CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43450 – netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
https://notcve.org/view.php?id=CVE-2026-43450
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassi... • https://git.kernel.org/stable/c/12f7a505331e6b2754684b509f2ac8f0011ce644 •
CVSS: -EPSS: 0%CPEs: 12EXPL: 0CVE-2026-43449 – nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
https://notcve.org/view.php?id=CVE-2026-43449
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set dev->online_queues is a count incremented in nvme_init_queue. Thus, valid indices are 0 through dev->online_queues − 1. This patch fixes the loop condition to ensure the index stays within the valid range. Index 0 is excluded because it is the admin queue. KASAN splat: ================================================================== BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free driver... • https://git.kernel.org/stable/c/0f0d2c876c96d4908a9ef40959a44bec21bdd6cf •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43448 – nvme-pci: Fix race bug in nvme_poll_irqdisable()
https://notcve.org/view.php?id=CVE-2026-43448
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix race bug in nvme_poll_irqdisable() In the following scenario, pdev can be disabled between (1) and (3) by (2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). This causes IRQ warning because it tries to enable INTx IRQ that has never been disabled before. To fix this, save IRQ number into a local variable and ensure disable_irq() and enable_irq(... • https://git.kernel.org/stable/c/fa059b856a593a7bddd4d3779ae8ab1380e05d91 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43447 – iavf: fix PTP use-after-free during reset
https://notcve.org/view.php?id=CVE-2026-43447
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash.... • https://git.kernel.org/stable/c/7c01dbfc8a1c5f8b8e4a7907ab06db1449d478d0 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43445 – e1000/e1000e: Fix leak in DMA error cleanup
https://notcve.org/view.php?id=CVE-2026-43445
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful ma... • https://git.kernel.org/stable/c/c1fa347f20f17f14a4a1575727fa24340e8a9117 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43444 – drm/amdkfd: Unreserve bo if queue update failed
https://notcve.org/view.php?id=CVE-2026-43444
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Unreserve bo if queue update failed Error handling path should unreserve bo then return failed. (cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33) • https://git.kernel.org/stable/c/305cd109b761202d71f2f655ea369fe889ba1d01 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43443 – ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
https://notcve.org/view.php?id=CVE-2026-43443
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp-mach-common: Add missing error check for clock acquisition The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions. Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding IS_ERR() checks immediately after each clock acquisition. • https://git.kernel.org/stable/c/d4c750f2c7d44b5b39e197308bc3f510205bba4b •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43441 – net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
https://notcve.org/view.php?id=CVE-2026-43441
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags... • https://git.kernel.org/stable/c/4e24be018eb9dbcefa4b01c07e298b147dc1a4d7 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43439 – cgroup: fix race between task migration and iteration
https://notcve.org/view.php?id=CVE-2026-43439
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via: list_move_tail(&task->cg_list, &cset->mg_tasks); If a css_task_iter currently has it->task_pos pointing to this task, css_set_move_task() calls css_task_iter_skip() to keep the iterator valid. However, since the task has already been moved to ->mg_tasks, the iterator... • https://git.kernel.org/stable/c/b636fd38dc40113f853337a7d2a6885ad23b8811 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43438 – sched_ext: Remove redundant css_put() in scx_cgroup_init()
https://notcve.org/view.php?id=CVE-2026-43438
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs. According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put(... • https://git.kernel.org/stable/c/8195136669661fdfe54e9a8923c33b31c92fc1da •