posix-cpu-timers: Cleanup CPU timers before freeing them

ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease the stability and performance of the kernel, while vulnerability has a medium security impact and only for a certain hardware environment.

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease the stability and performance of the kernel, while vulnerability has a medium security impact and only for a certain hardware environment.

UBUNTU: SAUCE: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

fanotify: Fix stale file descriptor in copy_event_to_user()

openvswitch: fix OOB access in reserve_sfa_size()

net/packet: fix slab-out-of-bounds access in packet_recvmsg()

can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path

SUNRPC: Ensure we flush any closed sockets before

SUNRPC: Don't leak sockets in xs_local_connect()

SUNRPC: Ensure we flush any closed sockets before (adaptation)

net/sched: cls_u32: fix netns refcount changes in

netfilter: nf_queue: do not allow packet truncation below transport header offset

Bluetooth: fix repeated calls to sco_sock_kill

Bluetooth: avoid circular locks in sco_sock_connect

Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls

ALSA: pcm: Fix races among concurrent read/write and buffer changes

ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls

ALSA: pcm: Fix races among concurrent prealloc proc writes

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls (adaptation)

af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register

ipv4: avoid using shared IP generator for connected sockets

ipv4: tcp: send zero IPID in SYNACK messages

cifs: prevent bad output lengths in smb2_ioctl_query_info()

cifs: fix NULL ptr dereference in smb2_ioctl_query_info()

udf: Restore i_lenAlloc when inode expansion fails

udf: Fix NULL ptr deref when converting from inline format

Reinstate some of "swiotlb: rework "fix info leak with

netfilter: nf_tables: initialize registers in nft_do_chain()

ext4: verify dir block before splitting it

ext4: make variable "count" signed

KVM: x86: avoid calling x86 emulator without a decoded

x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data

lockdown: also lock down previous kgdb use

netfilter: nf_tables: disallow binding to already bound chain

NFSv4: Handle case where the lookup of a directory fails

netfilter: nf_tables: do not allow SET_ID to refer to another

netfilter: nf_tables: do not allow CHAIN_ID to refer to

netfilter: nf_tables: do not allow RULE_ID to refer to

drm: add a locked version of drm_is_current_master

drm: add a locked version of drm_is_current_master

drm: add a locked version of drm_is_current_master

drm: add a locked version of drm_is_current_master (adaptation)

net: usb: ax88179_178a: Fix out-of-bounds accesses in RX

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

pipe: Fix missing lock in pipe_resize_ring()

drm/i915: fix TLB invalidation for Gen12 video and compute

i2c: ismt: prevent memory corruption in ismt_access()

proc: proc_skip_spaces() shouldn't think it is working on C strings

proc: avoid integer type confusion in get_proc_long

netfilter: nft_payload: incorrect arithmetics when fetching

NFSD: fix use-after-free in __nfs42_ssc_open()

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu

i2c: ismt: Fix an out-of-bounds bug in ismt_access()

ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

act_mirred: use the backlog for nested calls to mirred ingress

tun: avoid double free in tun_free_netdev

tun: avoid double free in tun_free_netdev

ovl: fail on invalid uid/gid mapping at copy up

KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()

watchqueue: make sure to serialize 'wqueue->defunct' properly

devlink: Fix use-after-free after a failed reload

xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses()

wifi: cfg80211: fix BSS refcounting bugs

net/ulp: prevent ULP without clone op from entering the LISTEN status

af_key: Do not call xfrm_probe_algs in parallel

mm/hugetlb: fix race condition of uffd missing/minor handling

igmp: Add ip_mc_list lock in ip_check_mc_rcu

KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID

Kernel lockdown bypass when UEFI secure boot is disabled / unavailable and IMA appraisal is enabled.

usb: mon: make mmapped memory read only

wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()

tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()

tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()

tcp/udp: Fix memory leak in ipv6_renew_options().

