CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2026-46333 – ptrace: slightly saner 'get_dumpable()' logic
https://notcve.org/view.php?id=CVE-2026-46333
15 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely ind... • https://git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43472 – unshare: fix unshare_fs() handling
https://notcve.org/view.php?id=CVE-2026-43472
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness... • https://git.kernel.org/stable/c/741a295130606143edbf9fc740f633dbc1e6225f •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43458 – serial: caif: hold tty->link reference in ldisc_open and ser_release
https://notcve.org/view.php?id=CVE-2026-43458
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port. Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied... • https://git.kernel.org/stable/c/e31d5a05948e4478ba8396063d1e1f39880928e2 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43456 – bonding: fix type confusion in bond_setup_by_slave()
https://notcve.org/view.php?id=CVE-2026-43456
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R... • https://git.kernel.org/stable/c/1284cd3a2b740d0118458d2ea470a1e5bc19b187 •
CVSS: 8.2EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43452 – netfilter: x_tables: guard option walkers against 1-byte tail reads
https://notcve.org/view.php?id=CVE-2026-43452
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: guard option walkers against 1-byte tail reads When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. • https://git.kernel.org/stable/c/2e4e6a17af35be359cc8f1c924f8f198fbd478cc •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43450 – netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
https://notcve.org/view.php?id=CVE-2026-43450
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassi... • https://git.kernel.org/stable/c/12f7a505331e6b2754684b509f2ac8f0011ce644 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43445 – e1000/e1000e: Fix leak in DMA error cleanup
https://notcve.org/view.php?id=CVE-2026-43445
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful ma... • https://git.kernel.org/stable/c/c1fa347f20f17f14a4a1575727fa24340e8a9117 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43437 – ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
https://notcve.org/view.php?id=CVE-2026-43437
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lif... • https://git.kernel.org/stable/c/f2b3614cefb61ee6046a0aaee503ee37f227d310 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43430 – usb: yurex: fix race in probe
https://notcve.org/view.php?id=CVE-2026-43430
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: yurex: fix race in probe The bbu member of the descriptor must be set to the value standing for uninitialized values before the URB whose completion handler sets bbu is submitted. Otherwise there is a window during which probing can overwrite already retrieved data. • https://git.kernel.org/stable/c/6bc235a2e24a5ef677daee3fd4f74f6cd643e23c •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43428 – USB: core: Limit the length of unkillable synchronous timeouts
https://notcve.org/view.php?id=CVE-2026-43428
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: USB: core: Limit the length of unkillable synchronous timeouts The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device. To prevent this sort of problem, enforce a maximum limit on the length of these u... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •