CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43419 – ceph: fix memory leaks in ceph_mdsc_build_path()
https://notcve.org/view.php?id=CVE-2026-43419
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix memory leaks in ceph_mdsc_build_path() Add __putname() calls to error code paths that did not free the "path" pointer obtained by __getname(). If ownership of this pointer is not passed to the caller via path_info.path, the function must free it before returning. • https://git.kernel.org/stable/c/3fd945a79e147ee10f84213976889b29049c3519 •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2026-43416 – powerpc, perf: Check that current->mm is alive before getting user callchain
https://notcve.org/view.php?id=CVE-2026-43416
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current->mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current->mm, similarly to commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain"). I was getting this panic when running a profiling BPF program (profile.py from bcc-tools): [26215.051935] Kernel attempted to read user page (... • https://git.kernel.org/stable/c/20002ded4d937ca87aca6253b874920a96a763c4 •
CVSS: 9.8 | EPSS: 0% | CPEs: 12 | EXPL: 0 | CVE-2026-43414 – scsi: qla2xxx: Completely fix fcport double free
https://notcve.org/view.php?id=CVE-2026-43414
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea. • https://git.kernel.org/stable/c/4895009c4bb72f71f2e682f1e7d2c2d96e482087 •
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-43413 – scsi: hisi_sas: Fix NULL pointer exception during user_scan()
https://notcve.org/view.php?id=CVE-2026-43413
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix NULL pointer exception during user_scan() user_scan() invokes updated sas_user_scan() for channel 0, and if successful, iteratively scans remaining channels (1 to shost->max_channel) via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans"). However, hisi_sas supports only one channel, and the current value of max_channel is 1. sas_user_scan() for channe... • https://git.kernel.org/stable/c/e21fe3a52692f554efd67957c772c702de627a3a •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-43412 – ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
https://notcve.org/view.php?id=CVE-2026-43412
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start During ADSP stop and start, the kernel crashes due to the order in which ASoC components are removed. On ADSP stop, the q6apm-audio .remove callback unloads topology and removes PCM runtimes during ASoC teardown. This deletes the RTDs that contain the q6apm DAI components before their removal pass runs, leaving those components still linked to the card and causing crash... • https://git.kernel.org/stable/c/5477518b8a0e8a45239646acd80c9bafc4401522 •
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43411 – tipc: fix divide-by-zero in tipc_sk_filter_connect()
https://notcve.org/view.php?id=CVE-2026-43411
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix divide-by-zero in tipc_sk_filter_connect() A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes: delay %= (tsk->conn_timeout / 4); If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kerne... • https://git.kernel.org/stable/c/6787927475e52f6933e3affce365dabb2aa2fadf •
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2026-43409 – kprobes: avoid crash when rmmod/insmod after ftrace killed
https://notcve.org/view.php?id=CVE-2026-43409
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: kprobes: avoid crash when rmmod/insmod after ftrace killed After ftrace is killed by some errors, the kernel crashes if we remove modules in which kprobe probes. BUG: unable to handle page fault for address: fffffbfff805000d PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010... • https://git.kernel.org/stable/c/ae6aa16fdc163afe6b04b6c073ad4ddd4663c03b •
CVSS: 9.1 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2026-43407 – libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
https://notcve.org/view.php?id=CVE-2026-43407
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decremen... • https://git.kernel.org/stable/c/4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc •
CVSS: 9.1 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2026-43406 – libceph: prevent potential out-of-bounds reads in process_message_header()
https://notcve.org/view.php?id=CVE-2026-43406
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header(). Perform an explicit bounds check before decoding the message header. • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 7.5 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2026-43405 – libceph: Use u32 for non-negative values in ceph_monmap_decode()
https://notcve.org/view.php?id=CVE-2026-43405
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: Use u32 for non-negative values in ceph_monmap_decode() This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and... • https://git.kernel.org/stable/c/a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c •
