7.5
CVE-2026-31612 - ksmbd: validate EaNameLength in smb2_get_ea()
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2_get_ea() smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is tβ¦
7.1
CVE-2026-31614 - smb: client: fix off-by-8 bounds check in check_wsl_eas()
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at β¦
9.8
CVE-2026-31608 - smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()
In the Linux kernel, the following vulnerability has been resolved: smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list() smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to thβ¦
5.5
CVE-2026-31606 - usb: gadget: f_hid: don't call cdev_init while cdev in use
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: don't call cdev_init while cdev in use When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is stiβ¦
5.5
CVE-2026-31599 - media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections syzbot reported a general protection fault in vidtv_psi_desc_assign [1]. vidtv_psi_pmt_stream_init() can return NULL on memory allocation failure, buβ¦
7.5
CVE-2026-31598 - ocfs2: fix possible deadlock between unlink and dio_end_io_write
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible deadlock between unlink and dio_end_io_write ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. This creates an ABBβ¦
5.5
CVE-2026-31594 - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown epf_ntb_epc_destroy() duplicates the teardown that the caller is supposed to perform later. This leads to an oops when .allow_link fails or when .drop_link is perforβ¦
5.5
CVE-2026-31604 - wifi: rtw88: fix device leak on probe failure
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix device leak on probe failure Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the strβ¦
4
CVE-2026-42095 -
bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.
6.1
CVE-2025-61872 - Mahara XSS Vulnerability via Malicious Search Query in Elasticsearch7 Plugin
Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7 search plugin. The Elasticsearch function does not properly sanitize input in the query parameter.