{"schema_version":"1.7.2","id":"OESA-2026-2314","modified":"2026-05-15T14:01:29Z","published":"2026-05-15T14:01:29Z","upstream":["CVE-2026-31436","CVE-2026-31486","CVE-2026-31504","CVE-2026-31515","CVE-2026-31575","CVE-2026-31624","CVE-2026-31625","CVE-2026-31673","CVE-2026-31674","CVE-2026-31682","CVE-2026-43013","CVE-2026-43017","CVE-2026-43018","CVE-2026-43019","CVE-2026-43214","CVE-2026-43265","CVE-2026-43284","CVE-2026-43313","CVE-2026-43363","CVE-2026-43420","CVE-2026-43429"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()\n\nAt the end of this function, d is the traversal cursor of flist, but the\ncode completes found instead. This can lead to issues such as NULL pointer\ndereferences, double completion, or descriptor leaks.\n\nFix this by completing d instead of found in the final\nlist_for_each_entry_safe() loop.(CVE-2026-31436)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus/core) Protect regulator operations with mutex\n\nThe regulator operations pmbus_regulator_get_voltage(),\npmbus_regulator_set_voltage(), and pmbus_regulator_list_voltage()\naccess PMBus registers and shared data but were not protected by\nthe update_lock mutex. This could lead to race conditions.\n\nHowever, adding mutex protection directly to these functions causes\na deadlock because pmbus_regulator_notify() (which calls\nregulator_notifier_call_chain()) is often called with the mutex\nalready held (e.g., from pmbus_fault_handler()). If a regulator\ncallback then calls one of the now-protected voltage functions,\nit will attempt to acquire the same mutex.\n\nRework pmbus_regulator_notify() to utilize a worker function to\nsend notifications outside of the mutex protection. Events are\nstored as atomics in a per-page bitmask and processed by the worker.\n\nInitialize the worker and its associated data during regulator\nregistration, and ensure it is cancelled on device removal using\ndevm_add_action_or_reset().\n\nWhile at it, remove the unnecessary include of linux/of.h.(CVE-2026-31486)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.(CVE-2026-31504)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\naf_key: validate families in pfkey_send_migrate()\n\nsyzbot was able to trigger a crash in skb_put() [1]\n\nIssue is that pfkey_send_migrate() does not check old/new families,\nand that set_ipsecrequest() @family argument was truncated,\nthus possibly overfilling the skb.\n\nValidate families early, do not wait set_ipsecrequest().\n\n[1]\n\nskbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL>\n kernel BUG at net/core/skbuff.c:214 !\nCall Trace:\n <TASK>\n  skb_over_panic net/core/skbuff.c:219 [inline]\n  skb_put+0x159/0x210 net/core/skbuff.c:2655\n  skb_put_zero include/linux/skbuff.h:2788 [inline]\n  set_ipsecrequest net/key/af_key.c:3532 [inline]\n  pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636\n  km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848\n  xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705\n  xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150(CVE-2026-31515)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: fix hugetlb fault mutex hash calculation\n\nIn mfill_atomic_hugetlb(), linear_page_index() is used to calculate the\npage index for hugetlb_fault_mutex_hash().  However, linear_page_index()\nreturns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash()\nexpects the index in huge page units.  This mismatch means that different\naddresses within the same huge page can produce different hash values,\nleading to the use of different mutexes for the same huge page.  This can\ncause races between faulting threads, which can corrupt the reservation\nmap and trigger the BUG_ON in resv_map_release().\n\nFix this by introducing hugetlb_linear_page_index(), which returns the\npage index in huge page granularity, and using it in place of\nlinear_page_index().(CVE-2026-31575)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: clamp report_size in s32ton() to avoid undefined shift\n\ns32ton() shifts by n-1 where n is the field's report_size, a value that\ncomes directly from a HID device.  The HID parser bounds report_size\nonly to <= 256, so a broken HID device can supply a report descriptor\nwith a wide field that triggers shift exponents up to 256 on a 32-bit\ntype when an output report is built via hid_output_field() or\nhid_set_field().\n\nCommit ec61b41918587 ("HID: core: fix shift-out-of-bounds in\nhid_report_raw_event") added the same n > 32 clamp to the function\nsnto32(), but s32ton() was never given the same fix as I guess syzbot\nhadn't figured out how to fuzz a device the same way.\n\nFix this up by just clamping the max value of n, just like snto32()\ndoes.(CVE-2026-31624)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nHID: alps: fix NULL pointer dereference in alps_raw_event()\n\nCommit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event\ncallbacks missing them") attempted to fix up the HID drivers that had\nmissed the previous fix that was done in 2ff5baa9b527 ("HID: appleir:\nFix potential NULL dereference at raw event handle"), but the alps\ndriver was missed.\n\nFix this up by properly checking in the hid-alps driver that it had been\nclaimed correctly before attempting to process the raw event.(CVE-2026-31625)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: read UNIX_DIAG_VFS data under unix_state_lock\n\nExact UNIX diag lookups hold a reference to the socket, but not to\nu->path. Meanwhile, unix_release_sock() clears u->path under\nunix_state_lock() and drops the path reference after unlocking.