CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43172 – wifi: iwlwifi: fix 22000 series SMEM parsing
https://notcve.org/view.php?id=CVE-2026-43172
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix 22000 series SMEM parsing If the firmware were to report three LMACs (which doesn't exist in hardware) then using "fwrt->smem_cfg.lmac[2]" is an overrun of the array. Reject such and use IWL_FW_CHECK instead of WARN_ON in this function. • https://git.kernel.org/stable/c/ebfa7f8ae155c9a0bb2e4038d6b5d8b14881c424 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43171 – EFI/CPER: don't dump the entire memory region
https://notcve.org/view.php?id=CVE-2026-43171
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't dump the entire memory region The current logic at cper_print_fw_err() doesn't check if the error record length is big enough to handle offset. On a bad firmware, if the ofset is above the actual record, length -= offset will underflow, making it dump the entire memory. The end result can be: - the logic taking a lot of time dumping large regions of memory; - data disclosure due to the memory dumps; - an OOPS, if it tries to... • https://git.kernel.org/stable/c/3d8c11efd528d56972d44ed0de51c4e11a9a4fa9 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43168 – ocfs2: fix reflink preserve cleanup issue
https://notcve.org/view.php?id=CVE-2026-43168
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix reflink preserve cleanup issue commit c06c303832ec ("ocfs2: fix xattr array entry __counted_by error") doesn't handle all cases and the cleanup job for preserved xattr entries still has bug: - the 'last' pointer should be shifted by one unit after cleanup an array entry. - current code logic doesn't cleanup the first entry when xh_count is 1. Note, commit c06c303832ec is also a bug fix for 0fe9b66c65f3. • https://git.kernel.org/stable/c/0fe9b66c65f3ff227da45381afe7612f91e32740 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43167 – xfrm: always flush state and policy upon NETDEV_UNREGISTER event
https://notcve.org/view.php?id=CVE-2026-43167
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: always flush state and policy upon NETDEV_UNREGISTER event syzbot is reporting that "struct xfrm_state" refcount is leaking. unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2 ref_tracker: netdev@ffff888052f24618 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_tracker_alloc include/linux/netdevice.h:4412 [inline] xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316... • https://git.kernel.org/stable/c/d77e38e612a017480157fe6d2c1422f42cb5b7e3 •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43163 – md/bitmap: fix GPF in write_page caused by resize race
https://notcve.org/view.php?id=CVE-2026-43163
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bitmap_daemon_work() and __bitmap_resize(). The daemon iterates over `bitmap->storage.filemap` without locking, while the resize path frees that storage via md_bitmap_file_unmap(). `quiesce()` does not stop the md thread, allowing concurr... • https://git.kernel.org/stable/c/d60b479d177a5735b6b4db6ee5280ef6653f50e7 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43162 – media: tegra-video: Fix memory leak in __tegra_channel_try_format()
https://notcve.org/view.php?id=CVE-2026-43162
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: tegra-video: Fix memory leak in __tegra_channel_try_format() The state object allocated by __v4l2_subdev_state_alloc() must be freed with __v4l2_subdev_state_free() when it is no longer needed. In __tegra_channel_try_format(), two error paths return directly after v4l2_subdev_call() fails, without freeing the allocated 'sd_state' object. This violates the requirement and causes a memory leak. Fix this by introducing a cleanup label a... • https://git.kernel.org/stable/c/1ebaeb09830f36c1111b72a95420814225bd761c • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43159 – staging: rtl8723bs: fix null dereference in find_network
https://notcve.org/view.php?id=CVE-2026-43159
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix null dereference in find_network The variable pwlan has the possibility of being NULL when passed into rtw_free_network_nolock() which would later dereference the variable. • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b • CWE-476: NULL Pointer Dereference •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43158 – xfs: fix freemap adjustments when adding xattrs to leaf blocks
https://notcve.org/view.php?id=CVE-2026-43158
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + xfs_attr3_leaf_hdr_size(leaf)); Upon enabling quite a lot more debugging code, I narrowed this down to fsstress trying to set a local extended attribute with namelen=3 and val... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43156 – net: usb: pegasus: enable basic endpoint checking
https://notcve.org/view.php?id=CVE-2026-43156
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: enable basic endpoint checking pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usb_rcvbulkpipe(dev, 1) for RX data - usb_sndbulkpipe(dev, 2) for TX data - usb_rcvintpipe(dev, 3) for status interrupts A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a pegasus_usb_ep enum for endpoint numbers, replacing... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43153 – xfs: remove xfs_attr_leaf_hasname
https://notcve.org/view.php?id=CVE-2026-43153
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: remove xfs_attr_leaf_hasname The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values. Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the ... • https://git.kernel.org/stable/c/07120f1abdff80f3d1351f733661abe28d609535 •