CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43315 – KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding
https://notcve.org/view.php?id=CVE-2026-43315
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding Drop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failing as it is trivially easy to trigger from userspace by modifying CPUID after loading CR3. E.g. modifying the state restoration selftest like so: --- tools/testing/selftests/kvm/x86/state_test.c +++ tools/testing/selftests/kvm/x86/state_test.c @@ -280,7 +280,16 @@ int main(int argc, char *argv[]... • https://git.kernel.org/stable/c/b222b0b88162bdef4eceb12a79d5edbbdb23dbfd •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43314 – dm: remove fake timeout to avoid leak request
https://notcve.org/view.php?id=CVE-2026-43314
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: dm: remove fake timeout to avoid leak request Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities. However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices. If an io-timeout-fail error is injected to a dm device, the request will be... • https://git.kernel.org/stable/c/e6ee8c0b767540f59e20da3ced282601db8aa502 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43313 – ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()
https://notcve.org/view.php?id=CVE-2026-43313
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4() In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE device and then reassigned an ISA device: dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...); dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...); If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43312 – media: i2c: ov5647: Initialize subdev before controls
https://notcve.org/view.php?id=CVE-2026-43312
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Initialize subdev before controls In ov5647_init_controls() we call v4l2_get_subdevdata, but it is initialized by v4l2_i2c_subdev_init() in the probe, which currently happens after init_controls(). This can result in a segfault if the error condition is hit, and we try to access i2c_client, so fix the order. • https://git.kernel.org/stable/c/4974c2f19fd810ec9a4e534bfc69e176256b7a03 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43310 – media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC
https://notcve.org/view.php?id=CVE-2026-43310
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC For the i.MX8MQ platform, there is a hardware limitation: the g1 VPU and g2 VPU cannot decode simultaneously; otherwise, it will cause below bus error and produce corrupted pictures, even potentially lead to system hang. [ 110.527986] hantro-vpu 38310000.video-codec: frame decode timed out. [ 110.583517] hantro-vpu 38310000.video-codec: bus error detected. Therefore, it is... • https://git.kernel.org/stable/c/cb5dd5a0fa518dff14ff2b90837c3c8f98f4dd5c •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2026-43309 – md raid: fix hang when stopping arrays with metadata through dm-raid
https://notcve.org/view.php?id=CVE-2026-43309
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: md raid: fix hang when stopping arrays with metadata through dm-raid When using device-mapper's dm-raid target, stopping a RAID array can cause the system to hang under specific conditions. This occurs when: - A dm-raid managed device tree is suspended from top to bottom (the top-level RAID device is suspended first, followed by its underlying metadata and data devices) - The top-level RAID device is then removed Removing the top-level devi... • https://git.kernel.org/stable/c/0dd84b319352bb8ba64752d4e45396d8b13e6018 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43308 – btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref()
https://notcve.org/view.php?id=CVE-2026-43308
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref() There is no need to BUG(), we can just return an error and log an error message. • https://git.kernel.org/stable/c/5d4f98a28c7d334091c1b7744f48a1acdd2a4ae0 •
CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43304 – libceph: define and enforce CEPH_MAX_KEY_LEN
https://notcve.org/view.php?id=CVE-2026-43304
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: libceph: define and enforce CEPH_MAX_KEY_LEN When decoding the key, verify that the key material would fit into a fixed-size buffer in process_auth_done() and generally has a sane length. The new CEPH_MAX_KEY_LEN check replaces the existing check for a key with no key material which is a) not universal since CEPH_CRYPTO_NONE has to be excluded and b) doesn't provide much value since a smaller than needed key is just as invalid as no key -- ... • https://git.kernel.org/stable/c/cd1a677cad994021b19665ed476aea63f5d54f31 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43302 – drm/v3d: Set DMA segment size to avoid debug warnings
https://notcve.org/view.php?id=CVE-2026-43302
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Set DMA segment size to avoid debug warnings When using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the kernel occasionally reports a segment size mismatch. This is because 'max_seg_size' is not set. The kernel defaults to 64K. setting 'max_seg_size' to the maximum will prevent 'debug_dma_map_sg()' from complaining about the over-mapping of the V3D segment length. DMA-API: v3d 1002000000.v3d: mapping sg segment longer than dev... • https://git.kernel.org/stable/c/57692c94dcbe99a1e0444409a3da13fb3443562c • CWE-131: Incorrect Calculation of Buffer Size •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-43299 – btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure()
https://notcve.org/view.php?id=CVE-2026-43299
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure() [BUG] There is a bug report that when btrfs hits ENOSPC error in a critical path, btrfs flips RO (this part is expected, although the ENOSPC bug still needs to be addressed). The problem is after the RO flip, if there is a read repair pending, we can hit the ASSERT() inside btrfs_repair_io_failure() like the following: BTRFS info (device vdc): relocating block grou... • https://git.kernel.org/stable/c/908960c6c0fb3b3ce3971dc0ca47b581d256b968 •