CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43448 – nvme-pci: Fix race bug in nvme_poll_irqdisable()
https://notcve.org/view.php?id=CVE-2026-43448
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix race bug in nvme_poll_irqdisable() In the following scenario, pdev can be disabled between (1) and (3) by (2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). This causes IRQ warning because it tries to enable INTx IRQ that has never been disabled before. To fix this, save IRQ number into a local variable and ensure disable_irq() and enable_irq(... • https://git.kernel.org/stable/c/fa059b856a593a7bddd4d3779ae8ab1380e05d91 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43447 – iavf: fix PTP use-after-free during reset
https://notcve.org/view.php?id=CVE-2026-43447
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash.... • https://git.kernel.org/stable/c/7c01dbfc8a1c5f8b8e4a7907ab06db1449d478d0 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43445 – e1000/e1000e: Fix leak in DMA error cleanup
https://notcve.org/view.php?id=CVE-2026-43445
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful ma... • https://git.kernel.org/stable/c/c1fa347f20f17f14a4a1575727fa24340e8a9117 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43444 – drm/amdkfd: Unreserve bo if queue update failed
https://notcve.org/view.php?id=CVE-2026-43444
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Unreserve bo if queue update failed Error handling path should unreserve bo then return failed. (cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33) • https://git.kernel.org/stable/c/305cd109b761202d71f2f655ea369fe889ba1d01 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43443 – ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
https://notcve.org/view.php?id=CVE-2026-43443
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp-mach-common: Add missing error check for clock acquisition The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions. Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding IS_ERR() checks immediately after each clock acquisition. • https://git.kernel.org/stable/c/d4c750f2c7d44b5b39e197308bc3f510205bba4b •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43441 – net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
https://notcve.org/view.php?id=CVE-2026-43441
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags... • https://git.kernel.org/stable/c/4e24be018eb9dbcefa4b01c07e298b147dc1a4d7 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43439 – cgroup: fix race between task migration and iteration
https://notcve.org/view.php?id=CVE-2026-43439
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via: list_move_tail(&task->cg_list, &cset->mg_tasks); If a css_task_iter currently has it->task_pos pointing to this task, css_set_move_task() calls css_task_iter_skip() to keep the iterator valid. However, since the task has already been moved to ->mg_tasks, the iterator... • https://git.kernel.org/stable/c/b636fd38dc40113f853337a7d2a6885ad23b8811 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43438 – sched_ext: Remove redundant css_put() in scx_cgroup_init()
https://notcve.org/view.php?id=CVE-2026-43438
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs. According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put(... • https://git.kernel.org/stable/c/8195136669661fdfe54e9a8923c33b31c92fc1da •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43437 – ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
https://notcve.org/view.php?id=CVE-2026-43437
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lif... • https://git.kernel.org/stable/c/f2b3614cefb61ee6046a0aaee503ee37f227d310 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43436 – ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
https://notcve.org/view.php?id=CVE-2026-43436
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces The Scarlett2 mixer quirk in USB-audio driver may hit a NULL dereference when a malformed USB descriptor is passed, since it assumes the presence of an endpoint in the parsed interface in scarlett2_find_fc_interface(), as reported by fuzzer. For avoiding the NULL dereference, just add the sanity check of bNumEndpoints and skip the invalid interface. • https://git.kernel.org/stable/c/6c0a2078134aba6a77291554035304df9e16b85c •