net/sched: tcindex: update imperfect hash filters

netfilter: nf_tables: deactivate anonymous set from preparation phase

Complex adaptation is required, mainline retired tcindex.

Complex adaptation required. Low impact CVE.

vt: drop old FONT ioctls

Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

bluetooth: Perform careful capability checks in hci_sock_ioctl()

xfs: verify buffer contents when we skip log replay

net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()

netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE

net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

hw: amd: Cross-Process Information Leak

vt: vt_ioctl: fix race in VT_RESIZEX

dm verity: set DM_TARGET_IMMUTABLE feature flag

dm verity: set DM_TARGET_IMMUTABLE feature flag

xfrm: xfrm_policy: fix a possible double xfrm_pols_put()

i2c: ismt: prevent memory corruption in ismt_access()

net: sched: fix race condition in qdisc_graft()

netfilter: nf_tables: fix null deref due to zeroed list head

perf: Fix check before add_event_to_groups() in perf_group_detach()

ipvlan:Fix out-of-bounds caused by unclear skb->cb

This is a low priority CVE & the patch impacts many critical components of the networking subsystem & it requires multiple complex adaptations in those components to avoid losing existing connections on patch/unpatch.

netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free

netfilter: nft_set_pipapo: fix improper element removal

net/sched: cls_u32: Fix reference counter leak leading to overflow

net/sched: cls_fw: Fix improper refcount update leads to use-after-free

media: dvbdev: remove double-unlock

media: dvbdev: Fix memleak in dvb_register_device

media: dvbdev: fix error logic at dvb_register_device()

media: dvbdev: adopts refcnt to avoid UAF

media: dvbdev: fix refcnt bug

media: dvbdev: adopts refcnt to avoid UAF (adaptation)

media: dvb-core: Fix use-after-free due to race at dvb_register_device()

media: dvb-core: Fix use-after-free due to race at dvb_register_device() (adaptation)

media: dvb_net: avoid speculation from net slot

media: dvb-core: Fix use-after-free due on race condition at dvb_net

media: dvb-core: Fix use-after-free due on race condition at dvb_net (adaptation)

media: dvb_ca_en50221: off by one in dvb_ca_en50221_io_do_ioctl()

media: dvb_ca_en50221: avoid speculation from CA slot

media: dvb_ca_en50221: fix a size write bug

media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221

media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221 (adaptation)

sctp: leave the err path free in sctp_stream_init to sctp_stream_free

Initialize registers to avoid stack leak into userspace.

Reinstate some of "swiotlb: rework "fix info leak with

fbcon: Check font dimension limits

Fix double fget() in vhost_net_set_backend()

fbcon: Fix error paths in set_con2fb_map()

drivers: net: slip: fix NPD bug in sl_tx_timeout()

net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()

Complex adaptation required.

net/sched: sch_hfsc: Ensure inner classes have fsc curve

vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF

igb: set max size RX buffer when store bad packet is enabled

igb: set max size RX buffer when store bad packet is enabled

usb: mon: make mmapped memory read only

af_key: Do not call xfrm_probe_algs in parallel

igmp: Add ip_mc_list lock in ip_check_mc_rcu

ath9k: fix use-after-free in ath9k_hif_usb_rx_cbMIME-Version: 1.0

net: fix a concurrency bug in l2tp_tunnel_register()

l2tp: Serialize access to sk_user_data with sk_callback_lock

l2tp: Don't sleep and disable BH under writer-side sk_callback_lock

media: dvb-core: Fix UAF due to refcount races at releasing

net: sched: disallow noqueue for qdisc classes

net: sched: cbq: dont intepret cls results when asked to drop

cifs: fix use-after-free caused by invalid pointer `hostname`

ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE

ipv6: raw: Deduct extension header length in rawv6_push_pending_frames

wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()

i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()

net/sched: sch_qfq: account for stab overhead in qfq_enqueue

net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg

kernel/relay.c: fix read_pos error when multiple readers

media: saa7134: fix use after free bug in saa7134_finidev due to race condition

media: dm1105: Fix use after free bug in dm1105_remove due to race condition

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h

ext4: fix use-after-free in ext4_xattr_set_entry

HID: check empty report_list in hid_validate_values()

cifs: Fix UAF in cifs_demultiplex_thread()

