CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-43409 – kprobes: avoid crash when rmmod/insmod after ftrace killed
https://notcve.org/view.php?id=CVE-2026-43409
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

kprobes: avoid crash when rmmod/insmod after ftrace killed

After ftrace is killed by some errors, the kernel crashes if we remove modules in which kprobe probes.

    BUG: unable to handle page fault for address: fffffbfff805000d
    PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0
    Oops: Oops: 0000 [#1] SMP KASAN PTI
    CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE
    Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
    RIP: 0010...

• https://git.kernel.org/stable/c/ae6aa16fdc163afe6b04b6c073ad4ddd4663c03b

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-43408 – ceph: add a bunch of missing ceph_path_info initializers
https://notcve.org/view.php?id=CVE-2026-43408
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

ceph: add a bunch of missing ceph_path_info initializers

ceph_mdsc_build_path() must be called with a zero-initialized ceph_path_info parameter, or else the following ceph_mdsc_free_path_info() may crash.

Example crash (on Linux 6.18.12):

    virt_to_cache: Object is not a Slab page!
    WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400
    [...]
    Call Trace:
    [...]
    ceph_open+0x13d/0x3e0
    do_dentry_open+0x134/0x480
    vfs_open+0x2a...

• https://git.kernel.org/stable/c/db378e6f83ec705c6091c65d482d555edc2b0a72

CVSS: 9.1 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43407 – libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
https://notcve.org/view.php?id=CVE-2026-43407
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()

This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decremen...

• https://git.kernel.org/stable/c/4e7a5dcd1bbab6560fbc8ada29a840e7a20ed7bc

CVSS: 9.1 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-43406 – libceph: prevent potential out-of-bounds reads in process_message_header()
https://notcve.org/view.php?id=CVE-2026-43406
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

libceph: prevent potential out-of-bounds reads in process_message_header()

If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header(). Perform an explicit bounds check before decoding the message header.

• https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31

CVSS: 7.5 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-43405 – libceph: Use u32 for non-negative values in ceph_monmap_decode()
https://notcve.org/view.php?id=CVE-2026-43405
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

libceph: Use u32 for non-negative values in ceph_monmap_decode()

This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and...

• https://git.kernel.org/stable/c/a5cbd5fc22d5043a8a76e15d75d031fe24d1f69c

CVSS: 8.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-43403 – nsfs: tighten permission checks for ns iteration ioctls
https://notcve.org/view.php?id=CVE-2026-43403
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

nsfs: tighten permission checks for ns iteration ioctls

Even privileged services should not necessarily be able to see other privileged services' namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts.

• https://git.kernel.org/stable/c/a1d220d9dafa8d76ba60a784a1016c3134e6a1e8

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2026-43397 – drm/bridge: samsung-dsim: Fix memory leak in error path
https://notcve.org/view.php?id=CVE-2026-43397
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

drm/bridge: samsung-dsim: Fix memory leak in error path

In samsung_dsim_host_attach(), drm_bridge_add() is called to add the bridge. However, if samsung_dsim_register_te_irq() or pdata->host_ops->attach() fails afterwards, the function returns without removing the bridge, causing a memory leak. Fix this by adding proper error handling with goto labels to ensure drm_bridge_remove() is called in all error paths. Also ensure that samsung_dsim_...

• https://git.kernel.org/stable/c/e7447128ca4a250374d6721ee98e3e3cf99551a6

CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-43395 – drm/xe/sync: Cleanup partially initialized sync on parse failure
https://notcve.org/view.php?id=CVE-2026-43395
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

drm/xe/sync: Cleanup partially initialized sync on parse failure

xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence, or user fence) before hitting a later failure path. Several of those paths returned directly, leaving partially initialized state and leaking refs. Route these error paths through a common free_sync label and call xe_sync_entry_cleanup(sync) before returning the error. (cherry picked from commit f939bd...

• https://git.kernel.org/stable/c/dd08ebf6c3525a7ea2186e636df064ea47281987

CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-43394 – nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
https://notcve.org/view.php?id=CVE-2026-43394
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().

nfsd_nl_listener_set_doit() uses get_current_cred() without put_cred(). As we can see from other callers, svc_xprt_create_from_sa() does not require the extra refcount. nfsd_nl_listener_set_doit() is always in the process context, sendmsg(), and current->cred does not go away. Let's use current_cred() in nfsd_nl_listener_set_doit().

• https://git.kernel.org/stable/c/16a471177496c8e04a9793812c187a2c1a2192fa

CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-43393 – btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()
https://notcve.org/view.php?id=CVE-2026-43393
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()

Fix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL, we're not freeing the chunk map that we've just looked up.

• https://git.kernel.org/stable/c/0ae653fbec2b9fbc72c65a0c99528990bfb2136d
