netfilter: flowtable: initialise extack before use

netpoll: Fix race condition in netpoll_owner_active

af_unix: Fix garbage collector racing against connect()

xfs: don't walk off the end of a directory data block

xfs: add bounds checking to xlog_recover_process_data

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

ipv6: prevent possible NULL dereference in rt6_probe()

ext4: fold quota accounting into ext4_xattr_inode_lookup_create()

ext4: do not create EA inode under buffer lock

ext4: turn quotas off if mount failed after enabling quotas

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

wifi: mt76: mt7921s: fix potential hung tasks during chip recovery

tty: Fix out-of-bound vmalloc access in imageblit

tcp: add sanity checks to rx zerocopy

mptcp: fix data re-injection from stale subflow

scsi: core: Fix unremoved procfs host directory regression

mac802154: fix llsec key resources release in mac802154_llsec_key_del

mac802154: fix llsec key resources release in mac802154_llsec_key_del

net/sched: taprio: extend minimum interval restriction to entire cycle too

xfs: fix log recovery buffer allocation for the

netfilter: nft_inner: validate mandatory meta and payload

netfilter: nft_inner: validate mandatory meta and payload

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

mptcp: ensure snd_una is properly initialized on connect

kpatch add alt asm definitions

x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

x86/bugs: x86/bhi: Add support for clearing branch history at syscall entry

PCI: Avoid potential out-of-bounds read in pci_dev_for_each_resource()

ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work

string.h: add array-wrappers for (v)memdup_user()

i2c: dev: copy userspace array safely

io_uring: clear opcode specific data for an early failure

media: uvcvideo: Fix OOB read

PCI: Avoid potential out-of-bounds read in pci_dev_for_each_resource()

function can sleep with no time out

maple_tree: fix mas_empty_area_rev() null pointer dereference

ipv4: Fix uninit-value access in __ip_make_skb()

ipv6: prevent NULL dereference in ip6_output()

block: fix overflow in blk_ioctl_discard()

nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().

ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()

netfs, fscache: Prevent Oops in fscache_put_cache()

ext4: regenerate buddy after block freeing failed if under fc replay

hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

vhost: use kzalloc() instead of kmalloc() followed by memset()

net: openvswitch: limit the number of recursions from action sets

ubi: Check for too small LEB size in VTBL code

bpf: Fix re-attachment branch in bpf_tracing_prog_attach

x86/fpu: Stop relying on userspace for info to fault in xsave buffer

tcp: make sure init the accept_queue's spinlocks once

ipv6: init the accept_queue's spinlocks in inet6_create

media: cec: core: avoid recursive cec_claim_log_addrs kpatch

media: cec: core: avoid recursive cec_claim_log_addrs kpatch

i2c: Fix a potential use after free

of: fdt: fix off-by-one error in unflatten_dt_nodes()

media: pvrusb2: fix use after free on context disconnection

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

Kernel versions older than 5.14.0-503.11.1.el9_5 are not affected

EDAC/thunderx: Fix possible out-of-bounds string access

net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()

md/raid5: fix atomicity violation in raid5_cache_count

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

RDMA/mlx5: Fix fortify source warning while accessing Eth segment

hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

stm class: Fix a double free in stm_register_device()

net/mlx5: Discard command completions in internal error

USB: core: Fix deadlock in usb_deauthorize_interface()

Out of scope: not affected

drm/amdgpu/mes: fix use-after-free issue

usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps

USB: core: Fix deadlock in port "disable" sysfs attribute

USB: core: Fix deadlock in port "disable" sysfs attribute

USB: core: Fix deadlock in port "disable" sysfs attribute

net/mlx5: Always stop health timer during driver removal

firmware: cs_dsp: Fix overflow checking of wmfw header

firmware: cs_dsp: Fix overflow checking of wmfw header (adaptation)

filelock: fix potential use-after-free in posix_lock_inode

drm/i915/gt: Fix potential UAF by revoke of fence registers

scsi: mpi3mr: Sanitise num_phys

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

net/iucv: fix use after free in iucv_sock_close()

dev/parport: fix the array out-of-bounds risk

wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope: not affected

net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check

net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check kpatch

minmax: add umin(a, b) and umax(a, b)

swiotlb: Fix double-allocation of slots due to broken alignment handling

octeontx2-af: fix the double free in rvu_npc_freemem()

ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()

drm/amdgpu: add error handle to avoid out-of-bounds

drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()

drm/drm_file: Fix pid refcounting race

Out of scope: not affected

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

include/linux/generic-radix-tree.h: replace kernel.h with the necessary inclusions

lib/generic-radix-tree.c: Don't overflow in peek()

can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()

can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()

can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()

can: isotp: fix error path in isotp_sendmsg() to unlock wait queue

usbnet: sanity check for maxpacket

nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells

arm64/sme: Always exit sme_alloc() early with existing

hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations

asix: fix uninit-value in asix_mdio_read()

netfilter: nft_set_pipapo: do not free live element

ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()

atl1c: Work around the DMA RX overflow issue

atl1c: Work around the DMA RX overflow issue

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

Bluetooth: btrtl: fix out of bounds memory access

Bluetooth: btrtl: fix out of bounds memory access

CVE patch is for AMD Inception vulnerability related to Speculative Return Stack Overflow (SRSO)

Input: powermate - fix use-after-free in powermate_config_complete

Bluetooth: Fix TOCTOU in HCI debugfs implementation

xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING

mlxsw: spectrum_acl_tcam: Fix memory leak during rehash

filelock: Remove locks reliably when fcntl/close race is detected

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

mm/swap: fix race when skipping swapcache

cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window

drm/amd/display: fixed integer types and null check locations

ext4: avoid allocating blocks from corrupted group

ext4: avoid dividing by 0 in mb_update_avg_fragment_size()

mptcp: fix double-free on socket dismantle

iommufd: Fix protection fault in iommufd_test_syz_conv_iova

iommufd: Fix iopt_access_list_id overwrite bug

net: veth: clear GRO when clearing XDP even when down MIME-Version: 1.0

Out of scope: boot time issue

bpf: Guard stack limits against 32bit overflow

of: Fix double free in of_parse_phandle_with_args_map

ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()

ALSA: scarlett2: Add missing error checks to *_ctl_get()

x86/mm: Ensure input to pfn_to_kaddr() is treated as a 64-bit type

net: atlantic: eliminate double free in error handling logic

drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node

ASoC: SOF: amd: Fix memory leak in amd_sof_acp_probe()

drm/tegra: rgb: Fix some error handling paths in tegra_dc_rgb_probe()

drm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe()

Do not support powerpc build with kasan sanitizer 4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0

RDMA/qedr: Fix qedr_create_user_qp error flow

HID: i2c-hid-of: fix NULL-deref on failed power up

HID: i2c-hid-of: fix NULL-deref on failed power up

RDMA/srpt: Support specifying the srpt_service_guid

arp: Prevent overflow in arp_req_get().

md: Don't ignore suspended array in md_check_recovery()

net/sched: act_mirred: use the backlog for mirred ingress

md: Don't ignore read-only array in md_check_recovery()

vt_ioctl: fix array_index_nospec in vt_setactivate

thermal: core: Fix NULL pointer dereference in zone registration error path

ring-buffer: Do not attempt to read past "commit"

thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR

bpf: fix check for attempt to corrupt spilled pointer

mfd: syscon: Fix null pointer dereference in of_syscon_register()

Out of scope: not affected

platform/x86: think-lmi: Fix reference leak

drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()

virtio-blk: fix implicit overflow on virtio_max_dma_size

bonding: stop the device in bond_setup_by_slave()

smb: client: fix use-after-free in smb2_query_info_compound()

i2c: core: Run atomic i2c xfer when !preemptible

i2c: core: Fix atomic xfer check for non-preempt config

Bug doesn't hit as enum values are just shifted numbers

crypto: pcrypt - Fix hungtask for PADATA_RESET

scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool

net/smc: avoid data corruption caused by decline

cpu/hotplug: Prevent self deadlock on CPU hot-unplug

cpu/hotplug: Don't offline the last non-isolated CPU

Bluetooth: btusb: Add date->evt_skb is NULL check

Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

perf: hisi: Fix use-after-free when register pmu fails

pstore/platform: Add check for kstrdup

can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds

nommu: kernel is not vulnerable. Commit 8220543("nommu: remove uses of VMA linked list") is absent

cachefiles: fix memory leak in cachefiles_add_cache()

geneve: make sure to pull inner header in geneve_rx()

hsr: Fix uninit-value access in hsr_get_node()

NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102

quota: Fix potential NULL pointer dereference

Bluetooth: hci_core: Fix possible buffer overflow

Current kernel is not vulnerable.

do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak

x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot

x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

drm/amdgpu: Reset IH OVERFLOW_CLEAR bit

tracing/trigger: Fix to return error if failed to alloc snapshot

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

drm/i915/gt: Reset queue_priority_hint on parking

drm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()

drm/i915/vma: Fix UAF on destroy against retire race

drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed

wireguard: netlink: access device through ctx instead of peer

wireguard: netlink: check for dangling peer via is_dead instead of empty list

net: esp: fix bad handling of pages from page_pool

nbd: fix uaf in nbd_open

nbd: fix uaf in nbd_open

Kernel is not vulnerable: commit f2d5dcb4 is absent.