net: qcom/emac: Fix use after free bug in emac_remove due to race condition

hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition

x86/speculation: Allow enabling STIBP with legacy IBRS

x86/speculation: Allow enabling STIBP with legacy IBRS

xfrm: add NULL check in xfrm_update_ae_params

tipc: fix an information leak in tipc_topsrv_kern_subscr

tipc: set con sock in tipc_conn_alloc

tipc: add an extra conn_get in tipc_conn_alloc

net: mpls: fix stale pointer if allocation fails during device rename

nvmet-tcp: Fix a possible UAF in queue intialization setup

net: tun: fix bugs for oversize packet when napi frags enabled

bpf: Fix incorrect verifier pruning due to missing register precision taints

scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress

af_unix: Fix null-ptr-deref in unix_stream_sendpage().

netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c

mm: thp: fix wrong cache flush in remove_migration_pmd()

mm/thp: simplify copying of huge zero page pmd when fork

mm/userfaultfd: fix uffd-wp special cases for

Complex adaptation required.

Rejected, not a security issue.

Fix lock_sock() blockage by memcpy_from_msg()

fix double dev_kfree_skb() in error path

KVM: x86: do not report a vCPU as preempted outside instruction boundaries

KVM: x86: do not report a vCPU as preempted outside instruction boundaries

udf: Restore i_lenAlloc when inode expansion fails

cifs: prevent bad output lengths in smb2_ioctl_query_info()

cifs: fix NULL ptr dereference in smb2_ioctl_query_info()

NFSv4: Handle case where the lookup of a directory fails

netfilter: nf_tables: do not allow SET_ID to refer to another

udf: Fix NULL ptr deref when converting from inline format

netfilter: nf_tables: do not allow SET_ID to refer to another

media: v4l: ioctl: Fix memory leak in video_usercopy

x86/elf: Disable automatic READ_IMPLIES_EXEC on 64-bit

netfilter: nf_queue: do not allow packet truncation below transport header offset

SUNRPC: Ensure we flush any closed sockets before

[PATCH] SUNRPC: Don't leak sockets in xs_local_connect()

ovl: fix use after free in struct ovl_aio_req

ovl: fix use after free in struct ovl_aio_req

RDMA/core: Refactor rdma_bind_addr()

net: tls, update curr on splice as well

perf: Disallow mis-matched inherited group reads

perf: Disallow mis-matched inherited group reads (adaptation)

x86/sev: Disable MMIO emulation from user mode

x86/sev: Check IOBM for IOIO exceptions from user-space

x86/sev: Check for user-space IOIO pointing to kernel space

bpf: Fix ringbuf helper function compatibility

smb: client: fix potential OOB in smb2_dump_detail()

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

nvmet-tcp: fix a crash in nvmet_req_complete()

nvmet-tcp: remove boilerplate code

nvmet-tcp: Fix the H2C expected PDU len calculation

memstick: r592: Fix UAF bug in r592_remove due to race condition

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

lockdown: also lock down previous kgdb use

seq_buf: Fix overflow in seq_buf_putmem_hex()

vt: use tty_insert_flip_string in respond_string

vt: keyboard, use tty_insert_flip_string in puts_queue

tty: drivers/tty/, stop using tty_schedule_flip()

tty: the rest, stop using tty_schedule_flip()

tty: drop tty_schedule_flip()

tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()

tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()

tty: drop tty_schedule_flip()

netfilter: nf_tables: sanitize nft_set_desc_concat_parse()

tcp/udp: Fix memory leak in ipv6_renew_options()

drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path

media: usb: siano: Fix use after free bugs caused by do_submit_urb

media: usb: siano: Fix use after free bugs caused by do_submit_urb

net: sched: atm: dont intepret cls results when asked to drop

media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()

netfilter: nf_conntrack_irc: Tighten matching on DCC message

netfilter: nf_conntrack_irc: Fix forged IP logic

r8152: Rate limit overflow messages

prlimit: do_prlimit needs to have a speculation check

media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()

Bluetooth: L2CAP: Fix memory leak in vhci_write

net/tls: tls_is_tx_ready() checked list_entry

tcp: Fix data races around icsk->icsk_af_ops.

mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page

A low priority AMD Inception vulnerability that affects Zen3/Zen4 & relates to RetBleed fixes requiring microcode updates, we can't do much about it in KCare Infra.

