CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43361 – btrfs: fix transaction abort when snapshotting received subvolumes
https://notcve.org/view.php?id=CVE-2026-43361
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort when snapshotting received subvolumes Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol... • https://git.kernel.org/stable/c/dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43360 – btrfs: fix transaction abort on file creation due to name hash collision
https://notcve.org/view.php?id=CVE-2026-43360
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on file creation due to name hash collision If we attempt to create several files with names that result in the same hash, we have to pack them in same dir item and that has a limit inherent to the leaf size. However if we reach that limit, we trigger a transaction abort and turns the filesystem into RO mode. This allows for a malicious user to disrupt a system, without the need to have administration privileges... • https://git.kernel.org/stable/c/caae78e032343df525b8d05c58b462827f10b2a3 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43359 – btrfs: fix transaction abort on set received ioctl due to item overflow
https://notcve.org/view.php?id=CVE-2026-43359
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on set received ioctl due to item overflow If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before. This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem ... • https://git.kernel.org/stable/c/dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43357 – iio: gyro: mpu3050-core: fix pm_runtime error handling
https://notcve.org/view.php?id=CVE-2026-43357
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: iio: gyro: mpu3050-core: fix pm_runtime error handling The return value of pm_runtime_get_sync() is not checked, allowing the driver to access hardware that may fail to resume. The device usage count is also unconditionally incremented. Use pm_runtime_resume_and_get() which propagates errors and avoids incrementing the usage count on failure. In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate() failure since postdisable d... • https://git.kernel.org/stable/c/3904b28efb2c780c23dcddfb87e07fe0230661e5 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43355 – iio: light: bh1780: fix PM runtime leak on error path
https://notcve.org/view.php?id=CVE-2026-43355
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: iio: light: bh1780: fix PM runtime leak on error path Move pm_runtime_put_autosuspend() before the error check to ensure the PM runtime reference count is always decremented after pm_runtime_get_sync(), regardless of whether the read operation succeeds or fails. • https://git.kernel.org/stable/c/1f0477f18306c018a954e4f333690a9d0f7efc76 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43354 – iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
https://notcve.org/view.php?id=CVE-2026-43354
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: iio: proximity: hx9023s: Protect against division by zero in set_samp_freq Avoid division by zero when sampling frequency is unspecified. • https://git.kernel.org/stable/c/60df548277b7281171f51b87b214ab6717fc6101 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43353 – i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
https://notcve.org/view.php?id=CVE-2026-43353
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time. However, the function is not serialized and can race with itself. When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances... • https://git.kernel.org/stable/c/9ad9a52cce2828d932ae9495181e3d6414f72c07 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43352 – i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
https://notcve.org/view.php?id=CVE-2026-43352
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue The logic used to abort the DMA ring contains several flaws: 1. The driver unconditionally issues a ring abort even when the ring has already stopped. 2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior. 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts... • https://git.kernel.org/stable/c/9ad9a52cce2828d932ae9495181e3d6414f72c07 •
CVSS: 7.6EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43350 – smb: client: require a full NFS mode SID before reading mode bits
https://notcve.org/view.php?id=CVE-2026-43350
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: require a full NFS mode SID before reading mode bits parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives t... • https://git.kernel.org/stable/c/e2f8fbfb8d09c06decde162090fac3ee220aa280 •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43345 – net: ipa: fix event ring index not programmed for IPA v5.0+
https://notcve.org/view.php?id=CVE-2026-43345
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ipa: fix event ring index not programmed for IPA v5.0+ For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to CH_C_CNTXT_1. The v5.0 register definition intended to define this field in the CH_C_CNTXT_1 fmask array but used the old identifier of ERINDEX instead of CH_ERINDEX. Without a valid event ring, GSI channels could never signal transfer completions. This caused gsi_channel_trans_quiesce() to block forever in wait_f... • https://git.kernel.org/stable/c/faf0678ec8a0aa9039d8b188d012206abd67dd5c •