CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43334 – Bluetooth: SMP: force responder MITM requirements before building the pairing response
https://notcve.org/view.php?id=CVE-2026-43334
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: force responder MITM requirements before building the pairing response smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making metho... • https://git.kernel.org/stable/c/2b64d153a0cc9d2b60e47be013cde8490f16e0a5 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43328 – cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
https://notcve.org/view.php?id=CVE-2026-43328
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->ini... • https://git.kernel.org/stable/c/4ebe36c94aed95de71a8ce6a6762226d31c938ee •
CVSS: -EPSS: 0%CPEs: 14EXPL: 0CVE-2026-43327 – USB: dummy-hcd: Fix locking/synchronization error
https://notcve.org/view.php?id=CVE-2026-43327
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix locking/synchronization error Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were ... • https://git.kernel.org/stable/c/7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43316 – media: solo6x10: Check for out of bounds chip_id
https://notcve.org/view.php?id=CVE-2026-43316
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: solo6x10: Check for out of bounds chip_id Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type (literal "1" is an "int") could end up being shifted beyond 32 bits, so instrumentation was added (and due to the double is_tw286x() call seen via inlining), Clang decides the second one must now be undefined behavior and elides the rest of the function[1]. This is a known problem with Clang (that is still being worked on... • https://git.kernel.org/stable/c/faa4fd2a09517b39cc1f5d622453f97a59acfdac •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43314 – dm: remove fake timeout to avoid leak request
https://notcve.org/view.php?id=CVE-2026-43314
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: dm: remove fake timeout to avoid leak request Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities. However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices. If an io-timeout-fail error is injected to a dm device, the request will be... • https://git.kernel.org/stable/c/e6ee8c0b767540f59e20da3ced282601db8aa502 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43313 – ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()
https://notcve.org/view.php?id=CVE-2026-43313
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4() In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE device and then reassigned an ISA device: dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...); dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...); If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2026-43309 – md raid: fix hang when stopping arrays with metadata through dm-raid
https://notcve.org/view.php?id=CVE-2026-43309
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: md raid: fix hang when stopping arrays with metadata through dm-raid When using device-mapper's dm-raid target, stopping a RAID array can cause the system to hang under specific conditions. This occurs when: - A dm-raid managed device tree is suspended from top to bottom (the top-level RAID device is suspended first, followed by its underlying metadata and data devices) - The top-level RAID device is then removed Removing the top-level devi... • https://git.kernel.org/stable/c/0dd84b319352bb8ba64752d4e45396d8b13e6018 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43308 – btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref()
https://notcve.org/view.php?id=CVE-2026-43308
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref() There is no need to BUG(), we can just return an error and log an error message. • https://git.kernel.org/stable/c/5d4f98a28c7d334091c1b7744f48a1acdd2a4ae0 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43302 – drm/v3d: Set DMA segment size to avoid debug warnings
https://notcve.org/view.php?id=CVE-2026-43302
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Set DMA segment size to avoid debug warnings When using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the kernel occasionally reports a segment size mismatch. This is because 'max_seg_size' is not set. The kernel defaults to 64K. setting 'max_seg_size' to the maximum will prevent 'debug_dma_map_sg()' from complaining about the over-mapping of the V3D segment length. DMA-API: v3d 1002000000.v3d: mapping sg segment longer than dev... • https://git.kernel.org/stable/c/57692c94dcbe99a1e0444409a3da13fb3443562c • CWE-131: Incorrect Calculation of Buffer Size •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43299 – btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure()
https://notcve.org/view.php?id=CVE-2026-43299
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure() [BUG] There is a bug report that when btrfs hits ENOSPC error in a critical path, btrfs flips RO (this part is expected, although the ENOSPC bug still needs to be addressed). The problem is after the RO flip, if there is a read repair pending, we can hit the ASSERT() inside btrfs_repair_io_failure() like the following: BTRFS info (device vdc): relocating block grou... • https://git.kernel.org/stable/c/908960c6c0fb3b3ce3971dc0ca47b581d256b968 •