMA-safe memory for spi_read() Add a DMA-safe buffer and use it for spi_read() instead of a stack memory. All SPI buffers must be DMA-safe. Since we only need up to 3 bytes, we just use a u8[] insteaβ¦