
CVSS: - • EPSS: % • CPEs: 7 • EXPL: 0

15 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic
The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely ind...
https://git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6

CVSS: - • EPSS: 0% • CPEs: 7 • EXPL: 0

13 May 2026 — In the Linux kernel, the following vulnerability has been resolved: mmc: core: Avoid bitfield RMW for claim/retune flags
Move claimed and retune control flags out of the bitfield word to avoid unrelated RMW side effects in asynchronous contexts. The host->claimed bit shared a word with retune flags. Writes to claimed in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite other bits when concurrent updates happen in other contexts, triggering spurious WARN_ON(!host->claimed). Convert claimed,...
https://git.kernel.org/stable/c/6c0cedd1ef9527ef13e66875746570e76a3188a7

CVSS: - • EPSS: 0% • CPEs: 6 • EXPL: 0

13 May 2026 — In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Explicitly set/clear CR8 write interception when AVIC is (de)activated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8 will remain intercepted in perpetuity. On its own, the dangling CR8 intercept is "just" a performance issue, but combined with the TPR sync bug fixed by commit d...
https://git.kernel.org/stable/c/3bbf3565f48ce3999b5a12cde946f81bd4475312

CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0

13 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
The acp3x_5682_init() function did not check the return value of clk_get(), which could lead to dereferencing error pointers in rt5682_clk_enable(). Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding proper IS_ERR() checks for both clock acquisitions.
https://git.kernel.org/stable/c/6b8e4e7db3cd236a2cbb720360fb135087a2ac1d

CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

11 May 2026 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained s...
https://git.kernel.org/stable/c/d0d5c0cd1e711c98703f3544c1e6fc1372898de5
CWE-787: Out-of-bounds Write

CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
This resolves the following splat and lock-up when running with PREEMPT_RT enabled on Hyper-V:
[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002
[ 415.140822] INFO: lockdep is turned off.
[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry i...
https://git.kernel.org/stable/c/d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1

CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling
There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness...
https://git.kernel.org/stable/c/741a295130606143edbf9fc740f633dbc1e6225f

CVSS: 8.2 • EPSS: 0% • CPEs: 8 • EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer. After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery. The DMA FIFO is a purely s...
https://git.kernel.org/stable/c/db75373c91b0cfb6a68ad6ae88721e4e21ae6261

CVSS: 7.3 • EPSS: 0% • CPEs: 8 • EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets
When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM clo...
https://git.kernel.org/stable/c/e894efef9ac7c10b7727798dcc711cccf07569f9

CVSS: - • EPSS: 0% • CPEs: 8 • EXPL: 0

08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release
A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port. Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied...
https://git.kernel.org/stable/c/e31d5a05948e4478ba8396063d1e1f39880928e2