CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43442 – io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
https://notcve.org/view.php?id=CVE-2026-43442
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE operations in io_init_req() validated the logical SQ head position rather than the physical SQE index. The existing check: !(ctx->cached_sq_head & (ctx->sq_entries - 1)) ensures the logical position isn't at the end of the ring, which is correct for NO_SQARRAY rings where... • https://git.kernel.org/stable/c/1cba30bf9fdd6c982708f3587f609a30c370d889 •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43441 – net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
https://notcve.org/view.php?id=CVE-2026-43441
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags... • https://git.kernel.org/stable/c/4e24be018eb9dbcefa4b01c07e298b147dc1a4d7 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43440 – net/mana: Null service_wq on setup error to prevent double destroy
https://notcve.org/view.php?id=CVE-2026-43440
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mana: Null service_wq on setup error to prevent double destroy In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the cleanup in mana_gd_cleanup(). This prevents a use-after-free if the workqueue pointer is checked after a failed setup. • https://git.kernel.org/stable/c/fa3c2f8d9152344a478abb847081c1b5f84a94f5 •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43439 – cgroup: fix race between task migration and iteration
https://notcve.org/view.php?id=CVE-2026-43439
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via: list_move_tail(&task->cg_list, &cset->mg_tasks); If a css_task_iter currently has it->task_pos pointing to this task, css_set_move_task() calls css_task_iter_skip() to keep the iterator valid. However, since the task has already been moved to ->mg_tasks, the iterator... • https://git.kernel.org/stable/c/b636fd38dc40113f853337a7d2a6885ad23b8811 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43438 – sched_ext: Remove redundant css_put() in scx_cgroup_init()
https://notcve.org/view.php?id=CVE-2026-43438
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs. According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put(... • https://git.kernel.org/stable/c/8195136669661fdfe54e9a8923c33b31c92fc1da •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43437 – ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
https://notcve.org/view.php?id=CVE-2026-43437
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lif... • https://git.kernel.org/stable/c/f2b3614cefb61ee6046a0aaee503ee37f227d310 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43436 – ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
https://notcve.org/view.php?id=CVE-2026-43436
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces The Scarlett2 mixer quirk in USB-audio driver may hit a NULL dereference when a malformed USB descriptor is passed, since it assumes the presence of an endpoint in the parsed interface in scarlett2_find_fc_interface(), as reported by fuzzer. For avoiding the NULL dereference, just add the sanity check of bNumEndpoints and skip the invalid interface. • https://git.kernel.org/stable/c/6c0a2078134aba6a77291554035304df9e16b85c •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43435 – rust_binder: fix oneway spam detection
https://notcve.org/view.php?id=CVE-2026-43435
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix oneway spam detection The spam detection logic in TreeRange was executed before the current request was inserted into the tree. So the new request was not being factored in the spam calculation. Fix this by moving the logic after the new range has been inserted. Also, the detection logic for ArrayRange was missing altogether which meant large spamming transactions could get away without being detected. Fix this by implement... • https://git.kernel.org/stable/c/eafedbc7c050c44744fbdf80bdf3315e860b7513 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43434 – rust_binder: check ownership before using vma
https://notcve.org/view.php?id=CVE-2026-43434
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: rust_binder: check ownership before using vma When installing missing pages (or zapping them), Rust Binder will look up the vma in the mm by address, and then call vm_insert_page (or zap_page_range_single). However, if the vma is closed and replaced with a different vma at the same address, this can lead to Rust Binder installing pages into the wrong vma. By installing the page into a writable vma, it becomes possible to write to your own b... • https://git.kernel.org/stable/c/eafedbc7c050c44744fbdf80bdf3315e860b7513 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43433 – rust_binder: avoid reading the written value in offsets array
https://notcve.org/view.php?id=CVE-2026-43433
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: rust_binder: avoid reading the written value in offsets array When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us. However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it's read ba... • https://git.kernel.org/stable/c/eafedbc7c050c44744fbdf80bdf3315e860b7513 •