drm/i915/gvt: fix double free bug in split_2MB_gtt_entry

mptcp: fix subflow traversal at disconnect time

l2tp: Serialize access to sk_user_data with sk_callback_lock

l2tp: Don't sleep and disable BH under writer-side sk_callback_lock

can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path

wifi: cfg80211: avoid nontransmitted BSS list corruption

ext4: fix kernel BUG in 'ext4_write_inline_data_end()'

bluetooth: Perform careful capability checks in hci_sock_ioctl()

xfs: verify buffer contents when we skip log replay

i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()

perf: Fix check before add_event_to_groups() in perf_group_detach()

net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()

netfilter: nf_tables: deactivate anonymous set from preparation phase

KVM: x86/mmu: Fix race condition in direct_page_fault

prlimit: do_prlimit needs to have a speculation check

ipvlan:Fix out-of-bounds caused by unclear skb->cb

net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

net/sched: cls_fw: Fix improper refcount update leads to use-after-free

out of scope, ARM EFI related

x86/speculation: Restore speculation related MSRs during S3 resume

hw: amd: Cross-Process Information Leak

netfilter: nft_set_pipapo: fix improper element removal

netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE

nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

netfilter: nf_tables: fix chain binding transaction logic

netfilter: nf_tables: fix chain binding transaction logic

seccomp: Move copy_seccomp() to no failure path.

net/sched: cls_u32: Fix reference counter leak leading to overflow

NFSD: fix use-after-free in nfsd4_ssc_setup_dul()

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work

memstick: r592: Fix UAF bug in r592_remove due to race condition

relayfs: fix out-of-bounds access in relay_file_read

net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_u32: No longer copy tcf_result on update to avoid

libceph: harden msgr2.1 frame segment length checks

HID: check empty report_list in hid_validate_values()

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

KVM: nVMX: add missing consistency checks for CR0 and CR4

net: qcom/emac: Fix use after free bug in emac_remove due to race condition

Fixes require microcode updates

ovl: fix use after free in struct ovl_aio_req

ovl: fix use after free in struct ovl_aio_req

sctp: fail if no bound addresses can be used for a given scope

net: add sock_init_data_uid()

tap: tap_open(): correctly initialize socket uid

tun: tun_chr_open(): correctly initialize socket uid

This is a low priority CVE & the patch impacts many critical components of the networking subsystem & it requires multiple complex adaptations in those components to avoid losing existing connections on patch/unpatch.

hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition

fbcon: Check font dimension limits

fbcon: HID: intel_ish-hid: Add check for ishtp_dma_tx_map

xfrm: add NULL check in xfrm_update_ae_params

Smart Patch for fs/exfat/dir.c

r8152: Rate limit overflow messages

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

mm/memory.c: fix race when faulting a device private page

nouveau: Fix migrate_to_ram() for faulting page

mm/memory: return vm_fault_t result from migrate_to_ram() callback

net/tls: tls_is_tx_ready() checked list_entry

net: mpls: fix stale pointer if allocation fails during device rename

gfs2: Don't deref jdesc in evict

net: tap_open(): set sk_uid from current_fsuid()

net: tun_chr_open(): set sk_uid from current_fsuid()

KVM: SEV: only access GHCB fields once

Medium severity vulnerability CVE requiring extremely complex adaptation (if at all possible)

In RHEL9 (and derivatives) isdn/mISDN driver is absent, not compiled.

coredump/elf: Pass coredump_params into fill_note_info

coredump: fix memleak in dump_vma_snapshot()

coredump: Snapshot the vmas in do_coredump

coredump: Remove the WARN_ON in dump_vma_snapshot

coredump: Use the vma snapshot in fill_files_note

Dependency patch required to support nvme-pci-clamp-max_hw_sectors-based-on-DMA-optimized-limitation-dependency.patch

nvme-pci: clamp max_hw_sectors based on DMA optimized limitation

nvme-pci: clamp max_hw_sectors based on DMA optimized limitation(KernelCare adaptation)

igb: set max size RX buffer when store bad packet is enabled

igb: set max size RX buffer when store bad packet is enabled

cifs: Fix UAF in cifs_demultiplex_thread()

x86/sev: Disable MMIO emulation from user mode

nfp: fix use-after-free in area_cache_get()

netfilter: nf_tables: skip bound chain on rule flush

net: tun: fix bugs for oversize packet when napi frags enabled

kernel-5.14.0-284.11.1.el9_2 and earlier are not vulnerable because they don't have the commit 4bedf9eee016 (netfilter: nf_tables: fix chain binding transaction logic) that introduced the vulnerability

af_unix: Fix null-ptr-deref in unix_stream_sendpage().

net/sched: sch_hfsc: Ensure inner classes have fsc curve

Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

drivers: net: slip: fix NPD bug in sl_tx_timeout()

x86/sev: Disable MMIO emulation from user mode

x86/sev: Check IOBM for IOIO exceptions from user-space

x86/sev: Check for user-space IOIO pointing to kernel space

netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c

drm/vmwgfx: Fix shader stage validation

can: af_can: fix NULL pointer dereference in can_rcv_filter

Affected device driver does not exist in supported kernels.

