CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43443 – ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
https://notcve.org/view.php?id=CVE-2026-43443
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp-mach-common: Add missing error check for clock acquisition The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions. Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding IS_ERR() checks immediately after each clock acquisition. • https://git.kernel.org/stable/c/d4c750f2c7d44b5b39e197308bc3f510205bba4b •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43441 – net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
https://notcve.org/view.php?id=CVE-2026-43441
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags... • https://git.kernel.org/stable/c/4e24be018eb9dbcefa4b01c07e298b147dc1a4d7 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43439 – cgroup: fix race between task migration and iteration
https://notcve.org/view.php?id=CVE-2026-43439
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via: list_move_tail(&task->cg_list, &cset->mg_tasks); If a css_task_iter currently has it->task_pos pointing to this task, css_set_move_task() calls css_task_iter_skip() to keep the iterator valid. However, since the task has already been moved to ->mg_tasks, the iterator... • https://git.kernel.org/stable/c/b636fd38dc40113f853337a7d2a6885ad23b8811 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43438 – sched_ext: Remove redundant css_put() in scx_cgroup_init()
https://notcve.org/view.php?id=CVE-2026-43438
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs. According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put(... • https://git.kernel.org/stable/c/8195136669661fdfe54e9a8923c33b31c92fc1da •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43437 – ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
https://notcve.org/view.php?id=CVE-2026-43437
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lif... • https://git.kernel.org/stable/c/f2b3614cefb61ee6046a0aaee503ee37f227d310 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43436 – ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
https://notcve.org/view.php?id=CVE-2026-43436
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces The Scarlett2 mixer quirk in USB-audio driver may hit a NULL dereference when a malformed USB descriptor is passed, since it assumes the presence of an endpoint in the parsed interface in scarlett2_find_fc_interface(), as reported by fuzzer. For avoiding the NULL dereference, just add the sanity check of bNumEndpoints and skip the invalid interface. • https://git.kernel.org/stable/c/6c0a2078134aba6a77291554035304df9e16b85c •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43432 – usb: xhci: Fix memory leak in xhci_disable_slot()
https://notcve.org/view.php?id=CVE-2026-43432
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix memory leak in xhci_disable_slot() xhci_alloc_command() allocates a command structure and, when the second argument is true, also allocates a completion structure. Currently, the error handling path in xhci_disable_slot() only frees the command structure using kfree(), causing the completion structure to leak. Use xhci_free_command() instead of kfree(). xhci_free_command() correctly frees both the command structure and the as... • https://git.kernel.org/stable/c/fee8be5bde562d4f5f9a100ca80c6d7072ed34c8 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43430 – usb: yurex: fix race in probe
https://notcve.org/view.php?id=CVE-2026-43430
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: yurex: fix race in probe The bbu member of the descriptor must be set to the value standing for uninitialized values before the URB whose completion handler sets bbu is submitted. Otherwise there is a window during which probing can overwrite already retrieved data. • https://git.kernel.org/stable/c/6bc235a2e24a5ef677daee3fd4f74f6cd643e23c •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43429 – USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
https://notcve.org/view.php?id=CVE-2026-43429
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts The usbtmc driver accepts timeout values specified by the user in an ioctl command, and uses these timeouts for some usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable() instead to avoid the possibility of the user hanging a kernel thread indefinitely. • https://git.kernel.org/stable/c/048c6d88a0214757926f264823829e79154fcd4f •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43428 – USB: core: Limit the length of unkillable synchronous timeouts
https://notcve.org/view.php?id=CVE-2026-43428
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: USB: core: Limit the length of unkillable synchronous timeouts The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device. To prevent this sort of problem, enforce a maximum limit on the length of these u... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •