CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71285 – net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels
https://notcve.org/view.php?id=CVE-2025-71285
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels MHI stack offers the 'auto_queue' feature, which allows the MHI stack to auto queue the buffers for the RX path (DL channel). Though this feature simplifies the client driver design, it introduces race between the client drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback' for the DL channel may get called before the client driver is fully probed. This me... • https://git.kernel.org/stable/c/227fee5fc99eeb74d43bf68832f6d59d30ac07d8 • CWE-476: NULL Pointer Dereference •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43283 – net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
https://notcve.org/view.php?id=CVE-2026-43283
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle dma_free_coherent() in error path takes priv->rx_buf.alloc_len as the dma handle. This would lead to improper unmapping of the buffer. Change the dma handle to priv->rx_buf.alloc_phys. • https://git.kernel.org/stable/c/6af55ff52b02d492d45db88df3e461fa51a6f753 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43281 – mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
https://notcve.org/view.php?id=CVE-2026-43281
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that functi... • https://git.kernel.org/stable/c/2b6d83e2b8b7de82331a6a1dcd64b51020a6031c • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43279 – ALSA: usb-audio: Add sanity check for OOB writes at silencing
https://notcve.org/view.php?id=CVE-2026-43279
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the buffer size. But when the setup in the capture stream differs from the playback stream (e.g. due to the USB core limitation of max packet size), such an inconsistency may lead to OOB writes to the buffer, resulting in a crash. For addr... • https://git.kernel.org/stable/c/c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43277 – APEI/GHES: ensure that won't go past CPER allocated record
https://notcve.org/view.php?id=CVE-2026-43277
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: APEI/GHES: ensure that won't go past CPER allocated record The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller. Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS: Unab... • https://git.kernel.org/stable/c/d334a49113a4a33109fd24e46073280ecd1bea0d •
CVSS: 4.7EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43275 – scsi: ufs: core: Flush exception handling work when RPM level is zero
https://notcve.org/view.php?id=CVE-2026-43275
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0. When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the... • https://git.kernel.org/stable/c/57d104c153d3d6d7bea60089e80f37501851ed2c • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43273 – ceph: supply snapshot context in ceph_zero_partial_object()
https://notcve.org/view.php?id=CVE-2026-43273
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ceph: supply snapshot context in ceph_zero_partial_object() The ceph_zero_partial_object function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots. Reproducer: ../src/vstart.sh --new -x --localhost --bluestore ./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a' mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=.... • https://git.kernel.org/stable/c/ad7a60de882aca31afb58721db166f7e77afcd92 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43271 – md-cluster: fix NULL pointer dereference in process_metadata_update
https://notcve.org/view.php?id=CVE-2026-43271
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() sta... • https://git.kernel.org/stable/c/0ba959774e93911caff596de6391f085fb640ac4 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43270 – media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()
https://notcve.org/view.php?id=CVE-2026-43270
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove() In mtk_mdp_probe(), vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak. • https://git.kernel.org/stable/c/c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43269 – drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
https://notcve.org/view.php?id=CVE-2026-43269
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback After several commits, the slab memory increases. Some drm_crtc_commit objects are not freed. The atomic_destroy_state callback only put the framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function to put all the objects that are no longer needed. It has been seen after hours of usage of a graphics application or using kmemleak: unreferenced object 0xc63a... • https://git.kernel.org/stable/c/2389fc1305fc1e2cf8b310a75463fefd3058bf48 • CWE-401: Missing Release of Memory after Effective Lifetime •