\n\nRead the inode and device numbers for UNIX_DIAG_VFS while holding\nunix_state_lock(), then emit the netlink attribute after dropping the\nlock.\n\nThis keeps the VFS data stable while the reply is being built.(CVE-2026-31673)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value.(CVE-2026-31674)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header.(CVE-2026-31682)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: lag: Check for LAG device before creating debugfs\n\n__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error\noccurs that is handled gracefully. Consequently, the initialization\nflow proceeds to call mlx5_ldev_add_debugfs() even when there is no\nvalid LAG context.\n\nmlx5_ldev_add_debugfs() blindly created the debugfs directory and\nattributes. This exposed interfaces (like the members file) that rely on\na valid ldev pointer, leading to potential NULL pointer dereferences if\naccessed when ldev is NULL.\n\nAdd a check to verify that mlx5_lag_dev(dev) returns a valid pointer\nbefore attempting to create the debugfs entries.(CVE-2026-43013)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate mesh send advertising payload length\n\nmesh_send() currently bounds MGMT_OP_MESH_SEND by total command\nlength, but it never verifies that the bytes supplied for the\nflexible adv_data[] array actually match the embedded adv_data_len\nfield. MGMT_MESH_SEND_SIZE only covers the fixed header, so a\ntruncated command can still pass the existing 20..50 byte range\ncheck and later drive the async mesh send path past the end of the\nqueued command buffer.\n\nKeep rejecting zero-length and oversized advertising payloads, but\nvalidate adv_data_len explicitly and require the command length to\nexactly match the flexible array size before queueing the request.(CVE-2026-43017)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_le_remote_conn_param_req_evt, otherwise it's possible it is freed\nconcurrently.\n\nExtend the hci_dev_lock critical section to cover all conn usage.(CVE-2026-43018)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: fix potential UAF in set_cig_params_sync\n\nhci_conn lookup and field access must be covered by hdev lock in\nset_cig_params_sync, otherwise it's possible it is freed concurrently.\n\nTake hdev lock to prevent hci_conn from being deleted or modified\nconcurrently.  Just RCU lock is not suitable here, as we also want to\navoid "tearing" in the configuration.(CVE-2026-43019)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()\n\nAdd SRCU read-side protection when reading PDPTR registers in\n__get_sregs2().\n\nReading PDPTRs may trigger access to guest memory:\nkvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() ->\nkvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot()\n\nkvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(),\nwhich uses srcu_dereference_check() and requires either kvm->srcu or\nkvm->slots_lock to be held. Currently only vcpu->mutex is held,\ntriggering lockdep warning:\n\n=============================\nWARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot\n6.12.59+ #3 Not tainted\n\ninclude/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n1 lock held by syz.5.1717/15100:\n #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590\n\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120\n lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824\n __kvm_memslots include/linux/kvm_host.h:1062 [inline]\n __kvm_memslots include/linux/kvm_host.h:1059 [inline]\n kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline]\n kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617\n kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302\n load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065\n svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688\n kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline]\n __get_sregs2 arch/x86/kvm/x86.c:11784 [inline]\n kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279\n kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2026-43214)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()\n\nIgnore -EBUSY when checking nested events after exiting a blocking state\nwhile L2 is active, as exiting to userspace will generate a spurious\nuserspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's\ndemise.  Continuing with the wakeup isn't perfect either, as *something*\nhas gone sideways if a vCPU is awakened in L2 with an injected event (or\nworse, a nested run pending), but continuing on gives the VM a decent\nchance of surviving without any major side effects.\n\nAs explained in the Fixes commits, it _should_ be impossible for a vCPU to\nbe put into a blocking state with an already-injected event (exception,\nIRQ, or NMI).  Unfortunately, userspace can stuff MP_STATE and/or injected\nevents, and thus put the vCPU into what should be an impossible state.\n\nDon't bother trying to preserve the WARN, e.g. with an anti-syzkaller\nKconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be\nviolating x86 architecture, e.g. by WARNing if KVM attempts to inject an\nexception or interrupt while the vCPU isn't running.(CVE-2026-43265)\n\nIn the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSG_SPLICE_PAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFL_SHARED_FRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed.(CVE-2026-43284)\n\nA NULL-pointer dereference vulnerability exists in the ACPI processor driver of the Linux kernel. In the acpi_processor_errata_piix4() function, the pointer dev is first assigned an IDE device and then reassigned an ISA device. If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when dev_dbg() is called. The fix is to use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value.