wifi: rtw89: fix null pointer access when abort scan

wifi: rtw89: fix null pointer access when abort scan

dyndbg: fix old BUG_ON in >control parser

drm/client: Fully protect modes[] with dev->mode_config.mutex

net/mlx5e: Fix mlx5e_priv_init() cleanup flow

geneve: fix header validation in geneve[6]_xmit_skb

geneve: Fix incorrect inner network header offset when innerprotoinherit is set

bareudp: Pull inner IP header on xmit

vxlan: Pull inner IP header in vxlan_xmit_one()

keys: Fix overwrite of key expiration on instantiation

USB: core: Fix access violation during port device removal

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash

Not a bug for a real-life RHEL9 setup

EFI Firmware: CVE patch is for EFI firmware which runs at boot time.

Kernel is not affected

Kernel is not affected

CVE patch is for powerpc arch only

tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

ASoC: SOF: Add some bounds checking to firmware data

tcp_metrics: validate source addr length

net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()

inet: read sk->sk_family once in inet_recv_error()

Boot time issue

KVM: arm64: Fix circular locking dependency

net: atlantic: Fix DMA mapping for PTP hwts ring

fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand()

fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats

ext4: fix double-free of blocks due to wrong

drm/amd/display: Fix MST Null Ptr for RV

ppp_async: limit MRU to 64K

smb: client: fix potential deadlock when releasing mids

drm/amdkfd: Fix lock dependency warning with srcu

Warning fix doesn't worth live-patching

Boot time fix cannot be fixed with live-patching

The patch for this CVE fixing vulnerability which was introduced in kernel v6.7

PM / devfreq: Synchronize devfreq_monitor_[start/stop]

drm/vmwgfx: Unmap the surface before resetting it on a plane state state

drm/vkms: Avoid reading beyond LUT array

drm/tegra: dsi: Add missing check for of_find_device_by_node

Complex adaptation required. x86 and amd64 architectures are not affected. Issues triggers while dumping after another crash.

fbdev: Fix invalid page access after closing deferred I/O devices

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for powerpc arch only

mmc: sdio: fix possible resource leaks in some error paths

net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path

ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx->headset_codec_dev = NULL

calipso: fix memory leak in netlbl_calipso_add_pass()

ALSA: scarlett2: Add missing mutex lock around get meter levels

nfs: fix UAF in direct writes

nfs: fix UAF in direct writes

mm: swap: fix race between free_swap_and_cache() and swapoff()

usb: xhci: Add error handling in xhci_map_urb_for_dma

fat: fix uninitialized field in nostale filehandles

powercap: intel_rapl: Fix a NULL pointer dereference

nouveau: fix instmem race condition around ptr stores

mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled

Out of scope as the patch is for vmlinux init sections which are discarded after the boot

arm64: hibernate: Fix level3 translation fault in swsusp_save()

nbd: null check for nla_nest_start

Fix commit isn't present

pstore: inode: Only d_invalidate() is needed

clk: Fix clk_core_get NULL dereference

drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'

wifi: brcm80211: handle pmk_op allocation failure

ASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend

net: openvswitch: Fix Use-After-Free in ovs_ct_exit

Complex adaptation required. Network services prevents update because they can sleep in subflow_finish_connect() function.

wifi: nl80211: reject iftype change with mesh ID change

rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back

md/md-bitmap: fix incorrect usage for sb_index

drm/amdgpu: fix deadlock while reading mqd from debugfs

cpumap: Zero-initialise xdp_rxq_info struct before running

ALSA: usb-audio: Stop parsing channels bits when all channels

genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

KVM: Always flush async #PF workqueue when vCPU is being destroyed

KVM: Always flush async #PF workqueue when vCPU is being destroyed

Kernel is not affected

Bug triggers in kdump kernel which we don't patch

ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()

drm/amdgpu: fix use-after-free bug

drm/amd/display: Implement bounds check for stream encoder creation in DCN301

drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'

drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'

tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()

net/sched: flower: Fix chain template offload kpatch

Out of scope: not affected

KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status

tun: limit printing rate when illegal packet received by tun dev

netfilter: flowtable: incorrect pppoe tuple

x86/mm/pat: fix VM_PAT handling in COW mappings

smb: client: fix potential UAF in smb2_is_valid_lease_break()

smb: client: fix potential UAF in cifs_dump_full_key()

smb: client: fix potential UAF in smb2_is_valid_oplock_break()

smb: client: fix potential UAF in cifs_stats_proc_show()

of: module: prevent NULL pointer dereference in vsnprintf()

mm/secretmem: fix GUP-fast succeeding on secretmem folios

x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()

ipv6: Fix infinite recursion in fib6_dump_done().

erspan: make sure erspan_base_hdr is present in skb->head

net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()

mptcp: prevent BPF accessing lowat from a subflow socket.

netfilter: nf_tables: reject new basechain after table flag update

bpf: Fix verification of indirect var-off stack access

bpf: Protect against int overflow for stack access size

tls: get psock ref after taking rxlock to avoid leak

wifi: iwlwifi: mvm: rfi: fix potential response leaks

wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF

It is not possible to fix this vulnerability using kernel livepatching because it lies below the system call level.

