bluetooth: Perform careful capability checks in hci_sock_ioctl()

xfs: verify buffer contents when we skip log replay

i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()

perf: Fix check before add_event_to_groups() in perf_group_detach()

net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()

netfilter: nf_tables: deactivate anonymous set from preparation phase

KVM: x86/mmu: Fix race condition in direct_page_fault

prlimit: do_prlimit needs to have a speculation check

ipvlan:Fix out-of-bounds caused by unclear skb->cb

net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

x86/speculation: Allow enabling STIBP with legacy IBRS

x86/speculation: Allow enabling STIBP with legacy IBRS

nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

net/sched: cls_fw: Fix improper refcount update leads to use-after-free

out of scope, ARM EFI related

x86/speculation: Restore speculation related MSRs during S3 resume

hw: amd: Cross-Process Information Leak

netfilter: nft_set_pipapo: fix improper element removal

netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE

nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

netfilter: nf_tables: fix chain binding transaction logic

netfilter: nf_tables: fix chain binding transaction logic

net/sched: cls_u32: Fix reference counter leak leading to overflow

NFSD: fix use-after-free in nfsd4_ssc_setup_dul()

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work

memstick: r592: Fix UAF bug in r592_remove due to race condition

relayfs: fix out-of-bounds access in relay_file_read

net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_u32: No longer copy tcf_result on update to avoid

libceph: harden msgr2.1 frame segment length checks

HID: check empty report_list in hid_validate_values()

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

KVM: nVMX: add missing consistency checks for CR0 and CR4

net: qcom/emac: Fix use after free bug in emac_remove due to race condition

drm/vmwgfx: Do not drop the reference to the handle too soon

Fixes require microcode updates

ovl: fix use after free in struct ovl_aio_req

ovl: fix use after free in struct ovl_aio_req

sctp: fail if no bound addresses can be used for a given scope

net: add sock_init_data_uid()

tap: tap_open(): correctly initialize socket uid

tun: tun_chr_open(): correctly initialize socket uid

This is a low priority CVE & the patch impacts many critical components of the networking subsystem & it requires multiple complex adaptations in those components to avoid losing existing connections on patch/unpatch.

hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition

fbcon: Check font dimension limits

fbcon: HID: intel_ish-hid: Add check for ishtp_dma_tx_map

xfrm: add NULL check in xfrm_update_ae_params

Smart Patch for fs/exfat/dir.c

r8152: Rate limit overflow messages

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

mm/memory.c: fix race when faulting a device private page

nouveau: Fix migrate_to_ram() for faulting page

mm/memory: return vm_fault_t result from migrate_to_ram() callback

net/tls: tls_is_tx_ready() checked list_entry

net: mpls: fix stale pointer if allocation fails during device rename

gfs2: Don't deref jdesc in evict

net: tap_open(): set sk_uid from current_fsuid()

net: tun_chr_open(): set sk_uid from current_fsuid()

KVM: SEV: only access GHCB fields once

drm/vmwgfx: Remove rcu locks from user resources

drm/vmwgfx: Remove rcu locks from user resources

Medium severity vulnerability CVE requiring extremely complex adaptation (if at all possible)

In RHEL9 (and derivatives) isdn/mISDN driver is absent, not compiled.

coredump: fix memleak in dump_vma_snapshot()

coredump: Snapshot the vmas in do_coredump

coredump: Remove the WARN_ON in dump_vma_snapshot

coredump: Use the vma snapshot in fill_files_note

The fix consists of several patch-series and mix refactoring/bug-fixes/security-fixes/features for bpf subsystem. Dedicated security-fixes introduce crashes within newer bpf kselftests and the whole patch-series is not suitable for live-patching. At the same time the scope is limited to el9_2 only and is mitigated by the default kernel configuration (CONFIG_BPF_UNPRIV_DEFAULT_OFF=y).

igb: set max size RX buffer when store bad packet is enabled

igb: set max size RX buffer when store bad packet is enabled

cifs: Fix UAF in cifs_demultiplex_thread()

x86/sev: Disable MMIO emulation from user mode

nfp: fix use-after-free in area_cache_get()