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use netfilter functionality.

drm/amdgpu: Fix potential fence use-after-free v2

perf: Disallow mis-matched inherited group reads

perf: Disallow mis-matched inherited group reads (adaptation)

smb: client: fix OOB in smbCalcSize()

smb: client: fix potential OOB in smb2_dump_detail()

netfilter: nft_set_pipapo: skip inactive elements during set walk

Vulnerable commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) was introduced later than kernel-5.14.0-362.18.1.el9_3. None of our kernels are vulnerable.

net: tls, update curr on splice as well

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

nvmet-tcp: fix a crash in nvmet_req_complete()

nvmet-tcp: remove boilerplate code

nvmet-tcp: Fix the H2C expected PDU len calculation

Bluetooth: L2CAP: Fix u8 overflow

atm: Fix Use-After-Free in do_vcc_ioctl

perf: Fix perf_event_validate_size()

perf: Fix perf_event_validate_size() lockdep

netfilter: nf_tables: Reject tables of

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux

net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()

RDMA/irdma: Prevent zero-length STAG registration

RDMA/irdma: Prevent zero-length STAG registration

smb: client: fix OOB in receive_encrypted_standard()

smb: client: fix potential OOBs in smb2_parse_contexts()

smb: client: fix parsing of SMB3.1.1 POSIX create context

netfilter: nf_tables: check if catch-all set element is active in next generation

Bluetooth: af_bluetooth: Fix Use-After-Free in

vc_screen: move load of struct vc_data pointer in

vc_screen: don't clobber return value in vcs_read

drm/qxl: fix UAF on handle creation

i2c: i801: Fix block process call transactions

ida: Fix crash in ida_free when the bitmap is empty

fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super {CVE-2024-0841}

Bluetooth: Fix double free in hci_conn_cleanup

The patch for this CVE already present in kernel-5.14.0-362.24.1.el9_3 version. The kernel-5.14.0-362.18.1.el9_3 version and below are not vulnerable because they don't have commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) which introduced the vulnerability.

Bluetooth: Add more enc key size check

netfilter: nfnetlink_osf: avoid OOB read

netfilter: xt_sctp: validate the flag_info count

kobject: Fix slab-out-of-bounds in fill_kobj_path()

kobject: modify kobject_get_path() to take a const *

Reapply "memcg: enable accounting for file lock

netfilter: nf_tables: bail out on mismatching

HID: sony: Fix a potential memory leak in sony_probe()

net/sched: act_ct: fix skb leak and crash on ooo frags

drm/vmwgfx: Fix possible null pointer derefence with invalid contexts

Complex adaptation required to add timer_shutdown_sync() in timers subsystem.

sched/membarrier: reduce the ability to hammer on sys_membarrier

ipv4: fix null-deref in ipv4_link_failure

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

The given kernel version isn't vulnerable.

neigh: make sure used and confirmed times are valid

net: fix possible store tearing in neigh_periodic_work()

net/core: Fix ETH_P_1588 flow dissector

netfilter: nf_tables: disallow timeout for anonymous sets

ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

net: tls: fix use-after-free with partial reads

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

The modified structure mem_section_usage is used only during bootup time. As we patch the changes after booting they will have no effect. Therefore we cannot patch this CVE.

Bluetooth: hci_event: Ignore NULL link key

Bluetooth: Reject connection with the device

Bluetooth: hci_event: Fix using memcmp when

Bluetooth: hci_event: Fix coding style

Bluetooth: avoid memcmp() out of bounds warning

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY

The given kernel version isn't vulnerable (Netfilter).

io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid

net: add atomic_long_t to net_device_stats fields

net: bridge: use DEV_STATS_INC()

net: bridge: use DEV_STATS_INC()

USB: core: Unite old scheme and new scheme

USB: core: Change usb_get_device_descriptor() API

USB: core: Fix race by not overwriting

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

net: xfrm: Fix xfrm_address_filter OOB read

team: fix null-ptr-deref when team device type is changed

team: fix null-ptr-deref when team device type is changed

nvmet: nul-terminate the NQNs passed in the

CVE has been marked as REJECTED on the NVD website.

