CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43353 – i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
https://notcve.org/view.php?id=CVE-2026-43353
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time. However, the function is not serialized and can race with itself. When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances... • https://git.kernel.org/stable/c/9ad9a52cce2828d932ae9495181e3d6414f72c07 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43352 – i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
https://notcve.org/view.php?id=CVE-2026-43352
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue The logic used to abort the DMA ring contains several flaws: 1. The driver unconditionally issues a ring abort even when the ring has already stopped. 2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior. 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts... • https://git.kernel.org/stable/c/9ad9a52cce2828d932ae9495181e3d6414f72c07 •
CVSS: 7.6EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43350 – smb: client: require a full NFS mode SID before reading mode bits
https://notcve.org/view.php?id=CVE-2026-43350
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: smb: client: require a full NFS mode SID before reading mode bits parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives t... • https://git.kernel.org/stable/c/e2f8fbfb8d09c06decde162090fac3ee220aa280 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43344 – perf/x86/intel/uncore: Fix die ID init and look up bugs
https://notcve.org/view.php?id=CVE-2026-43344
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix die ID init and look up bugs In snbep_pci2phy_map_init(), in the nr_node_ids > 8 path, uncore_device_to_die() may return -1 when all CPUs associated with the UBOX device are offline. Remove the WARN_ON_ONCE(die_id == -1) check for two reasons: - The current code breaks out of the loop. This is incorrect because pci_get_device() does not guarantee iteration in domain or bus order, so additional UBOX devices may be ... • https://git.kernel.org/stable/c/9a7832ce3d920426a36cdd78eda4b3568d4d09e3 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43343 – usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
https://notcve.org/view.php?id=CVE-2026-43343
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_subset: Fix unbalanced refcnt in geth_free geth_alloc() increments the reference count, but geth_free() fails to decrement it. This prevents the configuration of attributes via configfs after unlinking the function. Decrement the reference count in geth_free() to ensure proper cleanup. • https://git.kernel.org/stable/c/02832e56f88a981474ee4c7c141f46fc1b4454f4 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43342 – usb: gadget: f_rndis: Protect RNDIS options with mutex
https://notcve.org/view.php?id=CVE-2026-43342
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Protect RNDIS options with mutex The class/subclass/protocol options are suspectible to race conditions as they can be accessed concurrently through configfs. Use existing mutex to protect these options. This issue was identified during code inspection. • https://git.kernel.org/stable/c/73517cf49bd449122b615d2b7a6bb835f02252e5 •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43341 – net/ipv6: ioam6: prevent schema length wraparound in trace fill
https://notcve.org/view.php?id=CVE-2026-43341
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/ipv6: ioam6: prevent schema length wraparound in trace fill ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema p... • https://git.kernel.org/stable/c/8c6f6fa6772696be0c047a711858084b38763728 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43340 – comedi: Reinit dev->spinlock between attachments to low-level drivers
https://notcve.org/view.php?id=CVE-2026-43340
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: comedi: Reinit dev->spinlock between attachments to low-level drivers `struct comedi_device` is the main controlling structure for a COMEDI device created by the COMEDI subsystem. It contains a member `spinlock` containing a spin-lock that is initialized by the COMEDI subsystem, but is reserved for use by a low-level driver attached to the COMEDI device (at least since commit 25436dc9d84f ("Staging: comedi: remove RT code")). Some COMEDI de... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43339 – ipv6: prevent possible UaF in addrconf_permanent_addr()
https://notcve.org/view.php?id=CVE-2026-43339
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UaF in addrconf_permanent_addr() The mentioned helper try to warn the user about an exceptional condition, but the message is delivered too late, accessing the ipv6 after its possible deletion. Reorder the statement to avoid the possible UaF; while at it, place the warning outside the idev->lock as it needs no protection. • https://git.kernel.org/stable/c/f1705ec197e705b79ea40fe7a2cc5acfa1d3bfac •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43338 – btrfs: reserve enough transaction items for qgroup ioctls
https://notcve.org/view.php?id=CVE-2026-43338
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: reserve enough transaction items for qgroup ioctls Currently our qgroup ioctls don't reserve any space, they just do a transaction join, which does not reserve any space, neither for the quota tree updates nor for the delayed refs generated when updating the quota tree. The quota root uses the global block reserve, which is fine most of the time since we don't expect a lot of updates to the quota root, or to be too close to -ENOSPC s... • https://git.kernel.org/stable/c/5d13a37bd5327220e13329943d1228acfbe5934a •