Existing kernels aren't affected

Existing kernels aren't affected

soundwire: cadence: fix invalid PDI offset

ALSA: timer: Set lower bound of start tick time

af_unix: Fix data races around sk->sk_shutdown.

af_unix: Fix data races around sk->sk_shutdown.

af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg

ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()

ALSA: Fix deadlocks with kctl removals at disconnection

dmaengine: idxd: Avoid unnecessary destruction of file_ida

ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup

md: fix resync softlockup when bitmap size is less than array size

scsi: qedf: Make qedf_execute_tmf() non-preemptible

drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes

ftruncate: pass a signed offset

pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (Adaptation)

kernel version 5.14 not affected

kernel version 5.14 not affected

kernel version 5.14 not affected

bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX

netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

clk: Get runtime PM before walking tree during disable_unused

clk: Get runtime PM before walking tree during disable_unused

mptcp: really cope with fastopen race

Get runtime PM before walking tree for clk_summaryatch-description:

nouveau: lock the client object tree

nouveau: lock the client object tree

Affects only __init function for a built-in component, so patching will have no effect

None of the kernels is affected

net/mlx5e: fix a double-free in arfs_create_groups

mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update

wifi: mac80211: fix potential sta-link leak

irqchip/gic-v3-its: Prevent double free on error

io_uring: Fix release of pinned pages when __io_uaddr_map fails

smb: client: fix potential UAF in cifs_debug_files_proc_show()

smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()

smb: client: fix potential UAF in smb2_is_network_name_deleted()

smb: client: fix potential UAF in is_valid_oplock_break()

net: bridge: switchdev: Skip MDB replays of deferred events on offload

Out of scope as the patch is for i.MX SoC

wifi: mt76: mt7921e: fix use-after-free in free_irq()

mm/memory-failure: fix handling of dissolved but not taken off from buddy pages

ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension

mm/vmalloc: fix vmalloc which may return null if called with

Out of scope: ARM64 architecture issue

drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

Kernel is not affected.

vmci: prevent speculation leaks by sanitizing event in event_deliver()

Existing kernels aren't affected

serial: imx: Introduce timeout when waiting on transmitter empty

iommu: Return right value in iommu_sva_bind_device()

net/mlx5: Fix tainted pointer delete is case of flow rules creation fail

drm/radeon: fix UBSAN warning in kv_dpm.c

mm/page_table_check: fix crash on ZONE_DEVICE

cpufreq: amd-pstate: fix memory leak on CPU EPP exit

cpufreq: amd-pstate: fix memory leak on CPU EPP exit

ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance

nfs: handle error of rpc_proc_register() in init_nfs_fs()

[PATCH] pinctrl: core: delete incorrect free in pinctrl_enable()

Kernel is not affected

net/smc: fix neighbour and rtable leak in smc_ib_find_route()

Thermal debugfs isn't present on redhat kernels.

[PATCH 1/1] drm/vmwgfx: Fix invalid reads in fence signaled events

Thermal debugfs isn't present on redhat kernels.

[PATCH] KEYS: trusted: Fix memory leak in tpm2_key_encode()

[PATCH] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP

usb: dwc3: Wait unconditionally after issuing EndXfer command

Intoduced in the same kernel version with the fix

Complex adaptation required

Intoduced in the same kernel version with the fix

net: hns3: fix kernel crash problem in concurrent scenario

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory

bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()

io_uring/rsrc: don't lock while !TASK_RUNNING

vmxnet3: disable rx data ring on dma allocation failure

Complex adaptation required, low score patch for non critical subsystem amdgpu

filelock: Fix fcntl/close race recovery compat path

Kernel not vulnerable: blamed commit is absent

firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers

netfilter: nf_tables: prefer nft_chain_validate

firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files

drm/radeon: check bo_va->bo is non-NULL before using it

Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

RDMA/irdma: Fix KASAN issue with tasklet

nvme-fc: do not wait in vain when unloading module

nvme-fc: do not wait in vain when unloading module

RDMA/srpt: Do not register event handler until srpt device is fully setup

drm/amdgpu: validate the parameters of bo mapping operations more clearly

vfio/pci: Disable auto-enable of exclusive INTx IRQ

wireguard: receive: annotate data-race around receiving_counter.counter

drivers: core: synchronize really_probe() and dev_uevent()

