CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43391 – nsfs: tighten permission checks for handle opening
https://notcve.org/view.php?id=CVE-2026-43391
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for handle opening Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. • https://git.kernel.org/stable/c/5222470b2fbb3740f931f189db33dd1367b1ae75 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43388 – mm/damon/core: clear walk_control on inactive context in damos_walk()
https://notcve.org/view.php?id=CVE-2026-43388
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: clear walk_control on inactive context in damos_walk() damos_walk() sets ctx->walk_control to the caller-provided control structure before checking whether the context is running. If the context is inactive (damon_is_running() returns false), the function returns -EINVAL without clearing ctx->walk_control. This leaves a dangling pointer to a stack-allocated structure that will be freed when the caller returns. This is structu... • https://git.kernel.org/stable/c/bf0eaba0ff9c9c8e6fd58ddfa1a8b6df4b813f61 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43387 – staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
https://notcve.org/view.php?id=CVE-2026-43387
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser"), we don't trust the data in the frame so we should check the length better before acting on it • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43386 – staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
https://notcve.org/view.php?id=CVE-2026-43386
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array. • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43384 – net/tcp-ao: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2026-43384
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/tcp-ao: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. • https://git.kernel.org/stable/c/0a3a809089eb1d4a0a2fd0c16b520d603988c859 •
CVSS: 9.4EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43383 – net/tcp-md5: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2026-43383
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/tcp-md5: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. • https://git.kernel.org/stable/c/cfb6eeb4c860592edd123fdea908d23c6ad1c7dc •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43382 – batman-adv: Avoid double-rtnl_lock ELP metric worker
https://notcve.org/view.php?id=CVE-2026-43382
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: Avoid double-rtnl_lock ELP metric worker batadv_v_elp_get_throughput() might be called when the RTNL lock is already held. This could be problematic when the work queue item is cancelled via cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, an rtnl_lock() would cause a deadlock. To avoid this, rtnl_trylock() was used in this function to skip the retrieval of the ethtool information in case the RTNL lock w... • https://git.kernel.org/stable/c/a0019971f340ae02ba54cf1861f72da7e03e6b66 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43381 – nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
https://notcve.org/view.php?id=CVE-2026-43381
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep If we have runtime suspended, and userspace wants to use /dev/drm_dp_* then just tell it the device is busy instead of crashing in the GSP code. WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) Hardware name: L... • https://git.kernel.org/stable/c/8894f4919bc43f821775db2cfff4b917871b2102 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43380 – hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
https://notcve.org/view.php?id=CVE-2026-43380
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source. Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2... • https://git.kernel.org/stable/c/d014538aa38561cd24c5eb228223585f26c5ec71 •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43379 – ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
https://notcve.org/view.php?id=CVE-2026-43379
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being accessed after rcu_read_unlock() has been called. This creates a race condition where the memory could be freed by a concurrent writer between the unlock and the subsequent pointer dereferences (opinfo->is_lease, etc.), leading to a use-after-free. • https://git.kernel.org/stable/c/27b40b7bfcd121fe13a150ffe11957630cf49246 •