SUSE CVE-2026-43111

In the Linux kernel, the following vulnerability has been resolved: HID: roccat: fix use-after-free in roccatreportevent roccatreportevent iterates over the device-readers list without holding the readerslock. This allows a concurrent roccatrelease to remove and free a reader while it's still bei...

SUSE CVE-2026-43112

In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifssanitizeprepath When cifssanitizeprepath is called with an empty string or a string containing only delimiters e.g., "/", the current logic attempts to check cursor2 - 1 before cursor2...

SUSE CVE-2026-43113

In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing txframes wl1251txpacketcb uses the firmware completion ID directly to index the fixed 16-entry wl-txframes array. The ID is a raw u8 from the completion block, and the callback do...

SUSE CVE-2026-43114

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftsetpipapoavx2: don't return non-matching entry on expiry New test case fails unexpectedly when avx2 matching functions are used. The test first loads a ranomly generated pipapo set with 'ipv4 . port' key, i.e. nft -...

SUSE CVE-2026-43115

In the Linux kernel, the following vulnerability has been resolved: srcu: Use irqwork to start GP in tiny SRCU Tiny SRCU's srcugpstartifneeded directly calls schedulework, which acquires the workqueue pool-lock. This causes a lockdep splat when callsrcu is called with a scheduler lock held, due t...

SUSE CVE-2026-43116

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp-master invalid. To access exp-master safely: - Grab the...

SUSE CVE-2026-43117

In the Linux kernel, the following vulnerability has been resolved: btrfs: tracepoints: get correct superblock from dentry in event btrfssyncfile If overlay is used on top of btrfs, dentry-dsb translates to overlay's super block and fsid assignment will lead to a crash. Use fileinodefile-isb to...

SUSE CVE-2026-43118

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix zero size inode with non-zero size after log replay When logging that an inode exists, as part of logging a new name or logging new dir entries for a directory, we always set the generation of the logged inode item to ...

SUSE CVE-2026-43119

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: annotate data-races around hdev-reqstatus hcicmdsyncsk sets hdev-reqstatus under hdev-reqlock: hdev-reqstatus = HCIREQPEND; However, several other functions read or write hdev-reqstatus without holding any loc...

SUSE CVE-2026-43120

In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix double free related to reregusermr If IBMRREREGTRANS is set during reregusermr, the umem will be released and a new one will be allocated in irdmareregmrtrans. If any step of irdmareregmrtrans fails after the new...

SUSE CVE-2026-43121

In the Linux kernel, the following vulnerability has been resolved: iouring/zcrx: fix userref race between scrub and refill paths The iozcrxputniovuref function uses a non-atomic check-then-decrement pattern atomicread followed by separate atomicdec to manipulate userrefs. This is serialized...

SUSE CVE-2026-43126

In the Linux kernel, the following vulnerability has been resolved: ALSA: mixer: oss: Add card disconnect checkpoints ALSA OSS mixer layer calls the kcontrol ops rather individually, and pending calls might be not always caught at disconnecting the device. For avoiding the potential UAF scenarios...

SUSE CVE-2026-43129

In the Linux kernel, the following vulnerability has been resolved: ima: verify the previous kernel's IMA buffer lies in addressable RAM Patch series "Address page fault in imarestoremeasurementlist", v3. When the second-stage kernel is booted via kexec with a limiting command line such as "mem="...

SUSE CVE-2026-43134

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix missing key size check for L2CAPLECONNREQ This adds a check for encryption key size upon receiving L2CAPLECONNREQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAPCRLEBADKEYSIZE...

SUSE CVE-2026-43136

In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidppgetreportlength Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be...

SUSE CVE-2026-43137

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix NULL pointer dereference If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopbac...

SUSE CVE-2026-43139

In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6getsaddr xfrm6getsaddr does not check the return value of ipv6devgetsaddr. When ipv6devgetsaddr fails to find a suitable source address returns -EADDRNOTAVAIL, saddr-in6 is left uninitialize...