CAN code restructuring commits that introduce this security bug aren't present in older kernels.

bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM.

bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM.

net: sched: sch_qfq: Fix UAF in qfq_dequeue()

net: sched: sch_qfq: Fix UAF in qfq_dequeue() (adaptation)

USB: ene_usb6250: Allocate enough memory for full object

nfp: fix use-after-free in area_cache_get()

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

netfilter: nft_set_pipapo: skip inactive elements during set walk

bpf: Fix out of bounds access from invalid *_or_null type verification

Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

UBUNTU: SAUCE: bpf: prevent helper argument PTR_TO_ALLOC_MEM to have offset other than 0

net/sched: cls_u32: fix netns refcount changes in u32_change()

Out of scope as the patch is aarch64 related

perf: Fix perf_event_validate_size() lockdep splat

perf: Fix perf_event_validate_size() lockdep splat

net/packet: fix slab-out-of-bounds access in packet_recvmsg()

drm/vmwgfx: Fix shader stage validation

video: of_display_timing.h: include errno.h

fbcon: Disallow setting font bigger than screen size

fbcon: Prevent that screen size is smaller than font size

fbmem: Check virtual screen sizes in fb_set_var()

media: em28xx: initialize refcount before kref_get

devlink: Fix use-after-free after a failed reload

drm/amdgpu: Fix potential fence use-after-free v2

media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()

KVM: nVMX: add missing consistency checks for CR0 and CR4

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

sctp: fail if no bound addresses can be used for a given scope

KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux

drm/vmwgfx: Remove rcu locks from user resources

drm/vmwgfx: Remove rcu locks from user resources

drm/vmwgfx: Fix possible null pointer derefence with invalid contexts

psi: Fix uaf issue when psi trigger is destroyed while being polled (adaptation)

HID: elo: fix memory leak in elo_probe

net: sched: fix use-after-free in tc_new_tfilter()

smb: client: fix OOB in smbCalcSize()

drm/atomic: Fix potential use-after-free in nonblocking commits

drm/atomic: Fix potential use-after-free in nonblocking commits

wifi: cfg80211: fix BSS refcounting bugs

smb: client: fix OOB in receive_encrypted_standard()

KVM: x86/mmu: Fix race condition in direct_page_fault

wifi: cfg80211: avoid nontransmitted BSS list corruption

atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

wifi: mac80211: fix crash in beacon protection for P2P-device

wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()

netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()

Medium severity vulnerability CVE requiring extremely complex adaptation (if at all possible)

ext4: fix kernel BUG in 'ext4_write_inline_data_end()'

media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()

sched/membarrier: reduce the ability to hammer on sys_membarrier

KVM: x86: avoid calling x86 emulator without a decoded

ext4: check if directory block is within i_size

ext4: make sure ext4_append() always allocates

ext4: fix check for block being out of directory size

veth: ensure skb entering GRO are not cloned

Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

ipv4: avoid using shared IP generator for connected sockets

ipv4: tcp: send zero IPID in SYNACK messages

mlxsw: spectrum_acl_tcam: Fix stack corruption

Complex adaptation required.

net: add atomic_long_t to net_device_stats fields

net: Fix unwanted sign extension in netdev_stats_to_stats64()

net: bridge: use DEV_STATS_INC()

net: add atomic_long_t to net_device_stats fields

net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send

net: sched: atm: dont intepret cls results when asked to drop

Bluetooth: af_bluetooth: Fix Use-After-Free in

wifi: mac80211: fix potential key use-after-free

ALSA: pcm: Fix races among concurrent read/write and buffer changes

ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls

ALSA: pcm: Fix races among concurrent prealloc proc writes

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls (adaptation)

netfilter: nf_tables: disallow anonymous set with timeout flag

fs: sysfs: Fix reference leak in sysfs_break_active_protection()

net: ti: fix UAF in tlan_remove_one

KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID

tls: disable async encrypt/decrypt

ipv6: sr: fix possible use-after-free and

Bluetooth: Avoid potential use-after-free in

net: ip_tunnel: prevent perpetual headroom growth

netfilter: Complex adaptation required.

net: ena: Fix incorrect descriptor free behavior

netfilter: nf_tables: honor table dormant flag from

tipc: fix UAF in error path

ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

net: amd-xgbe: Fix skb data length underflow

net/mlx5e: fix a potential double-free in fs_any_create_groups

bonding: stop the device in bond_setup_by_slave()

arp: Prevent overflow in arp_req_get().