KVM: x86/pmu: Disable support for adaptive PEBS

KVM: x86/pmu: Disable support for adaptive PEBS

[PATCH 1/1] leds: trigger: Unregister sysfs attributes before calling

dma: fix call order in dmam_free_coherent

Affects only the s390 architecture.

net/mlx5: Always drain health in shutdown callback

wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()

[PATCH 5063/5129] mm/memcg: minor cleanup for MEM_CGROUP_ID_MAX

[PATCH] memcg: protect concurrent access to mem_cgroup_idr

wifi: mac80211: fix NULL dereference at band check in starting tx ba session

fuse: Initialize beyond-EOF page contents before setting uptodate

complex adaptation required for el9-arm64, el9-x86 not affected

spi: Fix null dereference on suspend

spi: Fix null dereference on suspend

tty: add the option to have a tty reject a new ldisc

tty: add the option to have a tty reject a new ldisc

Affected p2sb driver is not present in kernel v5.14.0

Bluetooth: ISO: Check socket flag instead of hcon

firmware: cs_dsp: Return error if block header overflows file

firmware: cs_dsp: Validate payload length before processing block

Revert "sched/fair: Make sure to try to detach at least one movable task"

Out of scope: 64-bit systems not affected.

net/mlx5: Fix missing lock on sync reset reload

nvme-pci: add missing condition check for existence of mapped data

netfilter: nf_tables: restore set elements when delete set fails

mlxsw: spectrum_acl_tcam: Fix incorrect list API usage

mm: use memalloc_nofs_save() in page_cache_ra_order()

ppdev: Add an error check in register_device

iommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault()

mm/userfaultfd: reset ptes when close() for wr-protected ones

ACPI: CPPC: Use access_width over bit_width for system memory accesses

drm/vmwgfx: Fix the lifetime of the bo cursor memory

dm snapshot: fix lockup in dm_exception_table_exit

ext4: fix corruption during on-line resize

md: export helpers to stop sync_thread

md/dm-raid: don't call md_reap_sync_thread() directly

PCI/PM: Drain runtime-idle callbacks before driver removal

Patch for this CVE has been reverted. Hence skipped

drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag

usb: udc: remove warning when queue disabled ep

misc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume

s390 arch not supported.

Existing kernels aren't affected

Already fixed in the existing el9 kernels.

tusb: gadget: core: Check for unset descriptor

packet: annotate data-races around ignore_outgoing

x86/mm: Fix pti_clone_pgtable() alignment assumption

netfilter: nf_tables: set dormant flag on hook register failure

net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

hwrng: core - Fix page fault dead lock on mmap-ed hwrng

bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers

iio: core: fix memleak in iio_device_register_sysfs

nbd: Low-score CVE. Patched function is called from a kthread and sleeps, which may prevent patching/unpatching.

tracing: Ensure visibility when inserting an element into tracing_map

Affects only boot __init stage, already booted kernels are not affected

Kernel not vulnerable.

netfilter: nf_tables: fix memleak in map from abort path

commit that introduces CVE is not present

older kernels do not have support for DisplayCoreNext 3.5

older kernels do not have support for DisplayCoreNext 3.5

usb: typec: ucsi: Limit read size on v1.2

block: prevent division by zero in blk_rq_stat_sum()

drm: Check output polling initialized before disabling

The patch was later reverted in eb4f139888f6

scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()

wifi:ath11k, low score CVE that needs complex adaptation but decreasing MHI Bus' buf-len isn't a typical security fix.

dma-direct: Leak pages on dma_set_decrypted() failure

VMCI: Use struct_size() in kmalloc()

VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()

None of the existing kernels is affected

Low-score CVE which might introduce problems in net subsystem

io_uring/sqpoll: work around a potential audit memory leak

Complex adaptation required, not worth the effort for 4.4 score CVE

CVE patch is for powerpc arch only

None of our RHEL9 kernels are affected by the bug

nvmet: always initialize cqe.result

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes

null_blk: fix validation of block size

cxl/mem: Fix no cxl_nvd during pmem region auto-assembling

nvme-fabrics: use reserved tag for reg read/write command

drm/fbdev-dma: Only set smem_start is enable per module option

drm/amdgpu: avoid using null object of framebuffer

Patch introduced regression and was reverted later.

tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc

usb: hub: Guard against accesses to uninitialized BOS descriptors

dmaengine: fix NULL pointer in channel unregistration function

PM: sleep: Fix possible deadlocks in core system-wide PM code

PM: sleep: Fix possible deadlocks in core system-wide PM code

PM: sleep: Fix possible deadlocks in core system-wide PM code

RDMA/siw: Fix connection failure handling

net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg

wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()

wifi: rt2x00: restart beacon queue when hardware reset

PM / devfreq: Fix buffer overflow in trans_stat_show

io_uring/net: fix overflow check in io_recvmsg_mshot_prep()

net/sched: Fix mirred deadlock on device recursion

net/sched: Fix mirred deadlock on device recursion

net/mlx5e: Prevent deadlock while disabling aRFS

net/mlx5e: Prevent deadlock while disabling aRFS

drm/amdgpu : Add hive ras recovery check

drm/amdgpu : Add hive ras recovery check

drm/amdgpu: Skip do PCI error slot reset during RAS recovery

netfilter: nft_set_pipapo: walk over current view on netlink dump

nf_tables: missing iterator type in lookup walk

Out of scope: not affected

io_uring/io-wq: Use set_bit() and test_bit() at worker->flags

drm/i915/dpt: Make DPT object unshrinkable

raid1: fix use-after-free for original bio in raid1_write_request()

ext4: avoid online resizing failures due to oversized flex bg

ext4: avoid online resizing failures due to oversized flex bg

io_uring/unix: drop usage of io_uring socket

io_uring/unix: drop usage of io_uring socket

io_uring: drop any code related to SCM_RIGHTS

io_uring: drop any code related to SCM_RIGHTS

igb: Fix string truncation warnings in igb_set_fw_version

A complex adaptation is needed which is not possible to implement safely. Only Android OS is affected. Low score CVE.

Complex adaptation required.

drm/amdgpu: Init zone device and drm client after mode-1 reset on reload

Existing kernels aren't affected

This CVE has been rejected upstream

[PATCH] iommu/vt-d: Use device rbtree in iopf reporting path

can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)

can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) (kpatch)

The patch for CVE-2025-37747 reverts the patch for this CVE.

The patch for CVE-2025-37747 reverts the patch for this CVE.

Out of scope - affects 'smartphones' SoCs based on Cortex-A510 and Cortex-A520

Affects only boot __init stage, already booted kernels are not affected

dmaengine: idxd: Convert spinlock to mutex to lock evl workqueue

mm/khugepaged: fix ->anon_vma race

mm/swapfile: add cond_resched() in get_swap_pages()

mmc: core: use sysfs_emit() instead of sprintf()

Out of scope: not affected

x86/MCE/AMD: Fix memory leak when threshold_create_bank() fails

s390: arch is not supported

Out of scope: not affected

nouveau: offload fence uevents work to workqueue

nouveau: offload fence uevents work to workqueue

net: nexthop: Initialize all fields in dumped nexthops

mptcp: pm: Fix uaf in __timer_delete_sync

bpf: Fix overrunning reservations in ringbuf

bpf: Fix overrunning reservations in ringbuf

USB: serial: mos7840: fix crash on resume

USB: serial: mos7840: fix crash on resume

cxl/port: Fix use-after-free, permit out-of-order decoder shutdown

netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

net/smc: fix illegal rmb_desc access in SMC-D connection dump

block: initialize integrity buffer to zero before writing it to media

selinux,smack: don't bypass permissions check in inode_setsecctx hook

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE

bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()

arm64: probes: Remove broken LDR (literal) uprobe support

bpf: Fix out-of-bounds write in trie_get_next_key()

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

xfrm: fix one more kernel-infoleak in algo dumping

xfrm: validate new SA's prefixlen using SA family when sel.family is unset

Bluetooth: bnep: fix wild-memory-access in proto_unregister

Bluetooth subsystem. Patched function may wait for a while, which may prevent patching/unpatching.

Bluetooth: SCO: Fix UAF on sco_sock_timeout

Bluetooth: ISO: Fix UAF on iso_sock_timeout

bpf: Fix a sdiv overflow issue

arm64: Low-score CVE requiring adaptation that is hard to implement; targets very rare hardware

RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages

mptcp: cope racing subflow creation in mptcp_rcv_space_adjust

mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address

perf/aux: Fix AUX buffer serialization

perf/aux: Fix AUX buffer serialization (Adaptation)

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink()

Discard stale CPU state when handling SVE traps

i40e: fix i40e_count_filters() to count only active/new filters

fix race condition by adding filter's intermediate sync state

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

mm: fix NULL pointer dereference in alloc_pages_bulk_noprof

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

can: bcm: Fix UAF in bcm_proc_show()

CVE Rejected

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

HID: core: zero-initialize the report buffer

Out of scope: ARM64 architecture isn't supported for current kernel

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

kobject_uevent: Fix OOB access within zap_modalias_env()

ipvs: properly dereference pe in ip_vs_add_service

bonding: fix null pointer deref in bond_ipsec_offload_ok

ELF: fix kernel.randomize_va_space double read

of: module: add buffer overflow check in of_modalias()

dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list

Patched function waits for external events, which may prevent patching/unpatching.

