CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43425 – usb: image: mdc800: kill download URB on timeout
https://notcve.org/view.php?id=CVE-2026-43425
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: image: mdc800: kill download URB on timeout mdc800_device_read() submits download_urb and waits for completion. If the timeout fires and the device has not responded, the function returns without killing the URB, leaving it active. A subsequent read() resubmits the same URB while it is still in-flight, triggering the WARN in usb_submit_urb(): "URB submitted while active" Check the return value of wait_event_timeout() and kill the URB i... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43424 – usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
https://notcve.org/view.php?id=CVE-2026-43424
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped. Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately... • https://git.kernel.org/stable/c/c52661d60f636d17e26ad834457db333bd1df494 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43421 – usb: gadget: f_ncm: Fix net_device lifecycle with device_move
https://notcve.org/view.php?id=CVE-2026-43421
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix net_device lifecycle with device_move The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems. A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression. A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mappin... • https://git.kernel.org/stable/c/40d133d7f542616cf9538508a372306e626a16e9 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43420 – ceph: fix i_nlink underrun during async unlink
https://notcve.org/view.php?id=CVE-2026-43420
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix i_nlink underrun during async unlink During async unlink, we drop the `i_nlink` counter before we receive the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one: WARNING: CPU: 85 PID: 25093 at fs/in... • https://git.kernel.org/stable/c/2ccb45462aeaf0831397b90d31d3d50a7704fa1f •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43419 – ceph: fix memory leaks in ceph_mdsc_build_path()
https://notcve.org/view.php?id=CVE-2026-43419
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix memory leaks in ceph_mdsc_build_path() Add __putname() calls to error code paths that did not free the "path" pointer obtained by __getname(). If ownership of this pointer is not passed to the caller via path_info.path, the function must free it before returning. • https://git.kernel.org/stable/c/3fd945a79e147ee10f84213976889b29049c3519 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43416 – powerpc, perf: Check that current->mm is alive before getting user callchain
https://notcve.org/view.php?id=CVE-2026-43416
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current->mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current->mm, similarly to commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain"). I was getting this panic when running a profiling BPF program (profile.py from bcc-tools): [26215.051935] Kernel attempted to read user page (... • https://git.kernel.org/stable/c/20002ded4d937ca87aca6253b874920a96a763c4 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43413 – scsi: hisi_sas: Fix NULL pointer exception during user_scan()
https://notcve.org/view.php?id=CVE-2026-43413
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix NULL pointer exception during user_scan() user_scan() invokes updated sas_user_scan() for channel 0, and if successful, iteratively scans remaining channels (1 to shost->max_channel) via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans"). However, hisi_sas supports only one channel, and the current value of max_channel is 1. sas_user_scan() for channe... • https://git.kernel.org/stable/c/e21fe3a52692f554efd67957c772c702de627a3a •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43411 – tipc: fix divide-by-zero in tipc_sk_filter_connect()
https://notcve.org/view.php?id=CVE-2026-43411
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix divide-by-zero in tipc_sk_filter_connect() A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes: delay %= (tsk->conn_timeout / 4); If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kerne... • https://git.kernel.org/stable/c/6787927475e52f6933e3affce365dabb2aa2fadf •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43409 – kprobes: avoid crash when rmmod/insmod after ftrace killed
https://notcve.org/view.php?id=CVE-2026-43409
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: kprobes: avoid crash when rmmod/insmod after ftrace killed After we hit ftrace is killed by some errors, the kernel crash if we remove modules in which kprobe probes. BUG: unable to handle page fault for address: fffffbfff805000d PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010... • https://git.kernel.org/stable/c/ae6aa16fdc163afe6b04b6c073ad4ddd4663c03b •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43407 – libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
https://notcve.org/view.php?id=CVE-2026-43407
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decremen... • https://git.kernel.org/stable/c/4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc •