CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43295 – rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()
https://notcve.org/view.php?id=CVE-2026-43295
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net() When idtab allocation fails, net is not registered with rio_add_net() yet, so kfree(net) is sufficient to release the memory. Set mport->net to NULL to avoid dangling pointer. • https://git.kernel.org/stable/c/e6b585ca6e81badeb3d42db3cc408174f2826034 •
CVSS: 8.3EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43291 – net: nfc: nci: Fix parameter validation for packet data
https://notcve.org/view.php?id=CVE-2026-43291
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Fix parameter validation for packet data Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is not working any more. The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct). • https://git.kernel.org/stable/c/8fcc7315a10a84264e55bb65ede10f0af20a983f • CWE-908: Use of Uninitialized Resource •
CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2026-43289 – kexec: derive purgatory entry from symbol
https://notcve.org/view.php?id=CVE-2026-43289
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: kexec: derive purgatory entry from symbol kexec_load_purgatory() derives image->start by locating e_entry inside an SHF_EXECINSTR section. If the purgatory object contains multiple executable sections with overlapping sh_addr, the entrypoint check can match more than once and trigger a WARN. Derive the entry section from the purgatory_start symbol when present and compute image->start from its final placement. Keep the existing e_entry fall... • https://git.kernel.org/stable/c/f368aed4827bd4276c0e3664fb2cb815a8d7caf3 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43288 – ext4: move ext4_percpu_param_init() before ext4_mb_init()
https://notcve.org/view.php?id=CVE-2026-43288
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: move ext4_percpu_param_init() before ext4_mb_init() When running `kvm-xfstests -c ext4/1k -C 1 generic/383` with the `DOUBLE_CHECK` macro defined, the following panic is triggered: ================================================================== EXT4-fs error (device vdc): ext4_validate_block_bitmap:423: comm mount: bg 0: bad block bitmap checksum BUG: unable to handle page fault for address: ff110000fa2cc000 PGD 3e01067 P4D 3e02067... • https://git.kernel.org/stable/c/d5e03cbb0c88cd1be39f2adc37d602230045964b •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43287 – drm: Account property blob allocations to memcg
https://notcve.org/view.php?id=CVE-2026-43287
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm: Account property blob allocations to memcg DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized property blobs backed by kernel memory. Currently, the blob data allocation is not accounted to the allocating process's memory cgroup, allowing unprivileged users to trigger unbounded kernel memory consumption and potentially cause system-wide OOM. Mark the property blob data allocation with GFP_KERNEL_ACCOUNT so that ... • https://git.kernel.org/stable/c/e2f5d2ea479b9b2619965d43db70939589afe43a •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71297 – wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()
https://notcve.org/view.php?id=CVE-2025-71297
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode() rtw8822b_set_antenna() can be called from userspace when the chip is powered off. In that case a WARNING is triggered in rtw8822b_config_trx_mode() because trying to read the RF registers when the chip is powered off returns an unexpected value. Call rtw8822b_config_trx_mode() in rtw8822b_set_antenna() only when the chip is powered on. ------------[ cut here ]------------ write... • https://git.kernel.org/stable/c/297bcf8222f222fd7defead862de4b8e3ea0b08a •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 1CVE-2026-43284 – xfrm: esp: avoid in-place decrypt on shared skb frags
https://notcve.org/view.php?id=CVE-2026-43284
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinar... • https://git.kernel.org/stable/c/cac2661c53f35cbe651bef9b07026a5a05ab8ce0 • CWE-123: Write-what-where Condition •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-71292 – jfs: nlink overflow in jfs_rename
https://notcve.org/view.php?id=CVE-2025-71292
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: jfs: nlink overflow in jfs_rename If nlink is maximal for a directory (-1) and inside that directory you perform a rename for some child directory (not moving from the parent), then the nlink of the first directory is first incremented and later decremented. Normally this is fine, but when nlink = -1 this causes a wrap around to 0, and then drop_nlink issues a warning. After applying the patch syzbot no longer issues any warnings. I also ra... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71291 – misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()
https://notcve.org/view.php?id=CVE-2025-71291
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read() In the function bcm_vk_read(), the pointer entry is checked, indicating that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the following code may cause null-pointer dereferences: struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; set_msg_id(&tmp_msg, entry->usr_msg_id); tmp_msg.size = entry->to_h_blks - 1; To prevent these possible null-pointer dereferences, c... • https://git.kernel.org/stable/c/88517757a829e9ce146a6c7233ad5dcdc66fcbb0 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71289 – fs/ntfs3: handle attr_set_size() errors when truncating files
https://notcve.org/view.php?id=CVE-2025-71289
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: handle attr_set_size() errors when truncating files If attr_set_size() fails while truncating down, the error is silently ignored and the inode may be left in an inconsistent state. • https://git.kernel.org/stable/c/4342306f0f0d5ff4315a204d315c1b51b914fca5 •