Bluetooth: msft: fix slab-use-after-free in msft_do_close()

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

tracing: Free buffers when a used dynamic event is removed

hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails

net: tun: Fix use-after-free in tun_detach()

exec: Fix ToCToU between perm check and set-uid/gid usage

drm: nv04: Fix out of bounds access

vhost/vsock: always initialize seqpacket_allow

vhost/vsock: always initialize seqpacket_allow

net: bridge: mcast: wait for previous gc cycles when removing port

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

hwmon: (lm95234) Fix underflows seen when writing limit attributes

hwmon: (adc128d818) Fix underflows seen when writing limit attributes

ipv6: prevent UAF in ip6_send_skb()

scsi: aacraid: Fix double-free on probe failure

drm/amdgpu: Fix out-of-bounds write warning

idpf: fix memory leaks and crashes while performing a soft reset

Blamed commit 90912f9 ("idpf: convert header split mode to libeth + napi_build_skb()") is absent.

ext4: fix double brelse() the buffer of the extents path

ext4: aovid use-after-free in ext4_ext_insert_extent()

ext4: fix slab-use-after-free in ext4_split_extent_at()

ext4: avoid use-after-free in ext4_ext_show_leaf()

wifi: ath11k: fix array out-of-bound access in SoC stats

Bluetooth: L2CAP: Fix uaf in l2cap_connect

Bluetooth: hci_core: Fix calling mgmt_device_connected

ext4: fix timer use-after-free on failed mount

ext4: no need to continue when the number of entries is 1

ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free

drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer

drm/amdgpu: fix mc_data out-of-bounds read warning

drm/amdgpu: fix ucode out-of-bounds read warning

drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number

of/irq: Prevent device address out-of-bounds read in interrupt map walk

HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

ACPI: sysfs: validate return type of _STR method

powercap: intel_rapl: Fix off by one in get_rpi()

wifi: rtw89: avoid reading out of bounds when loading TX power FW elements

slip: make slhc_remember() more robust against malicious packets

ppp: fix ppp_async_encode() illegal access

fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF

sch/netem: fix use after free in netem_dequeue

spi: nxp-fspi: fix the KASAN report out-of-bounds bug

vhost_vdpa: assign irq bypass producer token correctly

mm: call the security_mmap_file() LSM hook in remap_file_pages()

mm: split critical region in remap_file_pages() and invoke LSMs in between

iommufd: Protect against overflow of ALIGN() during iova allocation

sched: sch_cake: fix bulk flow accounting logic for host fairness

wifi: rtw88: always wait for both firmware loading attempts

macsec: Fix use-after-free while sending the offloading packet

net: sched: fix use-after-free in taprio_change()

udf: fix uninit-value use in udf_get_fileshortad

nvmet-auth: assign dh_key to NULL after kfree_sensitive

net: explicitly clear the sk pointer, when pf->create fails

smb: client: fix OOBs when building SMB2_IOCTL request

wifi: cfg80211: clear wdev->cqm_config pointer on free

drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()

PCI: Fix use-after-free of slot->bus on hot remove

PCI: Fix use-after-free of slot->bus on hot remove

nfsd: make sure exp active before svc_export_show

net: inet: do not leave a dangling sk pointer in inet_create()

net: inet6: do not leave a dangling sk pointer in inet6_create()

Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync

drm/amdgpu: fix usage slab after free

Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()

xsk: fix OOB map writes when deleting elements

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

scsi: sg: Fix slab-use-after-free read in sg_release()

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()

tipc: guard against string buffer overrun

Bluetooth: hci_conn: helper

Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync

smb: client: fix UAF in async decryption

driver core: bus: Fix double free in driver API bus_register()

uprobe: avoid out-of-bounds memory access of fetching args

tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

parport: Proper fix for array out-of-bounds access

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

net: sched: use RCU read-side critical section in taprio_dump()

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()

low-scored CVE which inevitably will cause verification conflicts with freezable kthread and cifs reading routines.

hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer

SUNRPC: make sure cache entry active before cache_show

Patch affects initramfs

block, bfq: fix bfqq uaf in bfq_limit_depth()

NFSv4.0: Fix a use-after-free problem in the asynchronous open()

wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()

Bluetooth: Ignore too large handle values in BIG

gpio: pca953x: fix pca953x_irq_bus_sync_unlock race

fs: prevent out-of-bounds array speculation when closing a file descriptor

ice: Add a per-VF limit on number of FDIR filters

ice: Add a per-VF limit on number of FDIR filters

block: fix deadlock between sd_remove & sd_release

ext4: make sure the first directory block is not a hole

ext4: check dot and dotdot of dx_root before making dir indexed

sysctl: always initialize i_uid/i_gid

devres: Fix memory leakage caused by driver API devm_free_percpu()

