CVE-2026-43267

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bssconf-beaconint might be zero, which could result in a division by zero error in subsequent calculations. Set a...

CVE-2026-43238

In the Linux kernel, the following vulnerability has been resolved: net/sched: actskbedit: fix divide-by-zero in tcfskbedithash Commit 38a6f0865796 "net: sched: support hash selecting tx queue" added SKBEDITFTXQSKBHASH support. The inclusive range size is computed as: mappingmod = queuemappingmax...

CVE-2026-43244

In the Linux kernel, the following vulnerability has been resolved: kcm: fix zero-frag skb in fraglist on partial sendmsg error Syzkaller reported a warning in kcmwritemsgs when processing a message with a zero-fragment skb in the fraglist. When kcmsendmsg fills MAXSKBFRAGS fragments in the curre...

CVE-2026-43184

In the Linux kernel, the following vulnerability has been resolved: rnbd-srv: Zero the rsp buffer before using it Before using the data buffer to send back the response message, zero it completely. This prevents any stray bytes to be picked up by the client side when there the message is exchange...

CVE-2026-43187

In the Linux kernel, the following vulnerability has been resolved: xfs: delete attr leaf freemap entries when empty Back in commit 2a2b5932db6758 "xfs: fix attr leaf header freemap.size underflow", Brian Foster observed that it's possible for a small freemap at the end of the end of the xattr...

CVE-2026-43182

In the Linux kernel, the following vulnerability has been resolved: media: ccs: Avoid possible division by zero Calculating maximum M for scaler configuration involves dividing by MINXOUTPUTSIZE limit register's value. Albeit the value is presumably non-zero, the driver was missing the check it i...

CVE-2026-43141

In the Linux kernel, the following vulnerability has been resolved: ntb: ntbhwswitchtec: Fix shift-out-of-bounds for 0 mw lut Number of MW LUTs depends on NTB configuration and can be set to zero, in such scenario rounddownpowoftwo will cause undefined behaviour and should not be performed. This...

CLSA-2026-1778068747 Fix CVE(s): CVE-2026-0966

SECURITY UPDATE: heap buffer underflow in sshgethexa on zero-length or NULL input, remotely reachable via GSSAPI authentication logging - debian/patches/CVE-2026-0966.patch: reject NULL/zero-length input in sshgethexa in src/dh.c - CVE-2026-0966: fix heap buffer underflow in sshgethexa...

CLSA-2026-1778068515 Fix CVE(s): CVE-2026-0966

SECURITY UPDATE: heap buffer underflow in sshgethexa on zero-length or NULL input, remotely reachable via GSSAPI authentication logging - debian/patches/CVE-2026-0966.patch: reject NULL/zero-length input in sshgethexa in src/dh.c - CVE-2026-0966: fix heap buffer underflow in sshgethexa...

CVE-2026-43281

CVE-2026-43281 affects the Linux kernel mailbox subsystem. The flaw is an out-of-bounds access in fw_mbox_index_xlate() that can occur when #mbox-cells is

CVE-2026-43281 mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()

In the Linux kernel, the following vulnerability has been resolved: mailbox: Prevent out-of-bounds access in fwmboxindexxlate Although it is guided that mbox-cells must be at least 1, there are many instances of mbox-cells = ; in the device tree. If that is the case and the corresponding mailbox...

CVE-2026-43275

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFSPMLVL0. When the RPM...

CVE-2026-43275

In the Linux kernel, a race condition in the UFS core driver can occur during system suspend when Runtime Power Management (RPM) level is zero. The driver previously bypassed flushing the exception-event handling work in this state, risking illegal host-controller access after entering deep power...

CVE-2026-43275

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFSPMLVL0. When the RPM...

CVE-2026-43273

In the Linux kernel, the following vulnerability has been resolved: ceph: supply snapshot context in cephzeropartialobject The cephzeropartialobject function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots. Reproducer:...

CVE-2026-43267

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bssconf-beaconint might be zero, which could result in a division by zero error in subsequent calculations. Set a...

CVE-2026-43267 wifi: rtw89: fix potential zero beacon interval in beacon tracking

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bssconf-beaconint might be zero, which could result in a division by zero error in subsequent calculations. Set a...

CVE-2026-43267

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bssconf-beaconint might be zero, which could result in a division by zero error in subsequent calculations. Set a...

CVE-2026-43244

In the Linux kernel, the following vulnerability has been resolved: kcm: fix zero-frag skb in fraglist on partial sendmsg error Syzkaller reported a warning in kcmwritemsgs when processing a message with a zero-fragment skb in the fraglist. When kcmsendmsg fills MAXSKBFRAGS fragments in the curre...

CVE-2026-43244

CVE-2026-43244 affects the Linux kernel KCM (Kernel Connection Multiplexer). The issue arises during partial sendmsg operations: when kcm_sendmsg fills MAX_SKB_FRAGS, it allocates a new skb in frag_list and may copy data; if the copy fails, the new tail skb can have zero frags, leaving an empty e...