CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43407 – libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
https://notcve.org/view.php?id=CVE-2026-43407
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decremen... • https://git.kernel.org/stable/c/4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc •
CVSS: 9.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43406 – libceph: prevent potential out-of-bounds reads in process_message_header()
https://notcve.org/view.php?id=CVE-2026-43406
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header(). Perform an explicit bounds check before decoding the message header. • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43405 – libceph: Use u32 for non-negative values in ceph_monmap_decode()
https://notcve.org/view.php?id=CVE-2026-43405
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: Use u32 for non-negative values in ceph_monmap_decode() This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and... • https://git.kernel.org/stable/c/a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43403 – nsfs: tighten permission checks for ns iteration ioctls
https://notcve.org/view.php?id=CVE-2026-43403
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for ns iteration ioctls Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. • https://git.kernel.org/stable/c/a1d220d9dafa8d76ba60a784a1016c3134e6a1e8 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43397 – drm/bridge: samsung-dsim: Fix memory leak in error path
https://notcve.org/view.php?id=CVE-2026-43397
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/bridge: samsung-dsim: Fix memory leak in error path In samsung_dsim_host_attach(), drm_bridge_add() is called to add the bridge. However, if samsung_dsim_register_te_irq() or pdata->host_ops->attach() fails afterwards, the function returns without removing the bridge, causing a memory leak. Fix this by adding proper error handling with goto labels to ensure drm_bridge_remove() is called in all error paths. Also ensure that samsung_dsim_... • https://git.kernel.org/stable/c/e7447128ca4a250374d6721ee98e3e3cf99551a6 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43395 – drm/xe/sync: Cleanup partially initialized sync on parse failure
https://notcve.org/view.php?id=CVE-2026-43395
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Cleanup partially initialized sync on parse failure xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence, or user fence) before hitting a later failure path. Several of those paths returned directly, leaving partially initialized state and leaking refs. Route these error paths through a common free_sync label and call xe_sync_entry_cleanup(sync) before returning the error. (cherry picked from commit f939bd... • https://git.kernel.org/stable/c/dd08ebf6c3525a7ea2186e636df064ea47281987 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43394 – nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
https://notcve.org/view.php?id=CVE-2026-43394
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit(). nfsd_nl_listener_set_doit() uses get_current_cred() without put_cred(). As we can see from other callers, svc_xprt_create_from_sa() does not require the extra refcount. nfsd_nl_listener_set_doit() is always in the process context, sendmsg(), and current->cred does not go away. Let's use current_cred() in nfsd_nl_listener_set_doit(). • https://git.kernel.org/stable/c/16a471177496c8e04a9793812c187a2c1a2192fa •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43393 – btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()
https://notcve.org/view.php?id=CVE-2026-43393
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() Fix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL, we're not freeing the chunk map that we've just looked up. • https://git.kernel.org/stable/c/0ae653fbec2b9fbc72c65a0c99528990bfb2136d •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43392 – sched_ext: Fix starvation of scx_enable() under fair-class saturation
https://notcve.org/view.php?id=CVE-2026-43392
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix starvation of scx_enable() under fair-class saturation During scx_enable(), the READY -> ENABLED task switching loop changes the calling thread's sched_class from fair to ext. Since fair has higher priority than ext, saturating fair-class workloads can indefinitely starve the enable thread, hanging the system. This was introduced when the enable path switched from preempt_disable() to scx_bypass() which doesn't protect agains... • https://git.kernel.org/stable/c/8c2090c504e998c8f34ec870bae71dafcc96a6e0 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43387 – staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
https://notcve.org/view.php?id=CVE-2026-43387
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser"), we don't trust the data in the frame so we should check the length better before acting on it • https://git.kernel.org/stable/c/554c0a3abf216c991c5ebddcdb2c08689ecd290b •