CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43416 – powerpc, perf: Check that current->mm is alive before getting user callchain
https://notcve.org/view.php?id=CVE-2026-43416
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current->mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current->mm, similarly to commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain"). I was getting this panic when running a profiling BPF program (profile.py from bcc-tools): [26215.051935] Kernel attempted to read user page (... • https://git.kernel.org/stable/c/20002ded4d937ca87aca6253b874920a96a763c4 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43413 – scsi: hisi_sas: Fix NULL pointer exception during user_scan()
https://notcve.org/view.php?id=CVE-2026-43413
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix NULL pointer exception during user_scan() user_scan() invokes updated sas_user_scan() for channel 0, and if successful, iteratively scans remaining channels (1 to shost->max_channel) via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans"). However, hisi_sas supports only one channel, and the current value of max_channel is 1. sas_user_scan() for channe... • https://git.kernel.org/stable/c/e21fe3a52692f554efd67957c772c702de627a3a •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43411 – tipc: fix divide-by-zero in tipc_sk_filter_connect()
https://notcve.org/view.php?id=CVE-2026-43411
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix divide-by-zero in tipc_sk_filter_connect() A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes: delay %= (tsk->conn_timeout / 4); If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kerne... • https://git.kernel.org/stable/c/6787927475e52f6933e3affce365dabb2aa2fadf •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43409 – kprobes: avoid crash when rmmod/insmod after ftrace killed
https://notcve.org/view.php?id=CVE-2026-43409
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: kprobes: avoid crash when rmmod/insmod after ftrace killed After we hit ftrace is killed by some errors, the kernel crash if we remove modules in which kprobe probes. BUG: unable to handle page fault for address: fffffbfff805000d PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010... • https://git.kernel.org/stable/c/ae6aa16fdc163afe6b04b6c073ad4ddd4663c03b •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43407 – libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
https://notcve.org/view.php?id=CVE-2026-43407
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decremen... • https://git.kernel.org/stable/c/4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43387 – staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
https://notcve.org/view.php?id=CVE-2026-43387
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser"), we don't trust the data in the frame so we should check the length better before acting on it • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43386 – staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
https://notcve.org/view.php?id=CVE-2026-43386
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array. • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: 9.4EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43383 – net/tcp-md5: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2026-43383
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/tcp-md5: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. • https://git.kernel.org/stable/c/cfb6eeb4c860592edd123fdea908d23c6ad1c7dc •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43382 – batman-adv: Avoid double-rtnl_lock ELP metric worker
https://notcve.org/view.php?id=CVE-2026-43382
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: Avoid double-rtnl_lock ELP metric worker batadv_v_elp_get_throughput() might be called when the RTNL lock is already held. This could be problematic when the work queue item is cancelled via cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, an rtnl_lock() would cause a deadlock. To avoid this, rtnl_trylock() was used in this function to skip the retrieval of the ethtool information in case the RTNL lock w... • https://git.kernel.org/stable/c/a0019971f340ae02ba54cf1861f72da7e03e6b66 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43381 – nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
https://notcve.org/view.php?id=CVE-2026-43381
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep If we have runtime suspended, and userspace wants to use /dev/drm_dp_* then just tell it the device is busy instead of crashing in the GSP code. WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) Hardware name: L... • https://git.kernel.org/stable/c/8894f4919bc43f821775db2cfff4b917871b2102 •