CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43411 – tipc: fix divide-by-zero in tipc_sk_filter_connect()
https://notcve.org/view.php?id=CVE-2026-43411
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: tipc: fix divide-by-zero in tipc_sk_filter_connect() A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes: delay %= (tsk->conn_timeout / 4); If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kerne... • https://git.kernel.org/stable/c/6787927475e52f6933e3affce365dabb2aa2fadf •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43409 – kprobes: avoid crash when rmmod/insmod after ftrace killed
https://notcve.org/view.php?id=CVE-2026-43409
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: kprobes: avoid crash when rmmod/insmod after ftrace killed After we hit ftrace is killed by some errors, the kernel crash if we remove modules in which kprobe probes. BUG: unable to handle page fault for address: fffffbfff805000d PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010... • https://git.kernel.org/stable/c/ae6aa16fdc163afe6b04b6c073ad4ddd4663c03b •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43407 – libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
https://notcve.org/view.php?id=CVE-2026-43407
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decremen... • https://git.kernel.org/stable/c/4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc •
CVSS: 9.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43406 – libceph: prevent potential out-of-bounds reads in process_message_header()
https://notcve.org/view.php?id=CVE-2026-43406
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header(). Perform an explicit bounds check before decoding the message header. • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43405 – libceph: Use u32 for non-negative values in ceph_monmap_decode()
https://notcve.org/view.php?id=CVE-2026-43405
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: Use u32 for non-negative values in ceph_monmap_decode() This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and... • https://git.kernel.org/stable/c/a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43397 – drm/bridge: samsung-dsim: Fix memory leak in error path
https://notcve.org/view.php?id=CVE-2026-43397
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/bridge: samsung-dsim: Fix memory leak in error path In samsung_dsim_host_attach(), drm_bridge_add() is called to add the bridge. However, if samsung_dsim_register_te_irq() or pdata->host_ops->attach() fails afterwards, the function returns without removing the bridge, causing a memory leak. Fix this by adding proper error handling with goto labels to ensure drm_bridge_remove() is called in all error paths. Also ensure that samsung_dsim_... • https://git.kernel.org/stable/c/e7447128ca4a250374d6721ee98e3e3cf99551a6 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43387 – staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
https://notcve.org/view.php?id=CVE-2026-43387
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser"), we don't trust the data in the frame so we should check the length better before acting on it • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43386 – staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
https://notcve.org/view.php?id=CVE-2026-43386
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array. • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •
CVSS: 9.4EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43383 – net/tcp-md5: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2026-43383
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/tcp-md5: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. • https://git.kernel.org/stable/c/cfb6eeb4c860592edd123fdea908d23c6ad1c7dc •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43382 – batman-adv: Avoid double-rtnl_lock ELP metric worker
https://notcve.org/view.php?id=CVE-2026-43382
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: Avoid double-rtnl_lock ELP metric worker batadv_v_elp_get_throughput() might be called when the RTNL lock is already held. This could be problematic when the work queue item is cancelled via cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, an rtnl_lock() would cause a deadlock. To avoid this, rtnl_trylock() was used in this function to skip the retrieval of the ethtool information in case the RTNL lock w... • https://git.kernel.org/stable/c/a0019971f340ae02ba54cf1861f72da7e03e6b66 •