CVSS: 9.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-43341 – net/ipv6: ioam6: prevent schema length wraparound in trace fill
https://notcve.org/view.php?id=CVE-2026-43341
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/ipv6: ioam6: prevent schema length wraparound in trace fill ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema p... • https://git.kernel.org/stable/c/8c6f6fa6772696be0c047a711858084b38763728 •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-43340 – comedi: Reinit dev->spinlock between attachments to low-level drivers
https://notcve.org/view.php?id=CVE-2026-43340
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: comedi: Reinit dev->spinlock between attachments to low-level drivers `struct comedi_device` is the main controlling structure for a COMEDI device created by the COMEDI subsystem. It contains a member `spinlock` containing a spin-lock that is initialized by the COMEDI subsystem, but is reserved for use by a low-level driver attached to the COMEDI device (at least since commit 25436dc9d84f ("Staging: comedi: remove RT code")). Some COMEDI de... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-43339 – ipv6: prevent possible UaF in addrconf_permanent_addr()
https://notcve.org/view.php?id=CVE-2026-43339
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UaF in addrconf_permanent_addr() The mentioned helper tries to warn the user about an exceptional condition, but the message is delivered too late, accessing the ipv6 after its possible deletion. Reorder the statement to avoid the possible UaF; while at it, place the warning outside the idev->lock as it needs no protection. • https://git.kernel.org/stable/c/f1705ec197e705b79ea40fe7a2cc5acfa1d3bfac •
CVSS: - • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-43338 – btrfs: reserve enough transaction items for qgroup ioctls
https://notcve.org/view.php?id=CVE-2026-43338
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: reserve enough transaction items for qgroup ioctls Currently our qgroup ioctls don't reserve any space, they just do a transaction join, which does not reserve any space, neither for the quota tree updates nor for the delayed refs generated when updating the quota tree. The quota root uses the global block reserve, which is fine most of the time since we don't expect a lot of updates to the quota root, or to be too close to -ENOSPC s... • https://git.kernel.org/stable/c/5d13a37bd5327220e13329943d1228acfbe5934a •
CVSS: 7.5 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-43336 – lib/crypto: chacha: Zeroize permuted_state before it leaves scope
https://notcve.org/view.php?id=CVE-2026-43336
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: lib/crypto: chacha: Zeroize permuted_state before it leaves scope Since the ChaCha permutation is invertible, the local variable 'permuted_state' is sufficient to compute the original 'state', and thus the key, even after the permutation has been done. While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don't bother at all since it's not guaranteed to work anyway), the k... • https://git.kernel.org/stable/c/c08d0e647305c3f8f640010a56c9e4bafb9488d3 •
CVSS: 8.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-43334 – Bluetooth: SMP: force responder MITM requirements before building the pairing response
https://notcve.org/view.php?id=CVE-2026-43334
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: force responder MITM requirements before building the pairing response smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making metho... • https://git.kernel.org/stable/c/2b64d153a0cc9d2b60e47be013cde8490f16e0a5 •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-43333 – bpf: reject direct access to nullable PTR_TO_BUF pointers
https://notcve.org/view.php?id=CVE-2026-43333
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: bpf: reject direct access to nullable PTR_TO_BUF pointers check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check. Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference. Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern. • https://git.kernel.org/stable/c/b453361384c2db1c703dacb806d5fd36aec4ceca •
CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43330 – crypto: caam - fix overflow on long hmac keys
https://notcve.org/view.php?id=CVE-2026-43330
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: crypto: caam - fix overflow on long hmac keys When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache alignment, as otherwise the hashed key may corrupt neighbouring memory. The copying is performed using kmemdup, however this leads to an overflow: reading more bytes (aligned_len - keylen) from the keylen source buffer. Fix this by repl... • https://git.kernel.org/stable/c/199354d7fb6eaa2cc5bb650af0bca624baffee35 •
CVSS: 7.8 • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2026-43329 – netfilter: flowtable: strictly check for maximum number of actions
https://notcve.org/view.php?id=CVE-2026-43329
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is:
* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ.
* Redirect (1 action)
Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions to... • https://git.kernel.org/stable/c/c29f74e0df7a02b8303bcdce93a7c0132d62577a •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-43328 – cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
https://notcve.org/view.php?id=CVE-2026-43328
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->ini... • https://git.kernel.org/stable/c/4ebe36c94aed95de71a8ce6a6762226d31c938ee •
