CVSS: -EPSS: 0%CPEs: 12EXPL: 0CVE-2026-43449 – nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
https://notcve.org/view.php?id=CVE-2026-43449
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set dev->online_queues is a count incremented in nvme_init_queue. Thus, valid indices are 0 through dev->online_queues − 1. This patch fixes the loop condition to ensure the index stays within the valid range. Index 0 is excluded because it is the admin queue. KASAN splat: ================================================================== BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free driver... • https://git.kernel.org/stable/c/0f0d2c876c96d4908a9ef40959a44bec21bdd6cf •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43445 – e1000/e1000e: Fix leak in DMA error cleanup
https://notcve.org/view.php?id=CVE-2026-43445
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful ma... • https://git.kernel.org/stable/c/c1fa347f20f17f14a4a1575727fa24340e8a9117 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43439 – cgroup: fix race between task migration and iteration
https://notcve.org/view.php?id=CVE-2026-43439
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via: list_move_tail(&task->cg_list, &cset->mg_tasks); If a css_task_iter currently has it->task_pos pointing to this task, css_set_move_task() calls css_task_iter_skip() to keep the iterator valid. However, since the task has already been moved to ->mg_tasks, the iterator... • https://git.kernel.org/stable/c/b636fd38dc40113f853337a7d2a6885ad23b8811 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43437 – ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
https://notcve.org/view.php?id=CVE-2026-43437
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lif... • https://git.kernel.org/stable/c/f2b3614cefb61ee6046a0aaee503ee37f227d310 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43430 – usb: yurex: fix race in probe
https://notcve.org/view.php?id=CVE-2026-43430
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: yurex: fix race in probe The bbu member of the descriptor must be set to the value standing for uninitialized values before the URB whose completion handler sets bbu is submitted. Otherwise there is a window during which probing can overwrite already retrieved data. • https://git.kernel.org/stable/c/6bc235a2e24a5ef677daee3fd4f74f6cd643e23c •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43428 – USB: core: Limit the length of unkillable synchronous timeouts
https://notcve.org/view.php?id=CVE-2026-43428
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: USB: core: Limit the length of unkillable synchronous timeouts The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device. To prevent this sort of problem, enforce a maximum limit on the length of these u... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43427 – usb: class: cdc-wdm: fix reordering issue in read code path
https://notcve.org/view.php?id=CVE-2026-43427
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: class: cdc-wdm: fix reordering issue in read code path Quoting the bug report: Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1]. Fix it by using WRITE_ONCE and memory barriers. • https://git.kernel.org/stable/c/afba937e540c902c989cd516fd97ea0c8499bb27 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43426 – usb: renesas_usbhs: fix use-after-free in ISR during device removal
https://notcve.org/view.php?id=CVE-2026-43426
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: fix use-after-free in ISR during device removal In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free. Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt ... • https://git.kernel.org/stable/c/f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43425 – usb: image: mdc800: kill download URB on timeout
https://notcve.org/view.php?id=CVE-2026-43425
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: image: mdc800: kill download URB on timeout mdc800_device_read() submits download_urb and waits for completion. If the timeout fires and the device has not responded, the function returns without killing the URB, leaving it active. A subsequent read() resubmits the same URB while it is still in-flight, triggering the WARN in usb_submit_urb(): "URB submitted while active" Check the return value of wait_event_timeout() and kill the URB i... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43424 – usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
https://notcve.org/view.php?id=CVE-2026-43424
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped. Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately... • https://git.kernel.org/stable/c/c52661d60f636d17e26ad834457db333bd1df494 •