CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43472 – unshare: fix unshare_fs() handling
https://notcve.org/view.php?id=CVE-2026-43472
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness... • https://git.kernel.org/stable/c/741a295130606143edbf9fc740f633dbc1e6225f •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43469 – xprtrdma: Decrement re_receiving on the early exit paths
https://notcve.org/view.php?id=CVE-2026-43469
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Decrement re_receiving on the early exit paths In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receiving before returning. Otherwise we will hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and the completion will never be triggered. On a system with high memory pressure, this can appear as the follo... • https://git.kernel.org/stable/c/15788d1d1077ebe029c48842c738876516d85076 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43468 – net/mlx5: Fix deadlock between devlink lock and esw->wq
https://notcve.org/view.php?id=CVE-2026-43468
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix deadlock between devlink lock and esw->wq esw->work_queue executes esw_functions_changed_event_handler -> esw_vfs_changed_event_handler and acquires the devlink lock. .eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks when esw_vfs_changed_event_handler executes. Fix that by no long... • https://git.kernel.org/stable/c/f1bc646c9a06f09aad5d8bacb87103b5573ee45e •
CVSS: 8.2EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43466 – net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
https://notcve.org/view.php?id=CVE-2026-43466
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer. After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery. The DMA FIFO is a purely s... • https://git.kernel.org/stable/c/db75373c91b0cfb6a68ad6ae88721e4e21ae6261 •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43459 – ASoC: soc-core: flush delayed work before removing DAIs and widgets
https://notcve.org/view.php?id=CVE-2026-43459
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM clo... • https://git.kernel.org/stable/c/e894efef9ac7c10b7727798dcc711cccf07569f9 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43458 – serial: caif: hold tty->link reference in ldisc_open and ser_release
https://notcve.org/view.php?id=CVE-2026-43458
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port. Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied... • https://git.kernel.org/stable/c/e31d5a05948e4478ba8396063d1e1f39880928e2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43457 – mctp: i2c: fix skb memory leak in receive path
https://notcve.org/view.php?id=CVE-2026-43457
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: mctp: i2c: fix skb memory leak in receive path When 'midev->allow_rx' is false, the newly allocated skb isn't consumed by netif_rx(), it needs to free the skb directly. • https://git.kernel.org/stable/c/f5b8abf9fc3dacd7529d363e26fe8230935d65f8 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43456 – bonding: fix type confusion in bond_setup_by_slave()
https://notcve.org/view.php?id=CVE-2026-43456
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R... • https://git.kernel.org/stable/c/1284cd3a2b740d0118458d2ea470a1e5bc19b187 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43455 – mctp: route: hold key->lock in mctp_flow_prepare_output()
https://notcve.org/view.php?id=CVE-2026-43455
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: mctp: route: hold key->lock in mctp_flow_prepare_output() mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key(), but it does not hold key->lock while doing so. mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), so key->dev access is intended to be serialized by key->lock. The mctp_sendmsg() transmit path reaches mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output(... • https://git.kernel.org/stable/c/67737c457281dd199ceb9e31b6ba7efd3bfe566d •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43453 – netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
https://notcve.org/view.php?id=CVE-2026-43453
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16). Although pipapo_unmap() returns early when is_last is true with... • https://git.kernel.org/stable/c/3c4287f62044a90e73a561aa05fc46e62da173da •