CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43333 – bpf: reject direct access to nullable PTR_TO_BUF pointers
https://notcve.org/view.php?id=CVE-2026-43333
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
bpf: reject direct access to nullable PTR_TO_BUF pointers
check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check. Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference. Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern.
Reference: https://git.kernel.org/stable/c/b453361384c2db1c703dacb806d5fd36aec4ceca
CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-43329 – netfilter: flowtable: strictly check for maximum number of actions
https://notcve.org/view.php?id=CVE-2026-43329
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable: strictly check for maximum number of actions
The maximum number of flowtable hardware offload actions in IPv6 is:
* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ.
* Redirect (1 action)
Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions to...
Reference: https://git.kernel.org/stable/c/c29f74e0df7a02b8303bcdce93a7c0132d62577a
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43328 – cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
https://notcve.org/view.php?id=CVE-2026-43328
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->ini...
Reference: https://git.kernel.org/stable/c/4ebe36c94aed95de71a8ce6a6762226d31c938ee
CVSS: - | EPSS: 0% | CPEs: 14 | EXPL: 0
CVE-2026-43327 – USB: dummy-hcd: Fix locking/synchronization error
https://notcve.org/view.php?id=CVE-2026-43327
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
USB: dummy-hcd: Fix locking/synchronization error
Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were ...
Reference: https://git.kernel.org/stable/c/7dbd8f4cabd96db5a50513de9d83a8105a5ffc81
CVSS: 7.8 | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-43324 – USB: dummy-hcd: Fix interrupt synchronization error
https://notcve.org/view.php?id=CVE-2026-43324
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
USB: dummy-hcd: Fix interrupt synchronization error
This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), which added an emulated "interrupts enabled" flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned). ...
Reference: https://git.kernel.org/stable/c/04145a03db9d78469e0817ab3a767c76c0fb0947
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-43318 – drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify
https://notcve.org/view.php?id=CVE-2026-43318
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify
Invalidating a dmabuf will impact other users of the shared BO. In the scenario where process A moves the BO, it needs to inform process B about the move and process B will need to update its page table. The commit fixes a synchronisation bug caused by the use of the ticket: it made amdgpu_vm_handle_moved behave as if updating the page table immediately was correct but in this case...
Reference: https://git.kernel.org/stable/c/a448cb003edcb4b63d0a9c95f3faab724e6150fb
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2026-43317 – most: core: fix leak on early registration failure
https://notcve.org/view.php?id=CVE-2026-43317
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
most: core: fix leak on early registration failure
A recent commit fixed a resource leak on early registration failures but for some reason left out the first error path which still leaks the resources associated with the interface. Fix up also the first error path so that the interface is always released on errors.
Reference: https://git.kernel.org/stable/c/723de0f9171eeb49a3ae98cae82ebbbb992b3a7c
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43316 – media: solo6x10: Check for out of bounds chip_id
https://notcve.org/view.php?id=CVE-2026-43316
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
media: solo6x10: Check for out of bounds chip_id
Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type (literal "1" is an "int") could end up being shifted beyond 32 bits, so instrumentation was added (and due to the double is_tw286x() call seen via inlining), Clang decides the second one must now be undefined behavior and elides the rest of the function[1]. This is a known problem with Clang (that is still being worked on...
Reference: https://git.kernel.org/stable/c/faa4fd2a09517b39cc1f5d622453f97a59acfdac
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
CVE-2026-43315 – KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding
https://notcve.org/view.php?id=CVE-2026-43315
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding
Drop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failing as it is trivially easy to trigger from userspace by modifying CPUID after loading CR3. E.g. modifying the state restoration selftest like so: --- tools/testing/selftests/kvm/x86/state_test.c +++ tools/testing/selftests/kvm/x86/state_test.c @@ -280,7 +280,16 @@ int main(int argc, char *argv[]...
Reference: https://git.kernel.org/stable/c/b222b0b88162bdef4eceb12a79d5edbbdb23dbfd
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2026-43314 – dm: remove fake timeout to avoid leak request
https://notcve.org/view.php?id=CVE-2026-43314
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved:
dm: remove fake timeout to avoid leak request
Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities. However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices. If an io-timeout-fail error is injected to a dm device, the request will be...
Reference: https://git.kernel.org/stable/c/e6ee8c0b767540f59e20da3ced282601db8aa502
