CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43377 – ksmbd: Don't log keys in SMB3 signing and encryption key generation
https://notcve.org/view.php?id=CVE-2026-43377
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: Don't log keys in SMB3 signing and encryption key generation When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and generate_smb3encryptionkey() log the session, signing, encryption, and decryption key bytes. Remove the logs to avoid exposing credentials. • https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43376 – ksmbd: fix use-after-free by using call_rcu() for oplock_info
https://notcve.org/view.php?id=CVE-2026-43376
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using call_rcu() for oplock_info ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side critical sections in places like opinfo_get() and proc_show_files(). Since there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can still access oplock_info structure after it has been freed. This can leads to a use-after-free e... • https://git.kernel.org/stable/c/296cb5457cc6f4a754c4ae29855f8a253d52bcc6 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43374 – net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
https://notcve.org/view.php?id=CVE-2026-43374
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference ... • https://git.kernel.org/stable/c/f4676ea74b8549cd88dbfe2a592ce4530039e61f • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43373 – net: ncsi: fix skb leak in error paths
https://notcve.org/view.php?id=CVE-2026-43373
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: ncsi: fix skb leak in error paths Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak. Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed. • https://git.kernel.org/stable/c/138635cc27c9737f940c3aa80912ff7a61c825af • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43372 – net: dsa: microchip: Fix error path in PTP IRQ setup
https://notcve.org/view.php?id=CVE-2026-43372
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: Fix error path in PTP IRQ setup If request_threaded_irq() fails during the PTP message IRQ setup, the newly created IRQ mapping is never disposed. Indeed, the ksz_ptp_irq_setup()'s error path only frees the mappings that were successfully set up. Dispose the newly created mapping if the associated request_threaded_irq() fails at setup. • https://git.kernel.org/stable/c/3b5a6115d6ea45df1ea65dc9b832b23db5d593ba •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43371 – net: macb: Shuffle the tx ring before enabling tx
https://notcve.org/view.php?id=CVE-2026-43371
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: macb: Shuffle the tx ring before enabling tx Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board, the rootfs may take an extended time to recover after a suspend. Upon investigation, it was determined that the issue originates from a problem in the macb driver. According to the Zynq UltraScale TRM [1], when transmit is disabled, the transmit buffer queue pointer resets to point to the address specified by the transmi... • https://git.kernel.org/stable/c/d89b8b17057e16fad4564c71160e68ca549c1b42 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43370 – drm/amdgpu: Fix use-after-free race in VM acquire
https://notcve.org/view.php?id=CVE-2026-43370
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix use-after-free race in VM acquire Replace non-atomic vm->process_info assignment with cmpxchg() to prevent race when parent/child processes sharing a drm_file both try to acquire the same VM after fork(). (cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618) • https://git.kernel.org/stable/c/ede0dd86f45adf2b7083bb161f6bc81da5fe2bad • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2026-43368 – drm/i915: Fix potential overflow of shmem scatterlist length
https://notcve.org/view.php?id=CVE-2026-43368
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential overflow of shmem scatterlist length When a scatterlists table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may get overflowed if total byte length of pages allocated to that single scatterlist happens to reach or cross the 4GB limit. As a consequence, users of the object may suffer from hitting unexpected, premature end of ... • https://git.kernel.org/stable/c/0b62af28f249b9c4036a05acfb053058dc02e2e2 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2026-43366 – io_uring/kbuf: check if target buffer list is still legacy on recycle
https://notcve.org/view.php?id=CVE-2026-43366
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: check if target buffer list is still legacy on recycle There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks. • https://git.kernel.org/stable/c/c7fb19428d67dd0a2a78a4f237af01d39c78dc5a •
CVSS: 8.2EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43365 – xfs: fix undersized l_iclog_roundoff values
https://notcve.org/view.php?id=CVE-2026-43365
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: fix undersized l_iclog_roundoff values If the superblock doesn't list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors... XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. XFS (sda1): failed to l... • https://git.kernel.org/stable/c/a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48 •