CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43422 – usb: legacy: ncm: Fix NPE in gncm_bind
https://notcve.org/view.php?id=CVE-2026-43422
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fix NPE in gncm_bind Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") deferred the allocation of the net_device. This change leads to a NULL pointer dereference in the legacy NCM driver as it attempts to access the net_device before it's fully instantiated. Store the provided qmult, host_addr, and dev_addr into the struct ncm_opts->net_opts during gncm_bind(). These values will be pro... • https://git.kernel.org/stable/c/b62076e780a2121903ecf9ffdfb89c64647cb7da •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43421 – usb: gadget: f_ncm: Fix net_device lifecycle with device_move
https://notcve.org/view.php?id=CVE-2026-43421
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix net_device lifecycle with device_move The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems. A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression. A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mappin... • https://git.kernel.org/stable/c/40d133d7f542616cf9538508a372306e626a16e9 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43420 – ceph: fix i_nlink underrun during async unlink
https://notcve.org/view.php?id=CVE-2026-43420
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix i_nlink underrun during async unlink During async unlink, we drop the `i_nlink` counter before we receive the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one: WARNING: CPU: 85 PID: 25093 at fs/in... • https://git.kernel.org/stable/c/2ccb45462aeaf0831397b90d31d3d50a7704fa1f •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43419 – ceph: fix memory leaks in ceph_mdsc_build_path()
https://notcve.org/view.php?id=CVE-2026-43419
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix memory leaks in ceph_mdsc_build_path() Add __putname() calls to error code paths that did not free the "path" pointer obtained by __getname(). If ownership of this pointer is not passed to the caller via path_info.path, the function must free it before returning. • https://git.kernel.org/stable/c/3fd945a79e147ee10f84213976889b29049c3519 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43418 – sched/mmcid: Prevent CID stalls due to concurrent forks
https://notcve.org/view.php?id=CVE-2026-43418
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Prevent CID stalls due to concurrent forks A newly forked task is accounted as MMCID user before the task is visible in the process' thread list and the global task list. This creates the following problem: CPU1 CPU2 fork() sched_mm_cid_fork(tnew1) tnew1->mm.mm_cid_users++; tnew1->mm_cid.cid = getcid() -> preemption fork() sched_mm_cid_fork(tnew2) tnew2->mm.mm_cid_users++; // Reaches the per CPU threshold mm_cid_fixup_tasks_to_... • https://git.kernel.org/stable/c/fbd0e71dc370af73f6b316e4de9eed273dd90340 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43417 – sched/mmcid: Handle vfork()/CLONE_VM correctly
https://notcve.org/view.php?id=CVE-2026-43417
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Handle vfork()/CLONE_VM correctly Matthieu and Jiri reported stalls where a task endlessly loops in mm_get_cid() when scheduling in. It turned out that the logic which handles vfork()'ed tasks is broken. It is invoked when the number of tasks associated to a process is smaller than the number of MMCID users. It then walks the task list to find the vfork()'ed task, but accounts all the already processed tasks as well. If that do... • https://git.kernel.org/stable/c/fbd0e71dc370af73f6b316e4de9eed273dd90340 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2026-43416 – powerpc, perf: Check that current->mm is alive before getting user callchain
https://notcve.org/view.php?id=CVE-2026-43416
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current->mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current->mm, similarly to commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain"). I was getting this panic when running a profiling BPF program (profile.py from bcc-tools): [26215.051935] Kernel attempted to read user page (... • https://git.kernel.org/stable/c/20002ded4d937ca87aca6253b874920a96a763c4 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43415 – scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
https://notcve.org/view.php?id=CVE-2026-43415
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always t... • https://git.kernel.org/stable/c/06701a545e9a3c4e007cff6872a074bf97c40619 •
CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 0CVE-2026-43414 – scsi: qla2xxx: Completely fix fcport double free
https://notcve.org/view.php?id=CVE-2026-43414
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea. • https://git.kernel.org/stable/c/4895009c4bb72f71f2e682f1e7d2c2d96e482087 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43413 – scsi: hisi_sas: Fix NULL pointer exception during user_scan()
https://notcve.org/view.php?id=CVE-2026-43413
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix NULL pointer exception during user_scan() user_scan() invokes updated sas_user_scan() for channel 0, and if successful, iteratively scans remaining channels (1 to shost->max_channel) via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans"). However, hisi_sas supports only one channel, and the current value of max_channel is 1. sas_user_scan() for channe... • https://git.kernel.org/stable/c/e21fe3a52692f554efd67957c772c702de627a3a •