CVSS: 4.7EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43275 – scsi: ufs: core: Flush exception handling work when RPM level is zero
https://notcve.org/view.php?id=CVE-2026-43275
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0. When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the... • https://git.kernel.org/stable/c/57d104c153d3d6d7bea60089e80f37501851ed2c • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43273 – ceph: supply snapshot context in ceph_zero_partial_object()
https://notcve.org/view.php?id=CVE-2026-43273
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ceph: supply snapshot context in ceph_zero_partial_object() The ceph_zero_partial_object function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots. Reproducer: ../src/vstart.sh --new -x --localhost --bluestore ./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a' mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=.... • https://git.kernel.org/stable/c/ad7a60de882aca31afb58721db166f7e77afcd92 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43271 – md-cluster: fix NULL pointer dereference in process_metadata_update
https://notcve.org/view.php?id=CVE-2026-43271
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() sta... • https://git.kernel.org/stable/c/0ba959774e93911caff596de6391f085fb640ac4 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43270 – media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()
https://notcve.org/view.php?id=CVE-2026-43270
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove() In mtk_mdp_probe(), vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak. • https://git.kernel.org/stable/c/c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43269 – drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
https://notcve.org/view.php?id=CVE-2026-43269
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback After several commits, the slab memory increases. Some drm_crtc_commit objects are not freed. The atomic_destroy_state callback only put the framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function to put all the objects that are no longer needed. It has been seen after hours of usage of a graphics application or using kmemleak: unreferenced object 0xc63a... • https://git.kernel.org/stable/c/2389fc1305fc1e2cf8b310a75463fefd3058bf48 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43268 – hfsplus: pretend special inodes as regular files
https://notcve.org/view.php?id=CVE-2026-43268
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: hfsplus: pretend special inodes as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for special inodes. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43266 – EFI/CPER: don't go past the ARM processor CPER record buffer
https://notcve.org/view.php?id=CVE-2026-43266
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't go past the ARM processor CPER record buffer There's a logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 85491... • https://git.kernel.org/stable/c/2f74f09bce4f8d0236f20174a6daae63e10fe733 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43265 – KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
https://notcve.org/view.php?id=CVE-2026-43265
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as *something* has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nes... • https://git.kernel.org/stable/c/26844fee6adee9b1557d2279b0506285de9ee82b •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43264 – fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
https://notcve.org/view.php?id=CVE-2026-43264
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: fbdev: of: display_timing: fix refcount leak in of_get_display_timings() of_parse_phandle() returns a device_node with refcount incremented, which is stored in 'entry' and then copied to 'native_mode'. When the error paths at lines 184 or 192 jump to 'entryfail', native_mode's refcount is not decremented, causing a refcount leak. Fix this by changing the goto target from 'entryfail' to 'timingfail', which properly calls of_node_put(native_m... • https://git.kernel.org/stable/c/cc3f414cf2e404130584b63d373161ba6fd24bc2 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43262 – gfs2: fiemap page fault fix
https://notcve.org/view.php?id=CVE-2026-43262
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: gfs2: fiemap page fault fix In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode glock. This can lead to recursive glock taking if the fiemap buffer is memory mapped to the same inode and accessing it triggers a page fault. Fix by disabling page faults for iomap_fiemap() and faulting in the buffer by hand if necessary. Fixes xfstest generic/742. • https://git.kernel.org/stable/c/e9079cce201784632aed4b1a3121ee38c1ced0b6 • CWE-401: Missing Release of Memory after Effective Lifetime •