CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43476 – iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
https://notcve.org/view.php?id=CVE-2026-43476
13 May 2026 — In the Linux kernel, the following vulnerability has been resolved: iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead of the intended __be32 element size (4 bytes). Use sizeof(*meas) to correctly match the buffer element type. • https://git.kernel.org/stable/c/8f3f130852785dac0759843835ca97c3bacc2b10 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43500 – rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
https://notcve.org/view.php?id=CVE-2026-43500
11 May 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained s... • https://git.kernel.org/stable/c/d0d5c0cd1e711c98703f3544c1e6fc1372898de5 • CWE-787: Out-of-bounds Write •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43475 – scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
https://notcve.org/view.php?id=CVE-2026-43475
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT This resolves the follow splat and lock-up when running with PREEMPT_RT enabled on Hyper-V: [ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002 [ 415.140822] INFO: lockdep is turned off. [ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry i... • https://git.kernel.org/stable/c/d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43473 – scsi: mpi3mr: Add NULL checks when resetting request and reply queues
https://notcve.org/view.php?id=CVE-2026-43473
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but attempted to mem set the content of the freed memory, leading to a system crash. Add NULL pointer checks for reply and request queues befo... • https://git.kernel.org/stable/c/fe6db615156573d3f6a37564b8a590cb03bbaf25 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43472 – unshare: fix unshare_fs() handling
https://notcve.org/view.php?id=CVE-2026-43472
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness... • https://git.kernel.org/stable/c/741a295130606143edbf9fc740f633dbc1e6225f •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43471 – scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
https://notcve.org/view.php?id=CVE-2026-43471
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL pointer dereference when accessing hwq->id. This can happen if ufshcd_mcq_req_to_hwq() returns NULL. This patch adds a NULL check for hwq before accessing its id field to prevent a kernel crash. Kernel log excerpt: [
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43470 – nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
https://notcve.org/view.php?id=CVE-2026-43470
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir If we found an alias through nfs3_do_create/nfs_add_or_obtain /d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative. This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open. This has been o... • https://git.kernel.org/stable/c/7c6c5249f061b64fc6b5b90bc147169a048691bf •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43469 – xprtrdma: Decrement re_receiving on the early exit paths
https://notcve.org/view.php?id=CVE-2026-43469
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Decrement re_receiving on the early exit paths In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receiving before returning. Otherwise we will hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and the completion will never be triggered. On a system with high memory pressure, this can appear as the follo... • https://git.kernel.org/stable/c/15788d1d1077ebe029c48842c738876516d85076 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43468 – net/mlx5: Fix deadlock between devlink lock and esw->wq
https://notcve.org/view.php?id=CVE-2026-43468
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix deadlock between devlink lock and esw->wq esw->work_queue executes esw_functions_changed_event_handler -> esw_vfs_changed_event_handler and acquires the devlink lock. .eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks when esw_vfs_changed_event_handler executes. Fix that by no long... • https://git.kernel.org/stable/c/f1bc646c9a06f09aad5d8bacb87103b5573ee45e •
CVSS: 8.2EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43466 – net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
https://notcve.org/view.php?id=CVE-2026-43466
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer. After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery. The DMA FIFO is a purely s... • https://git.kernel.org/stable/c/db75373c91b0cfb6a68ad6ae88721e4e21ae6261 •