Microsoft Discloses Linux Kernel Flaws Affecting SMB, KVM, Virtio, BPF, and Networking
Microsoft added several CVEs to its Security Update Guide for Linux kernel components, including CVE-2026-31609 in SMB, CVE-2026-31591 in KVM SEV/SNP handling, CVE-2026-31469 in virtio_net, CVE-2026-31525 in BPF, and CVE-2026-31494 in the macb network driver. The listed issues span memory-safety and logic flaws such as a double-free in smbd_free_send_io() after smbd_send_batch_flush(), a use-after-free in virtio_net, and undefined behavior in the BPF interpreter for signed division and modulo involving INT_MIN.
The disclosures also include a KVM fix that locks all vCPUs while synchronizing VMSAs during SEV-SNP launch completion, indicating impact in confidential computing and virtualization workflows, alongside a macb driver correction for queue statistics handling. Taken together, the entries show Microsoft tracking upstream Linux kernel vulnerabilities across file sharing, virtualization, packet processing, and network drivers, with several bugs carrying potential stability or security impact in environments running affected kernel code paths.
Timeline
Apr 26, 2026
Microsoft publishes CVE-2026-31609 advisory
Microsoft added CVE-2026-31609 to its Security Update Guide, describing an SMB client double-free issue in smbd_free_send_io() after smbd_send_batch_flush().
Apr 26, 2026
Microsoft publishes CVE-2026-31591 advisory
Microsoft published CVE-2026-31591 in its Security Update Guide, describing a KVM SEV issue involving locking all vCPUs when synchronizing VMSAs for SNP launch finish.
Apr 23, 2026
Microsoft publishes CVE-2026-31525 advisory
Microsoft released a Security Update Guide entry for CVE-2026-31525, covering undefined behavior in the BPF interpreter's signed division and modulo handling for INT_MIN.
Apr 23, 2026
Microsoft publishes CVE-2026-31494 advisory
Microsoft published CVE-2026-31494 in its Security Update Guide for a net: macb issue related to using the current queue number for statistics.
Apr 23, 2026
Microsoft publishes CVE-2026-31469 advisory
Microsoft added CVE-2026-31469 to its Security Update Guide, describing a virtio_net use-after-free issue involving dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
1 more from sources like msrc security advisories
Related Stories
Microsoft discloses multiple Linux kernel flaws affecting filesystems, networking, and drivers
Microsoft published a batch of Security Update Guide entries for Linux kernel vulnerabilities spanning core subsystems including `ext4`, `xfs`, memory management, networking, virtualization, and device drivers. The listed issues include memory-safety and stability flaws such as a use-after-free in `ext4` tracked as **CVE-2026-31446**, an `smc` double-free in **CVE-2026-31507**, a teardown-order use-after-free in the `spi-fsl-lpspi` driver in **CVE-2026-31485**, and a Bluetooth `L2CAP` bug in **CVE-2026-31498** that could trigger an infinite loop. Additional entries cover fixes in `af_key`, `netfilter` `ctnetlink`, `nfc` `nci`, `perf`, and memory-management code paths. The disclosures also include filesystem and virtual networking fixes such as **CVE-2026-31452** in `ext4`, **CVE-2026-31454** in `xfs`, and two `openvswitch` issues, **CVE-2026-31678** and **CVE-2026-31679`, addressing tunnel device release handling and MPLS payload-length validation. Microsoft further listed **CVE-2026-31601** in `vfio/xe` and **CVE-2026-31589** in the kernel MM subsystem, indicating broad exposure across Linux environments that rely on affected kernel components. The set of advisories points to patch activity focused on preventing use-after-free, double-free, locking, validation, and resource-lifecycle errors in widely deployed kernel code.
3 days ago
Microsoft Discloses Broad Set of Linux Kernel Vulnerabilities
Microsoft published a broad batch of Security Update Guide entries for Linux kernel flaws affecting memory management, networking, virtualization, device drivers, and subsystem input validation. The listed issues include use-after-free, NULL dereference, integer underflow, refcount underflow, information disclosure, and bounds-checking failures tracked as **`CVE-2026-31496`**, **`CVE-2026-31458`**, **`CVE-2026-31689`**, **`CVE-2026-31615`**, **`CVE-2026-31664`**, **`CVE-2026-31656`**, **`CVE-2026-31611`**, **`CVE-2026-31671`**, **`CVE-2026-31612`**, and others. Affected components span `nf_conntrack_expect`, `damon`, `edac_mc`, `renesas_usb3`, `xfrm`, `drm/i915`, `ksmbd`, `stmmac`, `tipc`, `mptcp`, `NFC`, `HID`, `KVM`, `mmc`, `x86/CPU`, `PCI endpoint`, `blk-cgroup`, `media/as102`, and `altera-tse`. Several entries point to bugs that could lead to kernel crashes, memory corruption, or data leakage if triggered through malformed input, protocol handling, or device interaction. Notable examples include a slab use-after-free in `mptcp`, information leaks in `xfrm_user` and `xfrm`, validation flaws in `ksmbd`, endpoint index handling in `usb: gadget: renesas_usb3`, and multiple underflow and teardown-ordering bugs across networking and driver code. The disclosures indicate a coordinated publication of upstream Linux kernel fixes through Microsoft's advisory channel, underscoring the need for organizations running Linux workloads in Microsoft-connected environments to review affected kernel versions and apply vendor patches promptly.
Yesterday
Microsoft Discloses Linux Kernel Flaws in Bridge and DRBD Components
Microsoft published security advisories for two Linux kernel vulnerabilities tracked as **CVE-2026-23381** and **CVE-2026-23356**. The first affects the networking stack's bridge code, where `nd_tbl` can be dereferenced as `NULL` when IPv6 is disabled, creating a stability and potential denial-of-service risk in affected systems. The second advisory covers a logic bug in the Distributed Replicated Block Device (**DRBD**) subsystem, specifically in `drbd_al_begin_io_nonblock()`. Together, the disclosures highlight flaws in both kernel networking and storage-replication paths that administrators should review in Microsoft-tracked update guidance and remediate through available vendor patches.
1 months ago