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

CVE marked as rejected by vendor

net/mlx5: Properly link new fs rules into the tree

i40e: fix vf may be used uninitialized in this

scsi: qla2xxx: Fix off by one in

net: core: reject skb_copy(_expand) for fraglist GSO skbs

af_unix: Fix data races in

af_unix: Fix data-races around sk->sk_shutdown.

hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

drm: Don't unref the same fb many times by mistake due to deadlock handling

tcp: add sanity checks to rx zerocopy

vfio/pci: Lock external INTx masking ops

mptcp: fix data re-injection from stale subflow

NFSv4.2: fix nfs4_listxattr kernel BUG at

ipvlan: Dont Use skb->sk in

wifi: mac80211: check/clear fast rx for non-4addr

mm/hugetlb: fix missing hugetlb_lock for resv

tls: fix missing memory barrier in tls_init

net/mlx5: Discard command completions in internal

net: qcom/emac: fix UAF in emac_remove

proc/vmcore: let pfn_is_ram() return a bool

proc/vmcore: fix clearing user buffer by properly using clear_user()

bnxt: prevent skb UAF after handing over to PTP worker

NFSD: Fix the behavior of READ near OFFSET_MAX

NFSD: Fix ia_size underflow

NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes

uio: Fix use-after-free in uio_open

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

tcp: do not accept ACK of bytes we never sent

SUNRPC: Fix UAF in svc_tcp_listen_data_ready()

VFIO: Add the SPR_DSA and SPR_IAX devices to the

mlxsw: spectrum_acl_tcam: Fix memory leak when

rtnetlink: Correct nested IFLA_VF_VLAN_LIST

net: fix __dst_negative_advice() race

ionic: clean interrupt before enabling queue to avoid credit race

ionic: fix use after netif_napi_del()

tap: add missing verification for short frame

tun: add missing verification for short frame

ipc/mqueue.c: remove duplicated code

ipc/mqueue.c: update/document memory barriers

ipc/msg.c: update and document memory barriers

ipc/sem.c: document and update memory barriers

ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry

mISDN: fix possible use-after-free in HFC_cleanup()

mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq

isdn: mISDN: Fix sleeping function called from invalid context

KVM: x86: nSVM: fix potential NULL derefernce on nested migration

perf: Fix list corruption in perf_cgroup_switch()

smb: client: fix potential OOBs in

smb: client: fix parsing of SMB3.1.1 POSIX create

net/sched: act_ct: fix skb leak and crash on ooo frags

platform/x86: wmi: Fix opening of char device

wifi: iwlwifi: dbg-tlv: ensure NUL termination

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

tcp: Use refcount_inc_not_zero() in tcp_twsk_unique()

wifi: nl80211: don't free NULL coalescing rule

iommu: Fix potential use-after-free during probe

cxgb4: avoid accessing registers when clearing filters

nvme-rdma: destroy cm id before destroy qp to avoid use after free

mm/slub: fix to return errno if kmalloc() fails

bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE

r8169: Fix possible ring buffer corruption on fragmented Tx packets

xfs: add bounds checking to xlog_recover_process_data

userfaultfd: fix a race between writeprotect and exit_mmap()

hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove

Squashfs: check the inode number is not the invalid

vt: fix unicode buffer corruption when deleting

mm, thp: bail out early in collapse_file for writeback page

ipv6: sr: fix out-of-bounds read when setting HMAC data

virtio-net: Add validation for used length

netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()

netfilter: nf_tables: Fix potential data-race in

netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()

ext4: fix double-free of blocks due to wrong

ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

cgroup: cgroup_get_from_id() must check the looked-up kn is a directory

exit: Use the correct exit_code in /proc/<pid>/stat

fs/proc: do_task_stat: use __for_each_thread()

fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand()

fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats

mptcp: ensure snd_nxt is properly initialized on connect

wifi: mac80211: Avoid address calculations via out of bounds array indexing

netfilter: tproxy: bail out if IP has been disabled

af_unix: Fix garbage collector racing against connect()

tty: keyboard, do not speculate on func_table index

tty/vt: fix write/write race in ioctl(KDSKBSENT)

vt: keyboard, simplify vt_kdgkbsent

vt: keyboard, extend func_buf_lock to readers

vt: keyboard, rename i to kb_func in vt_do_kdgkb_ioctl

vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl

tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

wifi: mac80211: don't return unset power in ieee80211_get_tx_power()

Not affected: issue introduced since 4.18.0-477.*