Bluetooth: MGMT: Add error handling to pair_device()

ext4: sanity check for NULL pointer after ext4_force_shutdown

md/raid5: avoid BUG_ON() while continue reshape after reassembling

gpio: prevent potential speculation leaks in gpio_device_get_desc()

driver core: Fix uevent_show() vs driver detach race

cgroup/cpuset: fix panic caused by partcmd_update

pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv

arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry

userfaultfd: fix checks for huge PMDs

tcp_bpf: fix return value of tcp_bpf_sendmsg()

drm/amdgpu: fix the waring dereferencing hive

drm/amdgpu: Fix the warning division or modulo by zero

drm/amd/amdgpu: Check tbo resource pointer

drm/amdgpu: the warning dereferencing obj for nbio_v7_4

drm/amdgpu: Fix smatch static checker warning

blk_iocost: fix more out of bound shifts

fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name

ACPI: PAD: fix crash in exit_round_robin()

wifi: cfg80211: Set correct chandef when starting CAC

wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit

wifi: rtw89: avoid to add interface to list twice when SER

ppp: do not assume bh is held in ppp_channel_bridge_input()

net: add more sanity checks to qdisc_pkt_len_init()

Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue

Bluetooth: MGMT: Fix possible crash on mgmt_index_removed

sched/smt: Introduce sched_smt_present_inc/dec() helper

sched/smt: Fix unbalance sched_smt_present dec/inc

pipe: wakeup wr_wait after setting max_usage

pipe: wakeup wr_wait after setting max_usage kpatch

watch_queue: fix pipe accounting mismatch

net: wwan: fix global oob in wwan_rtnl_policy

net: wwan: fix global oob in wwan_rtnl_policy

Vendor reverted in d1aa0c04294 as it causes deadlocks

dm cache: fix potential out-of-bounds access on the first resume

virtio_net: Add hash_key_length check

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame

serial: protect uart_port_dtr_rts() in uart_shutdown() too

blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race

blk-mq: setup queue ->tag_set before initializing hctx

iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices

low score, complex adaptation

Bluetooth: ISO: Fix multiple init when debugfs is disabled

Bluetooth: Call iso_exit() on module unload

thermal: intel: int340x: processor: Fix warning during module unload

xhci: tegra: fix checked USB2 port number

NFSD: Prevent a potential integer overflow

rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu

EDAC/bluefield: Fix potential integer overflow

net: sched: fix ordering of qlen adjustment

wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures

PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()

exfat: fix potential deadlock on __exfat_get_dentry_set

net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE

net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE

ext4: fix infinite loop when replaying fast_commit

cgroup/cpuset: Prevent UAF in proc_cpuset_show()

lib: objagg: Fix general protection fault

scsi: lpfc: Fix a possible null pointer dereference

xdp: fix invalid wait context of page_pool_destroy()

workqueue: wq_watchdog_touch is always called with valid CPU

fsnotify: clear PARENT_WATCHED flags lazily

lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()

block: fix potential invalid pointer dereference in blk_add_partition

ext4: fix race between writepages and remount

ext4: check stripe size compatibility on remount as well

icmp: change the order of rate limits

vdpa/mlx5: Fix invalid mr resource destroy

x86/sgx: Fix deadlock in SGX NUMA node search

cachefiles: fix dentry leak in cachefiles_open_file()

nfsd: map the EBADMSG to nfserr_io to avoid warning

resource: fix region_intersects() vs add_memory_driver_managed()

ext4: update orig_path in ext4_find_extent()

platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug

x86/ioapic: Handle allocation failures gracefully

wifi: iwlwifi: mvm: avoid NULL pointer dereference

Complex adaptation required (too many dependency patches)

net: Make copy_safe_from_sockptr() match documentation

Bluetooth: hci_sock: Fix not validating setsockopt user input

Bluetooth: ISO: Fix not validating setsockopt user input

Bluetooth: L2CAP: Fix not validating setsockopt user input

Bluetooth: RFCOMM: Fix not validating setsockopt user input

Bluetooth: SCO: Fix not validating setsockopt user input

Bluetooth: Fix memory leak in hci_req_sync_complete()

Bluetooth: HCI: Fix potential null-ptr-deref

Bluetooth: qca: add missing firmware sanity checks

Bluetooth: qca: fix firmware check error path

bpf: Remove tst_run from lwt_seg6local_prog_ops.

bpf: Remove tst_run from lwt_seg6local_prog_ops.

Requires adaptation (missing commit e7b02296)

nfsd: return -EINVAL when namelen is 0

xen/netfront: stop tx queues during live migration

xen-netfront: Fix NULL sring after live migration

fscache: Fix oops due to race with cookie_lru and use_cookie