CVSS: 5.5 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2026-43118 – btrfs: fix zero size inode with non-zero size after log replay
https://notcve.org/view.php?id=CVE-2026-43118
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix zero size inode with non-zero size after log replay. When logging that an inode exists, as part of logging a new name or logging new dir entries for a directory, we always set the generation of the logged inode item to 0. This is to signal during log replay (in overwrite_item()), that we should not set the i_size since we only logged that an inode exists, so the i_size of the inode in the subvolume tree must be preserved (as when ... • https://git.kernel.org/stable/c/12fcfd22fe5bf4fe74710232098bc101af497995
CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2026-43116 – netfilter: ctnetlink: ensure safe access to master conntrack
https://notcve.org/view.php?id=CVE-2026-43116
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack. Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid. To access exp->master safely: - Grab the nf_conntrack_expect_lock, this gets serialized with clean_from_lists() which also holds this lock when the master conntrack goes away. - Hold reference on master conntrack via nf_conntrack_find_get(). Not so easy... • https://git.kernel.org/stable/c/c1d10adb4a521de5760112853f42aaeefcec96eb • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSS: 8.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43113 – wifi: wl1251: validate packet IDs before indexing tx_frames
https://notcve.org/view.php?id=CVE-2026-43113
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames. wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local ... • https://git.kernel.org/stable/c/2f01a1f58889fbfeb68b1bc1b52e4197f3333490 • CWE-476: NULL Pointer Dereference
CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43111 – HID: roccat: fix use-after-free in roccat_report_event
https://notcve.org/view.php?id=CVE-2026-43111
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: HID: roccat: fix use-after-free in roccat_report_event. roccat_report_event() iterates over the device->readers list without holding the readers_lock. This allows a concurrent roccat_release() to remove and free a reader while it's still being accessed, leading to a use-after-free. Protect the readers list traversal with the readers_lock mutex. • https://git.kernel.org/stable/c/206f5f2fcb5ff5bb0c60f9e9189937f3ca03e378 • CWE-416: Use After Free
CVSS: 8.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43110 – wifi: brcmfmac: validate bsscfg indices in IF events
https://notcve.org/view.php?id=CVE-2026-43110
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events. brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. [add missing wifi prefix] • https://git.kernel.org/stable/c/2880b86859967af710c72f7d34fb421a86a71e22
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43103 – net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
https://notcve.org/view.php?id=CVE-2026-43103
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE. lapbeth_data_transmit() expects the underlying device type to be ARPHRD_ETHER. Returning NOTIFY_BAD from lapbeth_device_event() makes sure bonding driver can not break this expectation. • https://git.kernel.org/stable/c/872254dd6b1f80cb95ee9e2e22980888533fc293
CVSS: - • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43089 – xfrm_user: fix info leak in build_mapping()
https://notcve.org/view.php?id=CVE-2026-43089
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_mapping(). struct xfrm_usersa_id has a one-byte padding hole after the proto field, which ends up never getting set to zero before copying out to userspace. Fix that up by zeroing out the whole structure before setting individual variables. • https://git.kernel.org/stable/c/3a2dfbe8acb154905fdc2fd03ec56df42e6c4cc4
CVSS: - • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-43088 – net: af_key: zero aligned sockaddr tail in PF_KEY exports
https://notcve.org/view.php?id=CVE-2026-43088
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net: af_key: zero aligned sockaddr tail in PF_KEY exports. PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, `pfkey_sockaddr_fill()` initializes only the first 28 bytes of `struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized. Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buff... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVSS: - • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43085 – netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
https://notcve.org/view.php?id=CVE-2026-43085
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator. When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSG... • https://git.kernel.org/stable/c/29c5d4afba51c71cfeadd3f74f3c42e064483fb0
CVSS: - • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-43080 – l2tp: Drop large packets with UDP encap
https://notcve.org/view.php?id=CVE-2026-43080
06 May 2026 — In the Linux kernel, the following vulnerability has been resolved: l2tp: Drop large packets with UDP encap. syzbot reported a WARN on my patch series [1]. The actual issue is an overflow of 16-bit UDP length field, and it exists in the upstream code. My series added a debug WARN with an overflow check that exposed the issue, that's why syzbot tripped on my patches, rather than on upstream code. syzbot's repro: r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$inet6(r1, &(0x7f0... • https://git.kernel.org/stable/c/3557baabf28088f49bdf72a048fd33ab62e205b1
