5.5
CVE-2026-31481 - tracing: Drain deferred trigger frees if kthread creation fails
In the Linux kernel, the following vulnerability has been resolved: tracing: Drain deferred trigger frees if kthread creation fails Boot-time trigger registration can fail before the trigger-data cleanup kthread exists. Deferring those frees until late init is fine, but the post-boot fallback musβ¦
9.8
CVE-2026-31501 - net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is freed via k3_cppi_deβ¦
5.5
CVE-2026-31492 - RDMA/irdma: Initialize free_qp completion before using it
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Initialize free_qp completion before using it In irdma_create_qp, if ib_copy_to_udata fails, it will call irdma_destroy_qp to clean up which will attempt to wait on the free_qp completion, which is not initialized yetβ¦
7.8
CVE-2026-31471 - xfrm: iptfs: only publish mode_data after clone setup
In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: only publish mode_data after clone setup iptfs_clone_state() stores x->mode_data before allocating the reorder window. If that allocation fails, the code frees the cloned state and returns -ENOMEM, leaving x->mode_daβ¦
7.8
CVE-2026-31468 - vfio/pci: Fix double free in dma-buf feature
In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Fix double free in dma-buf feature The error path through vfio_pci_core_feature_dma_buf() ignores its own advice to only use dma_buf_put() after dma_buf_export(), instead falling through the entire unwind chain. In theβ¦
7.5
CVE-2026-31467 - erofs: add GFP_NOIO in the bio completion if needed
In the Linux kernel, the following vulnerability has been resolved: erofs: add GFP_NOIO in the bio completion if needed The bio completion path in the process context (e.g. dm-verity) will directly call into decompression rather than trigger another workqueue context for minimal scheduling latencβ¦
9.8
CVE-2026-31463 - iomap: fix invalid folio access when i_blkbits differs from I/O granularity
In the Linux kernel, the following vulnerability has been resolved: iomap: fix invalid folio access when i_blkbits differs from I/O granularity Commit aa35dd5cbc06 ("iomap: fix invalid folio access after folio_end_read()") partially addressed invalid folio access for folios without an ifs attacheβ¦
8.8
CVE-2026-31435 - netfs: Fix read abandonment during retry
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix read abandonment during retry Under certain circumstances, all the remaining subrequests from a read request will get abandoned during retry. The abandonment process expects the 'subreq' variable to be set to the placβ¦
9.8
CVE-2026-31436 - dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc() At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dβ¦
7.0
CVE-2026-31527 - driver core: platform: use generic driver_override infrastructure
In the Linux kernel, the following vulnerability has been resolved: driver core: platform: use generic driver_override infrastructure When a driver is probed through __driver_attach(), the bus' match() callback is called without the device lock held, thus accessing the driver_override field withoβ¦