(CVE-2026-43313)\n\nIn the Linux kernel x86 APIC (Advanced Programmable Interrupt Controller) subsystem, when the system resumes from suspend (s2ram/suspend-to-RAM) state, if the kernel expects to disable x2APIC mode at startup, but the BIOS/firmware re-enables x2APIC during the recovery process, the kernel and hardware status will be inconsistent. This status mismatch may cause interrupt handling exceptions, system instability, or denial of service. The vulnerability belongs to CWE-372 (Internal State Corruption).(CVE-2026-43363)\n\nIn the Linux kernel, there is a race condition vulnerability in the Ceph filesystem. During async unlink, the `i_nlink` counter is dropped before receiving the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one:\n\nWARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68\nModules linked in:\nCPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655\nHardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023\n\nIn ceph_unlink(), a call to ceph_mdsc_submit_request() submits the CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion. Meanwhile, between this call and the following drop_nlink() call, a worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own completion). These will lead to a set_nlink() call, updating the `i_nlink` counter to the value received from the MDS. If that new `i_nlink` value happens to be zero, it is illegal to decrement it further. But that is exactly what ceph_unlink() will do then.\n\nThe root cause of this vulnerability is updating the `i_nlink` counter without proper lock protection, creating a TOCTOU (Time-of-Check Time-of-Use) race condition. Since ceph_fill_inode() and handle_cap_grant() both hold the `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this seems like the proper lock to protect the `i_nlink` updates.(CVE-2026-43420)\n\nIn the Linux kernel, there is a security vulnerability in the USB Test and Measurement Class driver (usbtmc). The driver accepts timeout values specified by the user via an ioctl command and uses these timeouts for usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, this may cause kernel threads to hang indefinitely.(CVE-2026-43429)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.0-145.0.10.141.oe2403sp3"}]}],"ecosystem_specific":{"aarch64":["bpftool-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","bpftool-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-debugsource-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-devel-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-extra-modules-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-headers-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-source-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-tools-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-tools-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","kernel-tools-devel-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","perf-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","perf-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","python3-perf-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm","python3-perf-debuginfo-6.6.0-145.0.10.141.oe2403sp3.aarch64.rpm"],"src":["kernel-6.6.0-145.0.10.141.oe2403sp3.src.rpm"],"x86_64":["bpftool-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","bpftool-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-debugsource-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-devel-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-extra-modules-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-headers-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-source-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-tools-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-tools-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","kernel-tools-devel-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","perf-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","perf-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","python3-perf-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm","python3-perf-debuginfo-6.6.0-145.0.10.141.oe2403sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2314"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31436"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31486"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31504"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31515"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31575"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31624"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31625"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31673"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31674"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31682"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43013"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43017"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43018"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43019"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43214"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43265"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43284"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43313"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43363"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43420"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43429"}],"database_specific":{"severity":"Critical"}}