
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

bpf: reject direct access to nullable PTR_TO_BUF pointers

check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check. Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference. Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern.

https://git.kernel.org/stable/c/b453361384c2db1c703dacb806d5fd36aec4ceca

CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Fix thermal zone device registration error path

If thermal_zone_device_register_with_trips() fails after registering a thermal zone device, it needs to wait for the tz->removal completion like thermal_zone_device_unregister(), in case user space has managed to take a reference to the thermal zone device's kobject, in which case thermal_release() may not be called by the error path itself and tz may be freed prematurely. Add t...

https://git.kernel.org/stable/c/335176dd8ebaca6493807dceea33c478305667fa

CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: Disable KCOV instrumentation after load_segments()

The load_segments() function changes segment registers, invalidating GS base (which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins crashing the kernel in an endless loop. To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented kernel:

$ kexec -l /boot/otherKernel
$ k...

https://git.kernel.org/stable/c/0d345996e4cb573f8cc81d49b3ee9a7fd2035bef

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

crypto: caam - fix overflow on long hmac keys

When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache alignment, as otherwise the hashed key may corrupt neighbouring memory. The copying is performed using kmemdup, however this leads to an overflow: reading more bytes (aligned_len - keylen) from the keylen source buffer. Fix this by repl...

https://git.kernel.org/stable/c/199354d7fb6eaa2cc5bb650af0bca624baffee35

CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable: strictly check for maximum number of actions

The maximum number of flowtable hardware offload actions in IPv6 is:

* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ.
* Redirect (1 action)

Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions to...

https://git.kernel.org/stable/c/c29f74e0df7a02b8303bcdce93a7c0132d62577a

CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path

When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->ini...

https://git.kernel.org/stable/c/4ebe36c94aed95de71a8ce6a6762226d31c938ee

CVSS: - | EPSS: 0% | CPEs: 14 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

USB: dummy-hcd: Fix locking/synchronization error

Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were ...

https://git.kernel.org/stable/c/7dbd8f4cabd96db5a50513de9d83a8105a5ffc81

CVSS: - | EPSS: 0% | CPEs: 2 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix SCX_KICK_WAIT deadlock by deferring wait to balance callback

SCX_KICK_WAIT busy-waits in kick_cpus_irq_workfn() using smp_cond_load_acquire() until the target CPU's kick_sync advances. Because the irq_work runs in hardirq context, the waiting CPU cannot reschedule and its own kick_sync never advances. If multiple CPUs form a wait cycle, all CPUs deadlock. Replace the busy-wait in kick_cpus_irq_workfn() with resched_curr() to ...

https://git.kernel.org/stable/c/90e55164dad42c6546b698c031697b224a320834

CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: don't send a 6E related command when not supported

MCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the device doesn't support 6E. Apparently, the firmware is mistakenly advertising support for this command even on AX201 which does not support 6E and then the firmware crashes.

https://git.kernel.org/stable/c/0d2fc8821a7d667180ce27732697105db843a1b9

CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

USB: dummy-hcd: Fix interrupt synchronization error

This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), which added an emulated "interrupts enabled" flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned). ...

https://git.kernel.org/stable/c/04145a03db9d78469e0817ab3a767c76c0fb0947