CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43363 – x86/apic: Disable x2apic on resume if the kernel expects so
https://notcve.org/view.php?id=CVE-2026-43363
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/apic: Disable x2apic on resume if the kernel expects so When resuming from s2ram, firmware may re-enable x2apic mode, which may have been disabled by the kernel during boot either because it doesn't support IRQ remapping or for other reasons. This causes the kernel to continue using the xapic interface, while the hardware is in x2apic mode, which causes hangs. This happens on defconfig + bare metal + s2ram. Fix this in lapic_resume() by... • https://git.kernel.org/stable/c/6e1cb38a2aef7680975e71f23de187859ee8b158 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43361 – btrfs: fix transaction abort when snapshotting received subvolumes
https://notcve.org/view.php?id=CVE-2026-43361
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort when snapshotting received subvolumes Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol... • https://git.kernel.org/stable/c/dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43359 – btrfs: fix transaction abort on set received ioctl due to item overflow
https://notcve.org/view.php?id=CVE-2026-43359
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on set received ioctl due to item overflow If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before. This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem ... • https://git.kernel.org/stable/c/dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43343 – usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
https://notcve.org/view.php?id=CVE-2026-43343
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_subset: Fix unbalanced refcnt in geth_free geth_alloc() increments the reference count, but geth_free() fails to decrement it. This prevents the configuration of attributes via configfs after unlinking the function. Decrement the reference count in geth_free() to ensure proper cleanup. • https://git.kernel.org/stable/c/02832e56f88a981474ee4c7c141f46fc1b4454f4 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43340 – comedi: Reinit dev->spinlock between attachments to low-level drivers
https://notcve.org/view.php?id=CVE-2026-43340
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: comedi: Reinit dev->spinlock between attachments to low-level drivers `struct comedi_device` is the main controlling structure for a COMEDI device created by the COMEDI subsystem. It contains a member `spinlock` containing a spin-lock that is initialized by the COMEDI subsystem, but is reserved for use by a low-level driver attached to the COMEDI device (at least since commit 25436dc9d84f ("Staging: comedi: remove RT code")). Some COMEDI de... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43338 – btrfs: reserve enough transaction items for qgroup ioctls
https://notcve.org/view.php?id=CVE-2026-43338
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: reserve enough transaction items for qgroup ioctls Currently our qgroup ioctls don't reserve any space, they just do a transaction join, which does not reserve any space, neither for the quota tree updates nor for the delayed refs generated when updating the quota tree. The quota root uses the global block reserve, which is fine most of the time since we don't expect a lot of updates to the quota root, or to be too close to -ENOSPC s... • https://git.kernel.org/stable/c/5d13a37bd5327220e13329943d1228acfbe5934a •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43334 – Bluetooth: SMP: force responder MITM requirements before building the pairing response
https://notcve.org/view.php?id=CVE-2026-43334
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: force responder MITM requirements before building the pairing response smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making metho... • https://git.kernel.org/stable/c/2b64d153a0cc9d2b60e47be013cde8490f16e0a5 •
CVSS: -EPSS: 0%CPEs: 14EXPL: 0CVE-2026-43327 – USB: dummy-hcd: Fix locking/synchronization error
https://notcve.org/view.php?id=CVE-2026-43327
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix locking/synchronization error Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were ... • https://git.kernel.org/stable/c/7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43316 – media: solo6x10: Check for out of bounds chip_id
https://notcve.org/view.php?id=CVE-2026-43316
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: solo6x10: Check for out of bounds chip_id Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type (literal "1" is an "int") could end up being shifted beyond 32 bits, so instrumentation was added (and due to the double is_tw286x() call seen via inlining), Clang decides the second one must now be undefined behavior and elides the rest of the function[1]. This is a known problem with Clang (that is still being worked on... • https://git.kernel.org/stable/c/faa4fd2a09517b39cc1f5d622453f97a59acfdac •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43314 – dm: remove fake timeout to avoid leak request
https://notcve.org/view.php?id=CVE-2026-43314
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: dm: remove fake timeout to avoid leak request Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities. However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices. If an io-timeout-fail error is injected to a dm device, the request will be... • https://git.kernel.org/stable/c/e6ee8c0b767540f59e20da3ced282601db8aa502 •