CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-43456 – bonding: fix type confusion in bond_setup_by_slave()
https://notcve.org/view.php?id=CVE-2026-43456
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R... • https://git.kernel.org/stable/c/1284cd3a2b740d0118458d2ea470a1e5bc19b187 •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-43455 – mctp: route: hold key->lock in mctp_flow_prepare_output()
https://notcve.org/view.php?id=CVE-2026-43455
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: mctp: route: hold key->lock in mctp_flow_prepare_output() mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key(), but it does not hold key->lock while doing so. mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), so key->dev access is intended to be serialized by key->lock. The mctp_sendmsg() transmit path reaches mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output(... • https://git.kernel.org/stable/c/67737c457281dd199ceb9e31b6ba7efd3bfe566d •
CVSS: 7.8 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-43454 – netfilter: nf_tables: Fix for duplicate device in netdev hooks
https://notcve.org/view.php?id=CVE-2026-43454
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix for duplicate device in netdev hooks When handling NETDEV_REGISTER notification, duplicate device registration must be avoided since the device may have been added by nft_netdev_hook_alloc() already when creating the hook. • https://git.kernel.org/stable/c/a331b78a552551d0e404e58e6390b1c828d6af8f •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43453 – netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
https://notcve.org/view.php?id=CVE-2026-43453
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16). Although pipapo_unmap() returns early when is_last is true with... • https://git.kernel.org/stable/c/3c4287f62044a90e73a561aa05fc46e62da173da •
CVSS: 8.2 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43452 – netfilter: x_tables: guard option walkers against 1-byte tail reads
https://notcve.org/view.php?id=CVE-2026-43452
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: guard option walkers against 1-byte tail reads When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. • https://git.kernel.org/stable/c/2e4e6a17af35be359cc8f1c924f8f198fbd478cc •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43451 – netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
https://notcve.org/view.php?id=CVE-2026-43451
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeue... • https://git.kernel.org/stable/c/8d45ff22f1b43249f0cf1baafe0262ca10d1666e •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43450 – netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
https://notcve.org/view.php?id=CVE-2026-43450
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassi... • https://git.kernel.org/stable/c/12f7a505331e6b2754684b509f2ac8f0011ce644 •
CVSS: - | EPSS: 0% | CPEs: 12 | EXPL: 0
CVE-2026-43449 – nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
https://notcve.org/view.php?id=CVE-2026-43449
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set dev->online_queues is a count incremented in nvme_init_queue. Thus, valid indices are 0 through dev->online_queues − 1. This patch fixes the loop condition to ensure the index stays within the valid range. Index 0 is excluded because it is the admin queue. KASAN splat: ================================================================== BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free driver... • https://git.kernel.org/stable/c/0f0d2c876c96d4908a9ef40959a44bec21bdd6cf •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2026-43448 – nvme-pci: Fix race bug in nvme_poll_irqdisable()
https://notcve.org/view.php?id=CVE-2026-43448
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix race bug in nvme_poll_irqdisable() In the following scenario, pdev can be disabled between (1) and (3) by (2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). This causes IRQ warning because it tries to enable INTx IRQ that has never been disabled before. To fix this, save IRQ number into a local variable and ensure disable_irq() and enable_irq(... • https://git.kernel.org/stable/c/fa059b856a593a7bddd4d3779ae8ab1380e05d91 •
CVSS: 7.8 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2026-43447 – iavf: fix PTP use-after-free during reset
https://notcve.org/view.php?id=CVE-2026-43447
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash.... • https://git.kernel.org/stable/c/7c01dbfc8a1c5f8b8e4a7907ab06db1449d478d0 •
