7.1
CVE-2026-31699 - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e.β¦
8.8
CVE-2026-31706 - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation: aces_base = kmalloc(sizeof(sβ¦
5.5
CVE-2026-31750 - comedi: runflags cannot determine whether to reclaim chanlist
In the Linux kernel, the following vulnerability has been resolved: comedi: runflags cannot determine whether to reclaim chanlist syzbot reported a memory leak [1], because commit 4e1da516debb ("comedi: Add reference counting for Comedi command handling") did not consider the exceptional exit casβ¦
5.5
CVE-2026-31749 - comedi: ni_atmio16d: Fix invalid clean-up after failed attach
In the Linux kernel, the following vulnerability has been resolved: comedi: ni_atmio16d: Fix invalid clean-up after failed attach If the driver's COMEDI "attach" handler function (`atmio16d_attach()`) returns an error, the COMEDI core will call the driver's "detach" handler function (`atmio16d_deβ¦
5.5
CVE-2026-31744 - PM: EM: Fix NULL pointer dereference when perf domain ID is not found
In the Linux kernel, the following vulnerability has been resolved: PM: EM: Fix NULL pointer dereference when perf domain ID is not found dev_energymodel_nl_get_perf_domains_doit() calls em_perf_domain_get_by_id() but does not check the return value before passing it to __em_nl_get_pd_size(). Wheβ¦
5.5
CVE-2026-31736 - net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled If the gmac0 is disabled, the precheck for a valid ingress device will cause a NULL pointer deref and crash the system. This happens because eth->netdev[0] will be Nβ¦
5.5
CVE-2026-31734 - sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU
In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU Since commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for trampoline.c"), the BPF prolog (__bpf_prog_enter) calls migrate_disable() only wheβ¦
7.8
CVE-2026-31730 - misc: fastrpc: possible double-free of cctx->remote_heap
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: possible double-free of cctx->remote_heap fastrpc_init_create_static_process() may free cctx->remote_heap on the err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove() frees cctx->remote_heap agβ¦
5.5
CVE-2026-31726 - usb: gadget: uvc: fix NULL pointer dereference during unbind race
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: fix NULL pointer dereference during unbind race Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly shutdown") introduced two stages of synchronization waits totaling 1500ms in uvc_function_β¦
9.8
CVE-2026-43038 - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is clβ¦