CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43450 – netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
https://notcve.org/view.php?id=CVE-2026-43450
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassi... • https://git.kernel.org/stable/c/12f7a505331e6b2754684b509f2ac8f0011ce644 •
CVSS: - | EPSS: 0% | CPEs: 12 | EXPL: 0
CVE-2026-43449 – nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
https://notcve.org/view.php?id=CVE-2026-43449
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set dev->online_queues is a count incremented in nvme_init_queue. Thus, valid indices are 0 through dev->online_queues − 1. This patch fixes the loop condition to ensure the index stays within the valid range. Index 0 is excluded because it is the admin queue. KASAN splat: ================================================================== BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free driver... • https://git.kernel.org/stable/c/0f0d2c876c96d4908a9ef40959a44bec21bdd6cf •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-43448 – nvme-pci: Fix race bug in nvme_poll_irqdisable()
https://notcve.org/view.php?id=CVE-2026-43448
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix race bug in nvme_poll_irqdisable() In the following scenario, pdev can be disabled between (1) and (3) by (2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). This causes IRQ warning because it tries to enable INTx IRQ that has never been disabled before. To fix this, save IRQ number into a local variable and ensure disable_irq() and enable_irq(... • https://git.kernel.org/stable/c/fa059b856a593a7bddd4d3779ae8ab1380e05d91 •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43445 – e1000/e1000e: Fix leak in DMA error cleanup
https://notcve.org/view.php?id=CVE-2026-43445
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful ma... • https://git.kernel.org/stable/c/c1fa347f20f17f14a4a1575727fa24340e8a9117 •
CVSS: - | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2026-43443 – ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
https://notcve.org/view.php?id=CVE-2026-43443
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp-mach-common: Add missing error check for clock acquisition The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions. Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding IS_ERR() checks immediately after each clock acquisition. • https://git.kernel.org/stable/c/d4c750f2c7d44b5b39e197308bc3f510205bba4b •
CVSS: 7.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-43441 – net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
https://notcve.org/view.php?id=CVE-2026-43441
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags... • https://git.kernel.org/stable/c/4e24be018eb9dbcefa4b01c07e298b147dc1a4d7 •
CVSS: - | EPSS: 0% | CPEs: 10 | EXPL: 0
CVE-2026-43439 – cgroup: fix race between task migration and iteration
https://notcve.org/view.php?id=CVE-2026-43439
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via: list_move_tail(&task->cg_list, &cset->mg_tasks); If a css_task_iter currently has it->task_pos pointing to this task, css_set_move_task() calls css_task_iter_skip() to keep the iterator valid. However, since the task has already been moved to ->mg_tasks, the iterator... • https://git.kernel.org/stable/c/b636fd38dc40113f853337a7d2a6885ad23b8811 •
CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-43437 – ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
https://notcve.org/view.php?id=CVE-2026-43437
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lif... • https://git.kernel.org/stable/c/f2b3614cefb61ee6046a0aaee503ee37f227d310 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-43436 – ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
https://notcve.org/view.php?id=CVE-2026-43436
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces The Scarlett2 mixer quirk in USB-audio driver may hit a NULL dereference when a malformed USB descriptor is passed, since it assumes the presence of an endpoint in the parsed interface in scarlett2_find_fc_interface(), as reported by fuzzer. For avoiding the NULL dereference, just add the sanity check of bNumEndpoints and skip the invalid interface. • https://git.kernel.org/stable/c/6c0a2078134aba6a77291554035304df9e16b85c •
CVSS: - | EPSS: 0% | CPEs: 10 | EXPL: 0
CVE-2026-43432 – usb: xhci: Fix memory leak in xhci_disable_slot()
https://notcve.org/view.php?id=CVE-2026-43432
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix memory leak in xhci_disable_slot() xhci_alloc_command() allocates a command structure and, when the second argument is true, also allocates a completion structure. Currently, the error handling path in xhci_disable_slot() only frees the command structure using kfree(), causing the completion structure to leak. Use xhci_free_command() instead of kfree(). xhci_free_command() correctly frees both the command structure and the as... • https://git.kernel.org/stable/c/fee8be5bde562d4f5f9a100ca80c6d7072ed34c8 •
