0.0
CVE-2026-31723 - usb: gadget: f_subset: Fix net_device lifecycle with device_move
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_subset: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbβ¦
0.0
CVE-2026-31722 - usb: gadget: f_rndis: Fix net_device lifecycle with device_move
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbiβ¦
0.0
CVE-2026-31721 - usb: gadget: f_hid: move list and spinlock inits from bind to alloc
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: move list and spinlock inits from bind to alloc There was an issue when you did the following: - setup and bind an hid gadget - open /dev/hidg0 - use the resulting fd in EPOLL_CTL_ADD - unbind the UDC - bind tβ¦
0.0
CVE-2026-31720 - usb: gadget: f_uac1_legacy: validate control request size
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size f_audio_complete() copies req->length bytes into a 4-byte stack variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-coβ¦
0.0
CVE-2026-31715 - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference. The concurrent scenario that triggers the panic is as follows:β¦
0.0
CVE-2026-31714 - f2fs: fix to avoid memory leak in f2fs_rename()
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid memory leak in f2fs_rename() syzbot reported a f2fs bug as below: BUG: memory leak unreferenced object 0xffff888127f70830 (size 16): comm "syz.0.23", pid 6144, jiffies 4294943712 hex dump (first 16 bytes):β¦
0.0
CVE-2026-31713 - fuse: abort on fatal signal during sync init
In the Linux kernel, the following vulnerability has been resolved: fuse: abort on fatal signal during sync init When sync init is used and the server exits for some reason (error, crash) while processing FUSE_INIT, the filesystem creation will hang. The reason is that while all other threads wiβ¦
0.0
CVE-2026-31710 - smb: client: fix dir separator in SMB1 UNIX mounts
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix dir separator in SMB1 UNIX mounts When calling cifs_mount_get_tcon() with SMB1 UNIX mounts, @cifs_sb->mnt_cifs_flags needs to be read or updated only after calling reset_cifs_unix_caps(), otherwise it might end uβ¦
0.0
CVE-2026-31704 - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
In the Linux kernel, the following vulnerability has been resolved: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated size can wrap pastβ¦
0.0
CVE-2026-31702 - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f2fs_put_super() on β¦