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

wifi: mac80211: don't return unset power in ieee80211_get_tx_power()

drm/atomic: Fix potential use-after-free in nonblocking commits

drm/atomic: Fix potential use-after-free in nonblocking commits

crypto: akcipher - Disable signing and decryption

x86/sev: Harden #VC instruction emulation somewhat

netfilter: nf_tables: disallow anonymous set with timeout flag

netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations

netfilter: nft_ct: fix l3num expectations with inet pseudo family

net: ip_tunnel: prevent perpetual headroom growth

ipv6: sr: fix possible use-after-free and null-ptr-deref

fs: sysfs: Fix reference leak in sysfs_break_active_protection()

net/mlx5e: fix a potential double-free in fs_any_create_groups

Bluetooth: Avoid potential use-after-free in hci_error_reset

net/mlx5: Properly link new fs rules into the tree

net: hns3: do not allow call hns3_nic_net_open repeatedly

xen-netfront: Add missing skb_mark_for_recycle

smb: client: fix UAF in smb2_reconnect_server()

crypto: qat - resolve race condition during AER recovery

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

epoll: be better about file lifetimes

mlxbf_gige: stop interface during shutdown

net: amd-xgbe: Fix skb data length underflow

dm: call the resume method on internal suspend

nfp: flower: handle acti_netdevs allocation failure

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

icmp: prevent possible NULL dereferences from icmp_build_probe()

can: j1939: j1939_netdev_start(): fix UAF for

Squashfs: check the inode number is not the invalid value of zero

scsi: libfc: Fix potential NULL pointer

scsi: lpfc: Move NPIV's transport unregistration to after resource clean up

block: add check that partition length needs to be aligned with block size

mlxbf_gige: call request_irq() after NAPI initialized

scsi: lpfc: Release hbalock before calling

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

octeontx2: CVE patch is outside the scope.

eBPF: low score UAF with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y by default but needs complex adaptation.

VFIO: Add the SPR_DSA and SPR_IAX devices to the

wifi: rtl8xxxu: add cancel_work_sync() for

wifi: iwlwifi: dbg-tlv: ensure NUL termination

net: annotate data-races around

net: fix __dst_negative_advice() race

bonding: Fix out-of-bounds read in

wifi: cfg80211: check A-MSDU format more

net: netlink: af_netlink: Prevent empty skb by

wifi: ath10k: fix NULL pointer dereference in

platform/x86: wmi: remove unnecessary initializations

platform/x86: wmi: Fix opening of char device

phy: ti: phy-omap-usb2: Fix NULL pointer

netfilter: nft_chain_filter: handle

netfilter: nf_tables: do not compare internal

ipv6: fix potential "struct net" leak in

wifi: iwlwifi: read txq->read_ptr under lock

net: do not leave a dangling sk pointer, when socket creation fails

netns: Make get_net_ns() handle zero refcount net

ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes

vt: fix unicode buffer corruption when deleting characters

eeprom: at24: fix memory corruption race condition

mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

netfilter: nf_tables: flush pending destroy work before exit_net release

ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr

WiFi - Complex adaptation required.

ipv6: prevent possible NULL deref in fib6_nh_init()

