CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43223 – media: pvrusb2: fix URB leak in pvr2_send_request_ex
https://notcve.org/view.php?id=CVE-2026-43223
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix URB leak in pvr2_send_request_ex When pvr2_send_request_ex() submits a write URB successfully but fails to submit the read URB (e.g. returns -ENOMEM), it returns immediately without waiting for the write URB to complete. Since the driver reuses the same URB structure, a subsequent call to pvr2_send_request_ex() attempts to submit the still-active write URB, triggering a 'URB submitted while active' warning in usb_submit_... • https://git.kernel.org/stable/c/d855497edbfbf9e19a17f4a1154bca69cb4bd9ba • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43219 – net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
https://notcve.org/view.php?id=CVE-2026-43219
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Fix potential unregister of netdev that has not been registered yet If an error occurs during register_netdev() for the first MAC in cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL, cpsw->slaves[1].ndev would remain unchanged. This could later cause cpsw_unregister_ports() to attempt unregistering the second MAC. To address this, add a check for ndev->reg_state before calling unregister_netdev(). With t... • https://git.kernel.org/stable/c/ed3525eda4c4983fb8509e488de0a351788041ba •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43218 – media: i2c/tw9903: Fix potential memory leak in tw9903_probe()
https://notcve.org/view.php?id=CVE-2026-43218
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: i2c/tw9903: Fix potential memory leak in tw9903_probe() In one of the error paths in tw9903_probe(), the memory allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that by calling v4l2_ctrl_handler_free() on the handler in that error path. • https://git.kernel.org/stable/c/0890ec19c65def8c8e445931b026e0fa8d809a34 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43216 – net: Drop the lock in skb_may_tx_timestamp()
https://notcve.org/view.php?id=CVE-2026-43216
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: Drop the lock in skb_may_tx_timestamp() skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and complete the TX timestamp from that handler. This will lead to a deadlock if the lock is already write-locked on the same CPU. Taking the lock can be avoided. • https://git.kernel.org/stable/c/b245be1f4db1a0394e4b6eb66059814b46670ac3 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 0CVE-2026-43211 – PCI: Fix pci_slot_trylock() error handling
https://notcve.org/view.php?id=CVE-2026-43211
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_slot_trylock() error handling Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it forgets to remove the corresponding pci_dev_unlock() when pci_bus_trylock() fails. Before a4e772898f8b, the code did: if (!pci_dev_trylock(dev)) /* <- lock bridge device */ goto unlock; if (dev->subordinate) { if (!pci_bus_trylock(... • https://git.kernel.org/stable/c/e2355d513b89a2cb511b4ded0deb426cdb01acd0 • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43209 – minix: Add required sanity checking to minix_check_superblock()
https://notcve.org/view.php?id=CVE-2026-43209
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: minix: Add required sanity checking to minix_check_superblock() The fs/minix implementation of the minix filesystem does not currently support any other value for s_log_zone_size than 0. This is also the only value supported in util-linux; see mkfs.minix.c line 511. In addition, this patch adds some sanity checking for the other minix superblock fields, and moves the minix_blocks_needed() checks for the zmap and imap also to minix_check_sup... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43207 – media: mtk-mdp: Fix error handling in probe function
https://notcve.org/view.php?id=CVE-2026-43207
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix error handling in probe function Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent resource leak. Add check for the return value of vpu_get_plat_device() to prevent null pointer dereference. And vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak. • https://git.kernel.org/stable/c/c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43206 – drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
https://notcve.org/view.php?id=CVE-2026-43206
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of bounds kernel memory write by passing a small buffer, leading to potential privilege escalation. • https://git.kernel.org/stable/c/0fc8011f89feb8b2c3008583b777d097e1974660 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43204 – ASoC: qcom: q6asm: drop DSP responses for closed data streams
https://notcve.org/view.php?id=CVE-2026-43204
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce ("ASoC: qcom: q6asm: handle the responses after closing")' attempted to ignore DSP responses arriving after a stream had been closed. However, those responses were still handled, causing lockups. Fix this by unconditionally dropping all DSP responses associated with closed data streams. • https://git.kernel.org/stable/c/68fd8480bb7baaf361e983f75d8571f25e017c67 •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43203 – atm: fore200e: fix use-after-free in tasklets during device removal
https://notcve.org/view.php?id=CVE-2026-43203
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: atm: fore200e: fix use-after-free in tasklets during device removal When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet(). One of the race conditions can occur as follows: CPU 0 (cleanup) | CPU 1 (tasklet) fore2... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free •