CVSS: 5.5 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2026-43355 – iio: light: bh1780: fix PM runtime leak on error path
https://notcve.org/view.php?id=CVE-2026-43355
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
iio: light: bh1780: fix PM runtime leak on error path
Move pm_runtime_put_autosuspend() before the error check to ensure the PM runtime reference count is always decremented after pm_runtime_get_sync(), regardless of whether the read operation succeeds or fails.
https://git.kernel.org/stable/c/1f0477f18306c018a954e4f333690a9d0f7efc76 • CWE-401: Missing Release of Memory after Effective Lifetime
CVSS: - • EPSS: 0% • CPEs: 4 • EXPL: 0
CVE-2026-43354 – iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
https://notcve.org/view.php?id=CVE-2026-43354
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
Avoid division by zero when sampling frequency is unspecified.
https://git.kernel.org/stable/c/60df548277b7281171f51b87b214ab6717fc6101
CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0
CVE-2026-43353 – i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
https://notcve.org/view.php?id=CVE-2026-43353
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that time out around the same time. However, the function is not serialized and can race with itself. When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances...
https://git.kernel.org/stable/c/9ad9a52cce2828d932ae9495181e3d6414f72c07
CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0
CVE-2026-43352 – i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
https://notcve.org/view.php?id=CVE-2026-43352
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
The logic used to abort the DMA ring contains several flaws:
1. The driver unconditionally issues a ring abort even when the ring has already stopped.
2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior.
3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts...
https://git.kernel.org/stable/c/9ad9a52cce2828d932ae9495181e3d6414f72c07
CVSS: - • EPSS: 0% • CPEs: 3 • EXPL: 0
CVE-2026-43351 – KVM: arm64: Eagerly init vgic dist/redist on vgic creation
https://notcve.org/view.php?id=CVE-2026-43351
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Eagerly init vgic dist/redist on vgic creation
If vgic_allocate_private_irqs_locked() fails for any odd reason, we exit kvm_vgic_create() early, leaving dist->rd_regions uninitialised. kvm_vgic_dist_destroy() then comes along and walks into the weeds trying to free the RDs. Got to love this stuff. Solve it by moving all the static initialisation early, and make sure that if we fail halfway, we're in a reasonable shape to perform...
https://git.kernel.org/stable/c/b3aa9283c0c505b5cfd25f7d6cfd720de2adc807
CVSS: 7.6 • EPSS: 0% • CPEs: 5 • EXPL: 0
CVE-2026-43350 – smb: client: require a full NFS mode SID before reading mode bits
https://notcve.org/view.php?id=CVE-2026-43350
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
smb: client: require a full NFS mode SID before reading mode bits
parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives t...
https://git.kernel.org/stable/c/e2f8fbfb8d09c06decde162090fac3ee220aa280
CVSS: 7.5 • EPSS: 0% • CPEs: 3 • EXPL: 0
CVE-2026-43347 – arm64: dts: qcom: monaco: Reserve full Gunyah metadata region
https://notcve.org/view.php?id=CVE-2026-43347
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
arm64: dts: qcom: monaco: Reserve full Gunyah metadata region
We observe spurious "Synchronous External Abort" exceptions (ESR=0x96000010) and kernel crashes on Monaco-based platforms. These faults are caused by the kernel inadvertently accessing hypervisor-owned memory that is not properly marked as reserved. From boot log, the Qualcomm hypervisor reports the memory range at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned: qhee_h...
https://git.kernel.org/stable/c/7be190e4bdd2bd1aca84afef06bb755c06a85473
CVSS: - • EPSS: 0% • CPEs: 4 • EXPL: 0
CVE-2026-43346 – ice: ptp: don't WARN when controlling PF is unavailable
https://notcve.org/view.php?id=CVE-2026-43346
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
ice: ptp: don't WARN when controlling PF is unavailable
In VFIO passthrough setups, it is possible to pass through only a PF which doesn't own the source timer. In that case the PTP controlling PF (adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp() returns NULL and triggers WARN_ON() in ice_ptp_setup_pf(). Since this is an expected behavior in that configuration, replace WARN_ON() with an informational message and retur...
https://git.kernel.org/stable/c/e800654e85b5b27966fc6493201f5f8cf658beb6
CVSS: 7.5 • EPSS: 0% • CPEs: 5 • EXPL: 0
CVE-2026-43345 – net: ipa: fix event ring index not programmed for IPA v5.0+
https://notcve.org/view.php?id=CVE-2026-43345
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
net: ipa: fix event ring index not programmed for IPA v5.0+
For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to CH_C_CNTXT_1. The v5.0 register definition intended to define this field in the CH_C_CNTXT_1 fmask array but used the old identifier of ERINDEX instead of CH_ERINDEX. Without a valid event ring, GSI channels could never signal transfer completions. This caused gsi_channel_trans_quiesce() to block forever in wait_f...
https://git.kernel.org/stable/c/faf0678ec8a0aa9039d8b188d012206abd67dd5c
CVSS: - • EPSS: 0% • CPEs: 2 • EXPL: 0
CVE-2026-43344 – perf/x86/intel/uncore: Fix die ID init and look up bugs
https://notcve.org/view.php?id=CVE-2026-43344
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel/uncore: Fix die ID init and look up bugs
In snbep_pci2phy_map_init(), in the nr_node_ids > 8 path, uncore_device_to_die() may return -1 when all CPUs associated with the UBOX device are offline. Remove the WARN_ON_ONCE(die_id == -1) check for two reasons:
- The current code breaks out of the loop. This is incorrect because pci_get_device() does not guarantee iteration in domain or bus order, so additional UBOX devices may be ...
https://git.kernel.org/stable/c/9a7832ce3d920426a36cdd78eda4b3568d4d09e3