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

net: openvswitch: fix overwriting ct original tuple for ICMPv6

igc: avoid returning frame twice in XDP_REDIRECT

Out of scope: boot time issue

tls: fix missing memory barrier in tls_init

virtio: delete vq in vp_find_vqs_msix() when request_irq() fails

wifi: nl80211: don't free NULL coalescing rule

net: core: reject skb_copy(_expand) for fraglist GSO skbs

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

netfilter: nf_tables: honor table dormant flag from netdev release event path

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

tap: add missing verification for short frame

tun: add missing verification for short frame

netfilter: nft_limit: reject configurations that cause integer overflow

net: bridge: xmit: make sure we have at least eth

tty: n_gsm: require CAP_NET_ADMIN to attach

CVE marked as rejected by vendor

netfilter: flowtable: Fix QinQ and pppoe support for inet table

netfilter: flowtable: validate pppoe header

netfilter: nf_tables: Fix potential data-race in

netfilter: validate user input for expected length

netfilter: complete validation of user input

nf_tables: disable toggling dormant table state more than once

netfilter: nf_tables: discard table flag update

netfilter: nf_tables: discard table flag update

vfio/pci: Lock external INTx masking ops

nvmet: fix a possible leak when destroy a ctrl

net: ice: Fix potential NULL pointer dereference

NFSv4: Fix memory leak in nfs4_set_security_label

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

scsi: qedi: Fix crash while reading debugfs attribute

wifi: iwlwifi: mvm: don't read past the mfuart notifcation

wifi: iwlwifi: mvm: check n_ssids before accessing the ssids

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

wifi: cfg80211: Lock wiphy in cfg80211_get_station

ipv6: fix possible race in __fib6_drop_pcpu_from()

tipc: force a dst refcount before doing decryption

mm/huge_memory: don't unpoison huge_zero_folio

RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

crypto: bcm - Fix pointer arithmetic

bnxt_re: avoid shift undefined behavior in

netfilter: nf_tables: Fix potential data-race in

net/mlx5e: Add wrapping for auxiliary_driver ops and remove unused args

net/mlx5e: Fix netif state handling

netfilter: bridge: confirm multicast packets

netfilter: bridge: confirm multicast packets kpatch

PCI/MSI: Fix UAF in msi_capability_init

nvme: avoid double free special payload

net/sched: Fix UAF when resolving a clash

mm/hugetlb: fix missing hugetlb_lock for resv

This CVE introduces a regression and is reverted by CVE-2024-42102 in the same errata

efivarfs: force RO when remounting if SetVariable

efivarfs: force RO when remounting if SetVariable

KVM: SVM: Flush pages under kvm->lock to fix UAF

net: fix out-of-bounds access in ops_init

scsi: qedf: Ensure the copied buf is NUL

xhci: Fix failure to give back some cached cancelled URBs.

xhci: Add additional dynamic debug to follow URBs in cancel and error cases.

xhci: Handle TD clearing for multiple streams

ppp: reject claimed-as-LCP but actually malformed

The patch affects too much kernel code. Low impact CVE.

x86: stop playing stack games in profile_pc()

Reverts CVE-2024-26720, which we don't use.

mm: avoid overflows in dirty throttling logic

usb-storage: alauda: Fix uninit-value in alauda_check_media()

usb-storage: alauda: Check whether the media is initialized

usb-storage: alauda: Check whether the media is initialized (Adaptation)

Bluetooth: af_bluetooth: Fix deadlock

uio: Fix use-after-free in uio_open

gfs2: Remove ill-placed consistency check

gfs2: simplify gdlm_put_lock with out_free label

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

scsi: qla2xxx: Fix double free of fcport

wifi: nl80211: Avoid address calculations via out of bounds array indexing

wifi: mac80211: Avoid address calculations via out of bounds array indexing

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

cppc_cpufreq: Fix possible null pointer dereference

wifi: mt76: replace skb_put with skb_put_zero

cpufreq: exit() callback is optional

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

bpf, sockmap: Prevent lock inversion deadlock in map delete elem

scsi: qla2xxx: Fix command flush on cable pull

ring-buffer: Fix a race between readers and resize checks

Input: cyapa - add missing input core locking to suspend/resume functions

ARM related CVE

ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."

net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

net/sched: act_mirred: Create function tcf_mirred_to_dev and improve readability

net/sched: act_mirred: don't override retval if we already lost the skb

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

tipc: Return non-zero value from tipc_udp_addr2str() on error

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

gfs2: Fix NULL pointer dereference in gfs2_log_flush

RFDS: Medium score vulnerability affecting only Intel Atom CPUs, mitigated via microcode update.

netfilter: nft_flow_offload: reset dst in route object after setting up flow

mptcp: ensure snd_nxt is properly initialized on connect

Patches a sleepable function, there is a small but non-zero risk of livepatching failure

el9 kernels are not vulnerable: no versions with commit 88c67aeb1407 only.

