CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43470 – nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
https://notcve.org/view.php?id=CVE-2026-43470
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir If we found an alias through nfs3_do_create/nfs_add_or_obtain /d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative. This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open. This has been o... • https://git.kernel.org/stable/c/7c6c5249f061b64fc6b5b90bc147169a048691bf •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43469 – xprtrdma: Decrement re_receiving on the early exit paths
https://notcve.org/view.php?id=CVE-2026-43469
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Decrement re_receiving on the early exit paths In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receiving before returning. Otherwise we will hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and the completion will never be triggered. On a system with high memory pressure, this can appear as the follo... • https://git.kernel.org/stable/c/15788d1d1077ebe029c48842c738876516d85076 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43468 – net/mlx5: Fix deadlock between devlink lock and esw->wq
https://notcve.org/view.php?id=CVE-2026-43468
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix deadlock between devlink lock and esw->wq esw->work_queue executes esw_functions_changed_event_handler -> esw_vfs_changed_event_handler and acquires the devlink lock. .eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks when esw_vfs_changed_event_handler executes. Fix that by no long... • https://git.kernel.org/stable/c/f1bc646c9a06f09aad5d8bacb87103b5573ee45e •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43467 – net/mlx5: Fix crash when moving to switchdev mode
https://notcve.org/view.php?id=CVE-2026-43467
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix crash when moving to switchdev mode When moving to switchdev mode when the device doesn't support IPsec, we try to clean up the IPsec resources anyway which causes the crash below, fix that by correctly checking for IPsec support before trying to clean up its resources. [27642.515799] WARNING: arch/x86/mm/fault.c:1276 at do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490 [27642.517159] Modules linked in: xt_conntrack xt_MASQU... • https://git.kernel.org/stable/c/7e212cebc863c2c7a82f480446cd731721451691 •
CVSS: 8.2EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43466 – net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
https://notcve.org/view.php?id=CVE-2026-43466
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer. After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery. The DMA FIFO is a purely s... • https://git.kernel.org/stable/c/db75373c91b0cfb6a68ad6ae88721e4e21ae6261 •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43465 – net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
https://notcve.org/view.php?id=CVE-2026-43465
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on th... • https://git.kernel.org/stable/c/87bcef158ac1faca1bd7e0104588e8e2956d10be •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43464 – net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
https://notcve.org/view.php?id=CVE-2026-43464
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the ... • https://git.kernel.org/stable/c/afd5ba577c10639f62e8120df67dc70ea4b61176 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43463 – rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()
https://notcve.org/view.php?id=CVE-2026-43463
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer() rxrpc_kernel_lookup_peer() can also return error pointers in addition to NULL, so just checking for NULL is not sufficient. Fix this by: (1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL on allocation failure. (2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the error code returned. • https://git.kernel.org/stable/c/72904d7b9bfbf2dd146254edea93958bc35bbbfe •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43460 – spi: rockchip-sfc: Fix double-free in remove() callback
https://notcve.org/view.php?id=CVE-2026-43460
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: spi: rockchip-sfc: Fix double-free in remove() callback The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free. And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe(). • https://git.kernel.org/stable/c/8011709906d0d6ff1ba9589de5a906bf6e430782 •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43459 – ASoC: soc-core: flush delayed work before removing DAIs and widgets
https://notcve.org/view.php?id=CVE-2026-43459
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM clo... • https://git.kernel.org/stable/c/e894efef9ac7c10b7727798dcc711cccf07569f9 •