SUSE CVE-2026-43144

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential kernel oops when probe fails When probe of the sdio brcmfmac device fails for some reasons i.e. missing firmware, the sdiodev-bus is set to error instead of NULL, thus the cleanup later in...

SUSE CVE-2026-43146

In the Linux kernel, the following vulnerability has been resolved: media: iris: Add buffer to list only after successful allocation Move listaddtail to after dmaallocattrs succeeds when creating internal buffers. Previously, the buffer was enqueued in buffers-list before the DMA allocation. If t...

SUSE CVE-2026-43149

In the Linux kernel, the following vulnerability has been resolved: net: wan/fslucchdlc: Fix dmafreecoherent in uhdlcmemclean The priv-rxbuffer and priv-txbuffer are alloc'd together as contiguous buffers in uhdlcinit but freed as two buffers in uhdlcmemclean. Change the cleanup to only call...

SUSE CVE-2026-43151

In the Linux kernel, the following vulnerability has been resolved: Revert "media: iris: Add sanity check for stop streaming" This reverts commit ad699fa78b59241c9d71a8cafb51525f3dab04d4. Revert the check that skipped stopstreaming when the instance was in IRISINSTERROR, as it caused multiple...

SUSE CVE-2026-43152

In the Linux kernel, the following vulnerability has been resolved: HID: hid-pl: handle probe errors Errors in init must be reported back or we'll follow a NULL pointer the first time FF is used...

SUSE CVE-2026-43154

In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits in volume label handling Crafted EROFS images containing valid volume labels can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or...

SUSE CVE-2026-43155

In the Linux kernel, the following vulnerability has been resolved: mux: mmio: fix regmap leak on probe failure The mmio regmap that may be allocated during probe is never freed. Switch to using the device managed allocator so that the regmap is released on probe failures e.g. probe deferral and ...

SUSE CVE-2026-43156

In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: enable basic endpoint checking pegasusprobe fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usbrcvbulkpipedev, 1 for RX data - usbsndbulkpipedev, 2 for TX data -...

SUSE CVE-2026-43158

In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after 20 minutes of running on my test VMs: ASSERTichdr-firstused = ichdr-count...

SUSE CVE-2026-43160

In the Linux kernel, the following vulnerability has been resolved: mfd: macsmc: Initialize mutex Initialize struct applesmc's mutex in applesmcprobe. Using the mutex uninitialized surprisingly resulted only in occasional NULL pointer dereferences in applesmcread calls from the probe functions of...

SUSE CVE-2026-43162

In the Linux kernel, the following vulnerability has been resolved: media: tegra-video: Fix memory leak in tegrachanneltryformat The state object allocated by v4l2subdevstatealloc must be freed with v4l2subdevstatefree when it is no longer needed. In tegrachanneltryformat, two error paths return...

SUSE CVE-2026-43163

In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in writepage caused by resize race A General Protection Fault occurs in writepage during array resize: RIP: 0010:writepage+0x22b/0x3c0 mdmod This is a use-after-free race between bitmapdaemonwork and...

SUSE CVE-2026-43164

In the Linux kernel, the following vulnerability has been resolved: udplite: Fix null-ptr-deref in udpenqueuescheduleskb. syzbot reported null-ptr-deref of udpsksk-udpprodqueue. 0 Since the cited commit, udplibinitsock can fail, as can udpinitsock and udpv6initsock. Let's handle the error in...

SUSE CVE-2026-43171

In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't dump the entire memory region The current logic at cperprintfwerr doesn't check if the error record length is big enough to handle offset. On a bad firmware, if the ofset is above the actual record, length -= offs...

SUSE CVE-2026-43173

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly In ixp4xxgettsinfo ixp46xptpfind is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump: root@OpenWrt: tcpdump -vv...

SUSE CVE-2026-43177

In the Linux kernel, the following vulnerability has been resolved: media: ipu6: Fix RPM reference leak in probe error paths Several error paths in ipu6pciprobe were jumping directly to outipu6busdeldevices without releasing the runtime PM reference. Add pmruntimeputsync before cleaning up other...

