CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43373 – net: ncsi: fix skb leak in error paths
https://notcve.org/view.php?id=CVE-2026-43373
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ncsi: fix skb leak in error paths Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak. Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed. • https://git.kernel.org/stable/c/138635cc27c9737f940c3aa80912ff7a61c825af • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43371 – net: macb: Shuffle the tx ring before enabling tx
https://notcve.org/view.php?id=CVE-2026-43371
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: macb: Shuffle the tx ring before enabling tx Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board, the rootfs may take an extended time to recover after a suspend. Upon investigation, it was determined that the issue originates from a problem in the macb driver. According to the Zynq UltraScale TRM [1], when transmit is disabled, the transmit buffer queue pointer resets to point to the address specified by the transmi... • https://git.kernel.org/stable/c/d89b8b17057e16fad4564c71160e68ca549c1b42 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43370 – drm/amdgpu: Fix use-after-free race in VM acquire
https://notcve.org/view.php?id=CVE-2026-43370
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix use-after-free race in VM acquire Replace non-atomic vm->process_info assignment with cmpxchg() to prevent race when parent/child processes sharing a drm_file both try to acquire the same VM after fork(). (cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618) • https://git.kernel.org/stable/c/ede0dd86f45adf2b7083bb161f6bc81da5fe2bad • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43368 – drm/i915: Fix potential overflow of shmem scatterlist length
https://notcve.org/view.php?id=CVE-2026-43368
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential overflow of shmem scatterlist length When a scatterlists table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may get overflowed if total byte length of pages allocated to that single scatterlist happens to reach or cross the 4GB limit. As a consequence, users of the object may suffer from hitting unexpected, premature end of ... • https://git.kernel.org/stable/c/0b62af28f249b9c4036a05acfb053058dc02e2e2 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43366 – io_uring/kbuf: check if target buffer list is still legacy on recycle
https://notcve.org/view.php?id=CVE-2026-43366
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: check if target buffer list is still legacy on recycle There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks. • https://git.kernel.org/stable/c/c7fb19428d67dd0a2a78a4f237af01d39c78dc5a •
CVSS: 8.2EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43365 – xfs: fix undersized l_iclog_roundoff values
https://notcve.org/view.php?id=CVE-2026-43365
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: fix undersized l_iclog_roundoff values If the superblock doesn't list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors... XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. XFS (sda1): failed to l... • https://git.kernel.org/stable/c/a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43363 – x86/apic: Disable x2apic on resume if the kernel expects so
https://notcve.org/view.php?id=CVE-2026-43363
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: x86/apic: Disable x2apic on resume if the kernel expects so When resuming from s2ram, firmware may re-enable x2apic mode, which may have been disabled by the kernel during boot either because it doesn't support IRQ remapping or for other reasons. This causes the kernel to continue using the xapic interface, while the hardware is in x2apic mode, which causes hangs. This happens on defconfig + bare metal + s2ram. Fix this in lapic_resume() by... • https://git.kernel.org/stable/c/6e1cb38a2aef7680975e71f23de187859ee8b158 •
CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43362 – smb: client: fix in-place encryption corruption in SMB2_write()
https://notcve.org/view.php?id=CVE-2026-43362
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix in-place encryption corruption in SMB2_write() SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption. The corruption is most likely t... • https://git.kernel.org/stable/c/026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43361 – btrfs: fix transaction abort when snapshotting received subvolumes
https://notcve.org/view.php?id=CVE-2026-43361
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort when snapshotting received subvolumes Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol... • https://git.kernel.org/stable/c/dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43360 – btrfs: fix transaction abort on file creation due to name hash collision
https://notcve.org/view.php?id=CVE-2026-43360
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on file creation due to name hash collision If we attempt to create several files with names that result in the same hash, we have to pack them in same dir item and that has a limit inherent to the leaf size. However if we reach that limit, we trigger a transaction abort and turns the filesystem into RO mode. This allows for a malicious user to disrupt a system, without the need to have administration privileges... • https://git.kernel.org/stable/c/caae78e032343df525b8d05c58b462827f10b2a3 •