Microsoft Discloses Broad Set of Linux Kernel Vulnerabilities
Microsoft published a broad batch of Security Update Guide entries for Linux kernel flaws affecting memory management, networking, virtualization, device drivers, and subsystem input validation. The listed issues include use-after-free, NULL dereference, integer underflow, refcount underflow, information disclosure, and bounds-checking failures tracked as CVE-2026-31496, CVE-2026-31458, CVE-2026-31689, CVE-2026-31615, CVE-2026-31664, CVE-2026-31656, CVE-2026-31611, CVE-2026-31671, CVE-2026-31612, and others. Affected components span nf_conntrack_expect, damon, edac_mc, renesas_usb3, xfrm, drm/i915, ksmbd, stmmac, tipc, mptcp, NFC, HID, KVM, mmc, x86/CPU, PCI endpoint, blk-cgroup, media/as102, and altera-tse.
Several entries point to bugs that could lead to kernel crashes, memory corruption, or data leakage if triggered through malformed input, protocol handling, or device interaction. Notable examples include a slab use-after-free in mptcp, information leaks in xfrm_user and xfrm, validation flaws in ksmbd, endpoint index handling in usb: gadget: renesas_usb3, and multiple underflow and teardown-ordering bugs across networking and driver code. The disclosures indicate a coordinated publication of upstream Linux kernel fixes through Microsoft's advisory channel, underscoring the need for organizations running Linux workloads in Microsoft-connected environments to review affected kernel versions and apply vendor patches promptly.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes CVE-2026-31689 advisory
Microsoft added CVE-2026-31689 to its Security Update Guide, describing a Linux kernel EDAC/mc issue involving error-path ordering in edac_mc_alloc().
Microsoft publishes batch of Linux kernel CVE advisories
Microsoft published a large set of Security Update Guide entries for Linux kernel vulnerabilities, including issues in USB, xfrm, ksmbd, networking, HID, KVM, MMC, PCI, memory management, media, and CPU components. The disclosures include CVE-2026-31578, CVE-2026-31586, CVE-2026-31588, CVE-2026-31594, CVE-2026-31611, CVE-2026-31612, CVE-2026-31615, CVE-2026-31622, CVE-2026-31624, CVE-2026-31628, CVE-2026-31649, CVE-2026-31651, CVE-2026-31656, CVE-2026-31658, CVE-2026-31662, CVE-2026-31664, CVE-2026-31669, and CVE-2026-31671.
Microsoft publishes CVE-2026-31496 advisory
Microsoft added CVE-2026-31496 to its Security Update Guide, covering a Linux kernel netfilter nf_conntrack_expect issue related to skipping expectations across network namespaces via proc.
Microsoft publishes CVE-2026-31458 advisory
Microsoft added CVE-2026-31458 to its Security Update Guide, describing a Linux kernel issue in mm/damon/sysfs involving access to contexts_arr[0] without checking contexts->nr first.
Sources
24 references tracked.
CVE-2026-31689 - Security Update Guide - Microsoft - EDAC/mc: Fix error path ordering in edac_mc_alloc() (msrc.microsoft.com)
CVE-2026-31656 - Security Update Guide - Microsoft - drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat (msrc.microsoft.com)
CVE-2026-31669 - Security Update Guide - Microsoft - mptcp: fix slab-use-after-free in __inet_lookup_established (msrc.microsoft.com)
CVE-2026-31671 - Security Update Guide - Microsoft - xfrm_user: fix info leak in build_report() (msrc.microsoft.com)
CVE-2026-31655 - Security Update Guide - Microsoft - pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled (msrc.microsoft.com)
CVE-2026-31664 - Security Update Guide - Microsoft - xfrm: clear trailing padding in build_polexpire() (msrc.microsoft.com)
CVE-2026-31496 - Security Update Guide - Microsoft - netfilter: nf_conntrack_expect: skip expectations in other netns via proc (msrc.microsoft.com)
CVE-2026-31458 - Security Update Guide - Microsoft - mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0] (msrc.microsoft.com)



