CVSS: - • EPSS: % • CPEs: 7 • EXPL: 0 • CVE-2026-46333 – ptrace: slightly saner 'get_dumpable()' logic
https://notcve.org/view.php?id=CVE-2026-46333
15 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely ind... • https://git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6 •
CVSS: - • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-43490 – ksmbd: validate inherited ACE SID length
https://notcve.org/view.php?id=CVE-2026-43490
15 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate inherited ACE SID length smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE. A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past th... • https://git.kernel.org/stable/c/e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 •
CVSS: - • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2026-43484 – mmc: core: Avoid bitfield RMW for claim/retune flags
https://notcve.org/view.php?id=CVE-2026-43484
13 May 2026 — In the Linux kernel, the following vulnerability has been resolved: mmc: core: Avoid bitfield RMW for claim/retune flags Move claimed and retune control flags out of the bitfield word to avoid unrelated RMW side effects in asynchronous contexts. The host->claimed bit shared a word with retune flags. Writes to claimed in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite other bits when concurrent updates happen in other contexts, triggering spurious WARN_ON(!host->claimed). Convert claimed,... • https://git.kernel.org/stable/c/6c0cedd1ef9527ef13e66875746570e76a3188a7 •
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-43483 – KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
https://notcve.org/view.php?id=CVE-2026-43483
13 May 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated Explicitly set/clear CR8 write interception when AVIC is (de)activated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8 will remain intercepted in perpetuity. On its own, the dangling CR8 intercept is "just" a performance issue, but combined with the TPR sync bug fixed by commit d... • https://git.kernel.org/stable/c/3bbf3565f48ce3999b5a12cde946f81bd4475312 •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-43480 – ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
https://notcve.org/view.php?id=CVE-2026-43480
13 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition The acp3x_5682_init() function did not check the return value of clk_get(), which could lead to dereferencing error pointers in rt5682_clk_enable(). Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding proper IS_ERR() checks for both clock acquisitions. • https://git.kernel.org/stable/c/6b8e4e7db3cd236a2cbb720360fb135087a2ac1d •
CVSS: - • EPSS: 0% • CPEs: 7 • EXPL: 0 • CVE-2026-43476 – iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
https://notcve.org/view.php?id=CVE-2026-43476
13 May 2026 — In the Linux kernel, the following vulnerability has been resolved: iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead of the intended __be32 element size (4 bytes). Use sizeof(*meas) to correctly match the buffer element type. • https://git.kernel.org/stable/c/8f3f130852785dac0759843835ca97c3bacc2b10 •
CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-43500 – rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
https://notcve.org/view.php?id=CVE-2026-43500
11 May 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained s... • https://git.kernel.org/stable/c/d0d5c0cd1e711c98703f3544c1e6fc1372898de5 • CWE-787: Out-of-bounds Write •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-43475 – scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
https://notcve.org/view.php?id=CVE-2026-43475
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT This resolves the following splat and lock-up when running with PREEMPT_RT enabled on Hyper-V: [ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002 [ 415.140822] INFO: lockdep is turned off. [ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry i... • https://git.kernel.org/stable/c/d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 •
CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2026-43473 – scsi: mpi3mr: Add NULL checks when resetting request and reply queues
https://notcve.org/view.php?id=CVE-2026-43473
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but attempted to mem set the content of the freed memory, leading to a system crash. Add NULL pointer checks for reply and request queues befo... • https://git.kernel.org/stable/c/fe6db615156573d3f6a37564b8a590cb03bbaf25 •
CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2026-43472 – unshare: fix unshare_fs() handling
https://notcve.org/view.php?id=CVE-2026-43472
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness... • https://git.kernel.org/stable/c/741a295130606143edbf9fc740f633dbc1e6225f •
