CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 1CVE-2026-43284 – xfrm: esp: avoid in-place decrypt on shared skb frags
https://notcve.org/view.php?id=CVE-2026-43284
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinar... • https://git.kernel.org/stable/c/cac2661c53f35cbe651bef9b07026a5a05ab8ce0 • CWE-123: Write-what-where Condition •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71295 – fs/buffer: add alert in try_to_free_buffers() for folios without buffers
https://notcve.org/view.php?id=CVE-2025-71295
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buff... • https://git.kernel.org/stable/c/d0eafc763135508be118dac208887a26c0adb74d • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-71292 – jfs: nlink overflow in jfs_rename
https://notcve.org/view.php?id=CVE-2025-71292
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: jfs: nlink overflow in jfs_rename If nlink is maximal for a directory (-1) and inside that directory you perform a rename for some child directory (not moving from the parent), then the nlink of the first directory is first incremented and later decremented. Normally this is fine, but when nlink = -1 this causes a wrap around to 0, and then drop_nlink issues a warning. After applying the patch syzbot no longer issues any warnings. I also ra... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71291 – misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()
https://notcve.org/view.php?id=CVE-2025-71291
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read() In the function bcm_vk_read(), the pointer entry is checked, indicating that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the following code may cause null-pointer dereferences: struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; set_msg_id(&tmp_msg, entry->usr_msg_id); tmp_msg.size = entry->to_h_blks - 1; To prevent these possible null-pointer dereferences, c... • https://git.kernel.org/stable/c/88517757a829e9ce146a6c7233ad5dcdc66fcbb0 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-71289 – fs/ntfs3: handle attr_set_size() errors when truncating files
https://notcve.org/view.php?id=CVE-2025-71289
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: handle attr_set_size() errors when truncating files If attr_set_size() fails while truncating down, the error is silently ignored and the inode may be left in an inconsistent state. • https://git.kernel.org/stable/c/4342306f0f0d5ff4315a204d315c1b51b914fca5 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-71288 – memory: mtk-smi: fix device leaks on common probe
https://notcve.org/view.php?id=CVE-2025-71288
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: memory: mtk-smi: fix device leaks on common probe Make sure to drop the reference taken when looking up the SMI device during common probe on late probe failure (e.g. probe deferral) and on driver unbind. • https://git.kernel.org/stable/c/47404757702ec8aa5c8310cdf58a267081f0ce6c • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-71287 – memory: mtk-smi: fix device leak on larb probe
https://notcve.org/view.php?id=CVE-2025-71287
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: memory: mtk-smi: fix device leak on larb probe Make sure to drop the reference taken when looking up the SMI device during larb probe on late probe failure (e.g. probe deferral) and on driver unbind. • https://git.kernel.org/stable/c/cc8bbe1a83128ad06457e4dc69907c4f9a6fc1a7 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-71286 – ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls
https://notcve.org/view.php?id=CVE-2025-71286
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls The size of the data behind of scontrol->ipc_control_data for bytes controls is: [1] sizeof(struct sof_ipc4_control_data) + // kernel only struct [2] sizeof(struct sof_abi_hdr)) + payload The max_size specifies the size of [2] and it is coming from topology. Change the function to take this into account and allocate adequate amount of memory behind scontrol->ipc_contro... • https://git.kernel.org/stable/c/a382082ff74b036944cbc5b6ad29b65f633acd3a •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-71285 – net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels
https://notcve.org/view.php?id=CVE-2025-71285
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels MHI stack offers the 'auto_queue' feature, which allows the MHI stack to auto queue the buffers for the RX path (DL channel). Though this feature simplifies the client driver design, it introduces race between the client drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback' for the DL channel may get called before the client driver is fully probed. This me... • https://git.kernel.org/stable/c/227fee5fc99eeb74d43bf68832f6d59d30ac07d8 • CWE-476: NULL Pointer Dereference •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43283 – net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
https://notcve.org/view.php?id=CVE-2026-43283
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle dma_free_coherent() in error path takes priv->rx_buf.alloc_len as the dma handle. This would lead to improper unmapping of the buffer. Change the dma handle to priv->rx_buf.alloc_phys. • https://git.kernel.org/stable/c/6af55ff52b02d492d45db88df3e461fa51a6f753 •