CVSS: 9.4 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43114 – netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
https://notcve.org/view.php?id=CVE-2026-43114
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry New test case fails unexpectedly when avx2 matching functions are used. The test first loads a randomly generated pipapo set with 'ipv4 . port' key, i.e. nft -f foo. This works. Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f - This is expected to work, because it's the same set after all and it was already loaded once. But with avx2, this... • https://git.kernel.org/stable/c/7400b063969bdca4a06cd97f1294d765c8eecbe1 •
CVSS: 8.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43113 – wifi: wl1251: validate packet IDs before indexing tx_frames
https://notcve.org/view.php?id=CVE-2026-43113
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local ... • https://git.kernel.org/stable/c/2f01a1f58889fbfeb68b1bc1b52e4197f3333490 • CWE-476: NULL Pointer Dereference •
CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-43112 – fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
https://notcve.org/view.php?id=CVE-2026-43112
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read. This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL. The bug was identified ... • https://git.kernel.org/stable/c/a31080899d5fdafcccf7f39dd214a814a2c82626 • CWE-125: Out-of-bounds Read •
CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43111 – HID: roccat: fix use-after-free in roccat_report_event
https://notcve.org/view.php?id=CVE-2026-43111
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: roccat: fix use-after-free in roccat_report_event roccat_report_event() iterates over the device->readers list without holding the readers_lock. This allows a concurrent roccat_release() to remove and free a reader while it's still being accessed, leading to a use-after-free. Protect the readers list traversal with the readers_lock mutex. • https://git.kernel.org/stable/c/206f5f2fcb5ff5bb0c60f9e9189937f3ca03e378 • CWE-416: Use After Free •
CVSS: 8.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43110 – wifi: brcmfmac: validate bsscfg indices in IF events
https://notcve.org/view.php?id=CVE-2026-43110
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. [add missing wifi prefix] • https://git.kernel.org/stable/c/2880b86859967af710c72f7d34fb421a86a71e22 •
CVSS: 5.5 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-43107 – xfrm: account XFRMA_IF_ID in aevent size calculation
https://notcve.org/view.php?id=CVE-2026-43107
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm: account XFRMA_IF_ID in aevent size calculation xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set. xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic. Account XFRMA_I... • https://git.kernel.org/stable/c/7e6526404adedf079279aa7aa11722deaca8fe2e • CWE-131: Incorrect Calculation of Buffer Size •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43105 – drm/vc4: Fix memory leak of BO array in hang state
https://notcve.org/view.php?id=CVE-2026-43105
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix memory leak of BO array in hang state The hang state's BO array is allocated separately with kzalloc() in vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the missing kfree() for the BO array before freeing the hang state struct. • https://git.kernel.org/stable/c/214613656b5179f0daab6e0a080814b5100d45f0 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43104 – drm/vc4: Fix a memory leak in hang state error path
https://notcve.org/view.php?id=CVE-2026-43104
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix a memory leak in hang state error path When vc4_save_hang_state() encounters an early return condition, it returns without freeing the previously allocated `kernel_state`, leaking memory. Add the missing kfree() calls by consolidating the early return paths into a single place. • https://git.kernel.org/stable/c/214613656b5179f0daab6e0a080814b5100d45f0 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43103 – net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
https://notcve.org/view.php?id=CVE-2026-43103
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE lapbeth_data_transmit() expects the underlying device type to be ARPHRD_ETHER. Returning NOTIFY_BAD from lapbeth_device_event() makes sure bonding driver can not break this expectation. • https://git.kernel.org/stable/c/872254dd6b1f80cb95ee9e2e22980888533fc293 •
CVSS: 7.5 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2026-43101 – ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()
https://notcve.org/view.php?id=CVE-2026-43101
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data() We need to check __in6_dev_get() for possible NULL value, as suggested by Yiming Qian. Also add skb_dst_dev_rcu() instead of skb_dst_dev(), and two missing READ_ONCE(). Note that @dev can't be NULL. • https://git.kernel.org/stable/c/9ee11f0fff205b4b3df9750bff5e94f97c71b6a0 • CWE-476: NULL Pointer Dereference •
