CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43463 – rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()
https://notcve.org/view.php?id=CVE-2026-43463
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer() rxrpc_kernel_lookup_peer() can also return error pointers in addition to NULL, so just checking for NULL is not sufficient. Fix this by: (1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL on allocation failure. (2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the error code returned. • https://git.kernel.org/stable/c/72904d7b9bfbf2dd146254edea93958bc35bbbfe •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43459 – ASoC: soc-core: flush delayed work before removing DAIs and widgets
https://notcve.org/view.php?id=CVE-2026-43459
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM clo... • https://git.kernel.org/stable/c/e894efef9ac7c10b7727798dcc711cccf07569f9 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43458 – serial: caif: hold tty->link reference in ldisc_open and ser_release
https://notcve.org/view.php?id=CVE-2026-43458
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port. Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied... • https://git.kernel.org/stable/c/e31d5a05948e4478ba8396063d1e1f39880928e2 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43457 – mctp: i2c: fix skb memory leak in receive path
https://notcve.org/view.php?id=CVE-2026-43457
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: mctp: i2c: fix skb memory leak in receive path When 'midev->allow_rx' is false, the newly allocated skb isn't consumed by netif_rx(), it needs to free the skb directly. • https://git.kernel.org/stable/c/f5b8abf9fc3dacd7529d363e26fe8230935d65f8 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43456 – bonding: fix type confusion in bond_setup_by_slave()
https://notcve.org/view.php?id=CVE-2026-43456
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R... • https://git.kernel.org/stable/c/1284cd3a2b740d0118458d2ea470a1e5bc19b187 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43455 – mctp: route: hold key->lock in mctp_flow_prepare_output()
https://notcve.org/view.php?id=CVE-2026-43455
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: mctp: route: hold key->lock in mctp_flow_prepare_output() mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key(), but it does not hold key->lock while doing so. mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), so key->dev access is intended to be serialized by key->lock. The mctp_sendmsg() transmit path reaches mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output(... • https://git.kernel.org/stable/c/67737c457281dd199ceb9e31b6ba7efd3bfe566d •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43453 – netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
https://notcve.org/view.php?id=CVE-2026-43453
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16). Although pipapo_unmap() returns early when is_last is true with... • https://git.kernel.org/stable/c/3c4287f62044a90e73a561aa05fc46e62da173da •
CVSS: 8.2EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43452 – netfilter: x_tables: guard option walkers against 1-byte tail reads
https://notcve.org/view.php?id=CVE-2026-43452
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: guard option walkers against 1-byte tail reads When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. • https://git.kernel.org/stable/c/2e4e6a17af35be359cc8f1c924f8f198fbd478cc •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43451 – netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
https://notcve.org/view.php?id=CVE-2026-43451
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeue... • https://git.kernel.org/stable/c/8d45ff22f1b43249f0cf1baafe0262ca10d1666e •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43450 – netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
https://notcve.org/view.php?id=CVE-2026-43450
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassi... • https://git.kernel.org/stable/c/12f7a505331e6b2754684b509f2ac8f0011ce644 •