RDMA/core: Refactor rdma_bind_addr

netfilter: nf_tables: skip bound chain on rule flush

net: tun: fix bugs for oversize packet when napi frags enabled

kernel-5.14.0-284.11.1.el9_2 and earlier are not vulnerable because they don't have the commit 4bedf9eee016 (netfilter: nf_tables: fix chain binding transaction logic) that introduced the vulnerability

af_unix: Fix null-ptr-deref in unix_stream_sendpage().

net/sched: sch_hfsc: Ensure inner classes have fsc curve

Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

drivers: net: slip: fix NPD bug in sl_tx_timeout()

x86/sev: Disable MMIO emulation from user mode

x86/sev: Check IOBM for IOIO exceptions from user-space

x86/sev: Check for user-space IOIO pointing to kernel space

drm/vmwgfx: Fix possible invalid drm gem put calls

drm/vmwgfx: Keep a gem reference to user bos in surfaces

netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c

drm/vmwgfx: Fix shader stage validation

can: af_can: fix NULL pointer dereference in can_rcv_filter

fbcon: Fix error paths in set_con2fb_map

fbcon: set_con2fb_map needs to set con2fb_map!

Affected device driver does not exist in supported kernels.

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use netfilter functionality.

drm/amdgpu: Fix potential fence use-after-free v2

perf: Disallow mis-matched inherited group reads

perf: Disallow mis-matched inherited group reads (adaptation)

smb: client: fix OOB in smbCalcSize()

smb: client: fix potential OOB in smb2_dump_detail()

netfilter: nft_set_pipapo: skip inactive elements during set walk

Vulnerable commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) was introduced later than kernel-5.14.0-362.18.1.el9_3. None of our kernels are vulnerable.

net: tls, update curr on splice as well

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

nvmet-tcp: fix a crash in nvmet_req_complete()

nvmet-tcp: remove boilerplate code

nvmet-tcp: Fix the H2C expected PDU len calculation

Bluetooth: L2CAP: Fix u8 overflow

atm: Fix Use-After-Free in do_vcc_ioctl

perf: Fix perf_event_validate_size()

perf: Fix perf_event_validate_size() lockdep

netfilter: nf_tables: Reject tables of

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux

net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()

RDMA/irdma: Prevent zero-length STAG registration

RDMA/irdma: Prevent zero-length STAG registration

smb: client: fix OOB in receive_encrypted_standard()

smb: client: fix potential OOBs in smb2_parse_contexts()

smb: client: fix parsing of SMB3.1.1 POSIX create context

netfilter: nf_tables: check if catch-all set element is active in next generation

Bluetooth: af_bluetooth: Fix Use-After-Free in

io_uring/af_unix: disable sending io_uring over sockets

vc_screen: move load of struct vc_data pointer in

vc_screen: don't clobber return value in vcs_read

drm/qxl: fix UAF on handle creation

i2c: i801: Fix block process call transactions

ida: Fix crash in ida_free when the bitmap is empty

fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super {CVE-2024-0841}

Bluetooth: Fix double free in hci_conn_cleanup

The patch for this CVE already present in kernel-5.14.0-362.24.1.el9_3 version. The kernel-5.14.0-362.18.1.el9_3 version and below are not vulnerable because they don't have commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) which introduced the vulnerability.

Bluetooth: Add more enc key size check

netfilter: nfnetlink_osf: avoid OOB read

netfilter: xt_sctp: validate the flag_info count

kobject: Fix slab-out-of-bounds in fill_kobj_path()

kobject: modify kobject_get_path() to take a const *

Reapply "memcg: enable accounting for file lock

netfilter: nf_tables: bail out on mismatching

HID: sony: Fix a potential memory leak in sony_probe()

net/sched: act_ct: fix skb leak and crash on ooo frags

drm/vmwgfx: Fix possible null pointer derefence with invalid contexts

Complex adaptation required to add timer_shutdown_sync() in timers subsystem.

sched/membarrier: reduce the ability to hammer on sys_membarrier

ipv4: fix null-deref in ipv4_link_failure

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

The given kernel version isn't vulnerable.

neigh: make sure used and confirmed times are valid

net: fix possible store tearing in neigh_periodic_work()

net/core: Fix ETH_P_1588 flow dissector

netfilter: nf_tables: disallow timeout for anonymous sets

ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

net: tls: fix use-after-free with partial reads

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

The modified structure mem_section_usage is used only during bootup time. As we patch the changes after booting they will have no effect. Therefore we cannot patch this CVE.

