CVSS: 8.3 • EPSS: 0% • CPEs: 8 • EXPL: 0
CVE-2026-43291 – net: nfc: nci: Fix parameter validation for packet data
https://notcve.org/view.php?id=CVE-2026-43291
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Fix parameter validation for packet data
Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is not working any more. The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct).
• https://git.kernel.org/stable/c/8fcc7315a10a84264e55bb65ede10f0af20a983f
• CWE-908: Use of Uninitialized Resource
CVSS: - • EPSS: 0% • CPEs: 11 • EXPL: 0
CVE-2026-43289 – kexec: derive purgatory entry from symbol
https://notcve.org/view.php?id=CVE-2026-43289
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: kexec: derive purgatory entry from symbol
kexec_load_purgatory() derives image->start by locating e_entry inside an SHF_EXECINSTR section. If the purgatory object contains multiple executable sections with overlapping sh_addr, the entrypoint check can match more than once and trigger a WARN. Derive the entry section from the purgatory_start symbol when present and compute image->start from its final placement. Keep the existing e_entry fall...
• https://git.kernel.org/stable/c/f368aed4827bd4276c0e3664fb2cb815a8d7caf3
CVSS: - • EPSS: 0% • CPEs: 5 • EXPL: 0
CVE-2026-43288 – ext4: move ext4_percpu_param_init() before ext4_mb_init()
https://notcve.org/view.php?id=CVE-2026-43288
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: move ext4_percpu_param_init() before ext4_mb_init()
When running `kvm-xfstests -c ext4/1k -C 1 generic/383` with the `DOUBLE_CHECK` macro defined, the following panic is triggered:
==================================================================
EXT4-fs error (device vdc): ext4_validate_block_bitmap:423: comm mount: bg 0: bad block bitmap checksum
BUG: unable to handle page fault for address: ff110000fa2cc000
PGD 3e01067 P4D 3e02067...
• https://git.kernel.org/stable/c/d5e03cbb0c88cd1be39f2adc37d602230045964b
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0
CVE-2026-43287 – drm: Account property blob allocations to memcg
https://notcve.org/view.php?id=CVE-2026-43287
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm: Account property blob allocations to memcg
DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized property blobs backed by kernel memory. Currently, the blob data allocation is not accounted to the allocating process's memory cgroup, allowing unprivileged users to trigger unbounded kernel memory consumption and potentially cause system-wide OOM. Mark the property blob data allocation with GFP_KERNEL_ACCOUNT so that ...
• https://git.kernel.org/stable/c/e2f5d2ea479b9b2619965d43db70939589afe43a
CVSS: 5.5 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2025-71297 – wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()
https://notcve.org/view.php?id=CVE-2025-71297
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()
rtw8822b_set_antenna() can be called from userspace when the chip is powered off. In that case a WARNING is triggered in rtw8822b_config_trx_mode() because trying to read the RF registers when the chip is powered off returns an unexpected value. Call rtw8822b_config_trx_mode() in rtw8822b_set_antenna() only when the chip is powered on.
------------[ cut here ]------------
write...
• https://git.kernel.org/stable/c/297bcf8222f222fd7defead862de4b8e3ea0b08a
CVSS: 8.8 • EPSS: 0% • CPEs: 10 • EXPL: 1
CVE-2026-43284 – xfrm: esp: avoid in-place decrypt on shared skb frags
https://notcve.org/view.php?id=CVE-2026-43284
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinar...
• https://git.kernel.org/stable/c/cac2661c53f35cbe651bef9b07026a5a05ab8ce0
• CWE-123: Write-what-where Condition
CVSS: 5.5 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2025-71295 – fs/buffer: add alert in try_to_free_buffers() for folios without buffers
https://notcve.org/view.php?id=CVE-2025-71295
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers
try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buff...
• https://git.kernel.org/stable/c/d0eafc763135508be118dac208887a26c0adb74d
• CWE-476: NULL Pointer Dereference
CVSS: 5.5 • EPSS: 0% • CPEs: 4 • EXPL: 0
CVE-2025-71294 – drm/amdgpu: fix NULL pointer issue buffer funcs
https://notcve.org/view.php?id=CVE-2025-71294
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer issue buffer funcs
If SDMA block not enabled, buffer_funcs will not initialize, fix the null pointer issue if buffer_funcs not initialized.
• https://git.kernel.org/stable/c/b70438004a14f4d0f9890b3297cd66248728546c
• CWE-476: NULL Pointer Dereference
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0
CVE-2025-71292 – jfs: nlink overflow in jfs_rename
https://notcve.org/view.php?id=CVE-2025-71292
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: jfs: nlink overflow in jfs_rename
If nlink is maximal for a directory (-1) and inside that directory you perform a rename for some child directory (not moving from the parent), then the nlink of the first directory is first incremented and later decremented. Normally this is fine, but when nlink = -1 this causes a wrap around to 0, and then drop_nlink issues a warning. After applying the patch syzbot no longer issues any warnings. I also ra...
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVSS: 5.5 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2025-71291 – misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()
https://notcve.org/view.php?id=CVE-2025-71291
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()
In the function bcm_vk_read(), the pointer entry is checked, indicating that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the following code may cause null-pointer dereferences:
    struct vk_msg_blk tmp_msg = entry->to_h_msg[0];
    set_msg_id(&tmp_msg, entry->usr_msg_id);
    tmp_msg.size = entry->to_h_blks - 1;
To prevent these possible null-pointer dereferences, c...
• https://git.kernel.org/stable/c/88517757a829e9ce146a6c7233ad5dcdc66fcbb0
• CWE-476: NULL Pointer Dereference