SUSE CVE-2026-43178

In the Linux kernel, the following vulnerability has been resolved: procfs: fix possible double mmput in doprocmapquery When user provides incorrectly sized buffer for build ID for PROCMAPQUERY we return with -ENAMETOOLONG error. After recent changes this condition happens later, after we unlocke...

SUSE CVE-2026-43179

In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system...

SUSE CVE-2026-43182

In the Linux kernel, the following vulnerability has been resolved: media: ccs: Avoid possible division by zero Calculating maximum M for scaler configuration involves dividing by MINXOUTPUTSIZE limit register's value. Albeit the value is presumably non-zero, the driver was missing the check it i...

SUSE CVE-2026-43186

In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix heap buffer overflow in ioam6filltracedata On the receive path, ioam6filltracedata uses trace-nodelen to decide how much data to write for each node. It trusts this field as-is from the incoming packet, with no...

SUSE CVE-2026-43191

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Adjust PHY FSM transition to TXEN-to-PLLON for TMDS on DCN35 Why A backport of the change made for DCN401 that addresses an issue where we turn off the PHY PLL when disabling TMDS output, which causes the OTG to...

SUSE CVE-2026-43193

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfs4file refcount leak in nfsdgetdirdeleg Claude pointed out that there is a nfs4file refcount leak in nfsdgetdirdeleg. Ensure that the reference to "fp" is released before returning...

SUSE CVE-2026-43194

In the Linux kernel, the following vulnerability has been resolved: net: consume xmit errors of GSO frames udpgrofrglist.sh and udpgrobench.sh are the flakiest tests currently in NIPA. They fail in the same exact way, TCP GRO test stalls occasionally and the test gets killed after 10min. These...

SUSE CVE-2026-43202

In the Linux kernel, the following vulnerability has been resolved: fbdev: vt8500lcdfb: fix missing dmafreecoherent fbi-fb.screenbuffer is allocated with dmaalloccoherent but is not freed if the error path is reached...

SUSE CVE-2026-43203

In the Linux kernel, the following vulnerability has been resolved: atm: fore200e: fix use-after-free in tasklets during device removal When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the txtasklet or rxtasklet may still be running or pending, leadin...

SUSE CVE-2026-43204

In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce "ASoC: qcom: q6asm: handle the responses after closing"' attempted to ignore DSP responses arriving after a stream had been closed. However, those...

SUSE CVE-2026-43205

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate numifs to prevent out-of-bounds write The driver obtains swattr.numifs from firmware via dpswgetattributes but never validates it against DPSWMAXIF 64. This value controls iteration in...

SUSE CVE-2026-43206

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfdeventpageset The kfdeventpageset function writes KFDSIGNALEVENTLIMIT 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of...

SUSE CVE-2026-43209

In the Linux kernel, the following vulnerability has been resolved: minix: Add required sanity checking to minixchecksuperblock The fs/minix implementation of the minix filesystem does not currently support any other value for slogzonesize than 0. This is also the only value supported in...

SUSE CVE-2026-43210

In the Linux kernel, the following vulnerability has been resolved: tracing: ring-buffer: Fix to check event length before using Check the event length before adding it for accessing next index in rbreaddatabuffer. Since this function is used for validating possibly broken ring buffers, the lengt...

SUSE CVE-2026-43213

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate sequence number of TX release report Hardware rarely reports abnormal sequence number in TX release report, which will access out-of-bounds of wdring-pages array, causing NULL pointer dereference. BUG:...

SUSE CVE-2026-43216

In the Linux kernel, the following vulnerability has been resolved: net: Drop the lock in skbmaytxtimestamp skbmaytxtimestamp may acquire sock::skcallbacklock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and comple...

SUSE CVE-2026-43217

In the Linux kernel, the following vulnerability has been resolved: media: iris: gen2: Add sanity check for session stop In iriskillsession, inst-state is set to IRISINSTERROR and sessionclose is executed, which will kfreeinsthfigen2-packet. If stopstreaming is called afterward, it will cause a...