Bluetooth: hci_event: Ignore NULL link key

Bluetooth: Reject connection with the device

Bluetooth: hci_event: Fix using memcmp when

Bluetooth: hci_event: Fix coding style

Bluetooth: avoid memcmp() out of bounds warning

Bluetooth: HCI: Fix global-out-of-bounds

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY

The given kernel version isn't vulnerable (Netfilter).

io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid

net: add atomic_long_t to net_device_stats fields

net: bridge: use DEV_STATS_INC()

net: bridge: use DEV_STATS_INC()

USB: core: Unite old scheme and new scheme

USB: core: Change usb_get_device_descriptor() API

USB: core: Fix race by not overwriting

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

net: xfrm: Fix xfrm_address_filter OOB read

team: fix null-ptr-deref when team device type is changed

team: fix null-ptr-deref when team device type is changed

nvmet: nul-terminate the NQNs passed in the

CVE has been marked as REJECTED on the NVD website.

drm/atomic: Fix potential use-after-free in nonblocking commits

drm/atomic: Fix potential use-after-free in nonblocking commits

crypto: akcipher - Disable signing and decryption

x86/sev: Harden #VC instruction emulation somewhat

netfilter: nf_tables: disallow anonymous set with timeout flag

netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations

netfilter: nft_ct: fix l3num expectations with inet pseudo family

net: ip_tunnel: prevent perpetual headroom growth

ipv6: sr: fix possible use-after-free and null-ptr-deref

fs: sysfs: Fix reference leak in sysfs_break_active_protection()

net/mlx5e: fix a potential double-free in fs_any_create_groups

Bluetooth: Avoid potential use-after-free in hci_error_reset

net/mlx5: Properly link new fs rules into the tree

net: hns3: do not allow call hns3_nic_net_open repeatedly

xen-netfront: Add missing skb_mark_for_recycle

smb: client: fix UAF in smb2_reconnect_server()

crypto: qat - resolve race condition during AER recovery

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

epoll: be better about file lifetimes

mlxbf_gige: stop interface during shutdown

net: amd-xgbe: Fix skb data length underflow

dm: call the resume method on internal suspend

nfp: flower: handle acti_netdevs allocation failure

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

icmp: prevent possible NULL dereferences from icmp_build_probe()

can: j1939: j1939_netdev_start(): fix UAF for

Squashfs: check the inode number is not the invalid value of zero

scsi: libfc: Fix potential NULL pointer

scsi: lpfc: Move NPIV's transport unregistration to after resource clean up

block: add check that partition length needs to be aligned with block size

mlxbf_gige: call request_irq() after NAPI initialized

scsi: lpfc: Release hbalock before calling

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

bpf: Complex adaptation required.

octeontx2: CVE patch is outside the scope.

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

blk-cgroup: fix list corruption from resetting io

Not vulnerable: mapping mechanism that the bug applies to was introduced in v6.6 upstream (3178308ad4c) and appeared in RHEL9's since -427

netfilter: nf_tables: use timestamp to check for

netfilter: nf_tables: use timestamp to check for

nvme: fix reconnection fail due to reserved tag

Not vulnerable: function with the buggy code `dmirror_device_evict_chunk()` exists since 362.8.1

Not vulnerable: buggy function was introduced in v6.5 upsteam (or RHEL9's 427.13.1), and no similar code patterns existed before for this module

mm/vmscan: make sure wakeup_kswapd with managed zone

mm/vmscan: fix a bug calling wakeup_kswapd() with

tipc: fix UAF in error path

ethernet: hisilicon: hns: hns_dsaf_misc: fix a

octeontx2-af: avoid off-by-one read from

net: ena: Fix incorrect descriptor free behavior

vt: fix memory overlapping when deleting chars in

tcp: Use refcount_inc_not_zero() in

can: j1939: prevent deadlock by changing

can: j1939: prevent deadlock by changing

r8169: Fix possible ring buffer corruption on

net: hns3: fix use-after-free bug in

netfilter: tproxy: bail out if IP has been