netfilter: flowtable: initialise extack before use

netpoll: Fix race condition in netpoll_owner_active

af_unix: Fix garbage collector racing against connect()

xfs: don't walk off the end of a directory data block

xfs: add bounds checking to xlog_recover_process_data

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

ipv6: prevent possible NULL dereference in rt6_probe()

ext4: fold quota accounting into ext4_xattr_inode_lookup_create()

ext4: do not create EA inode under buffer lock

ext4: turn quotas off if mount failed after enabling quotas

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

wifi: mt76: mt7921s: fix potential hung tasks during chip recovery

tty: Fix out-of-bound vmalloc access in imageblit

tcp: add sanity checks to rx zerocopy

mptcp: fix data re-injection from stale subflow

scsi: core: Remove the /proc/scsi/${proc_name} directory earlier

scsi: core: Fix a procfs host directory removal regression

scsi: core: Fix unremoved procfs host directory regression

mac802154: fix llsec key resources release in mac802154_llsec_key_del

mac802154: fix llsec key resources release in mac802154_llsec_key_del

net/sched: taprio: extend minimum interval restriction to entire cycle too

xfs: fix log recovery buffer allocation for the

netfilter: nft_inner: validate mandatory meta and payload

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

mptcp: ensure snd_una is properly initialized on connect

kpatch add alt asm definitions

x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

x86/bugs: x86/bhi: Add support for clearing branch history at syscall entry

ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work

string.h: add array-wrappers for (v)memdup_user()

i2c: dev: copy userspace array safely

io_uring: clear opcode specific data for an early failure

function can sleep with no time out

ipv6: prevent NULL dereference in ip6_output()

block: fix overflow in blk_ioctl_discard()

nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().

ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()

ext4: regenerate buddy after block freeing failed if under fc replay

hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

vhost: use kzalloc() instead of kmalloc() followed by memset()

net: openvswitch: limit the number of recursions from action sets

ubi: Check for too small LEB size in VTBL code

bpf: Fix re-attachment branch in bpf_tracing_prog_attach

x86/fpu: Stop relying on userspace for info to fault in xsave buffer

tcp: make sure init the accept_queue's spinlocks once

ipv6: init the accept_queue's spinlocks in inet6_create

media: cec: core: avoid recursive cec_claim_log_addrs kpatch

media: cec: core: avoid recursive cec_claim_log_addrs kpatch

i2c: Fix a potential use after free

of: fdt: fix off-by-one error in unflatten_dt_nodes()

media: pvrusb2: fix use after free on context disconnection

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

Kernel versions older than 5.14.0-503.11.1.el9_5 are not affected

EDAC/thunderx: Fix possible out-of-bounds string access

net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()

md/raid5: fix atomicity violation in raid5_cache_count

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

RDMA/mlx5: Fix fortify source warning while accessing Eth segment

hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

stm class: Fix a double free in stm_register_device()

net/mlx5: Discard command completions in internal error

USB: core: Fix deadlock in usb_deauthorize_interface()

Out of scope: not affected

tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer

firmware: cs_dsp: Fix overflow checking of wmfw header

firmware: cs_dsp: Fix overflow checking of wmfw header (adaptation)

filelock: fix potential use-after-free in posix_lock_inode

drm/i915/gt: Fix potential UAF by revoke of fence registers

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

net/iucv: fix use after free in iucv_sock_close()

dev/parport: fix the array out-of-bounds risk

wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope: not affected

octeontx2-af: fix the double free in rvu_npc_freemem()

ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()

drm/amdgpu: add error handle to avoid out-of-bounds

drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()

Out of scope: not affected

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

include/linux/generic-radix-tree.h: replace kernel.h with the necessary inclusions

lib/generic-radix-tree.c: Don't overflow in peek()

can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()

can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()

can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()

can: isotp: fix error path in isotp_sendmsg() to unlock wait queue

usbnet: sanity check for maxpacket

nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells

hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations

asix: fix uninit-value in asix_mdio_read()

netfilter: nft_set_pipapo: do not free live element

ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()

atl1c: Work around the DMA RX overflow issue

atl1c: Work around the DMA RX overflow issue

Bluetooth: btrtl: fix out of bounds memory access

Bluetooth: btrtl: fix out of bounds memory access

CVE patch is for AMD Inception vulnerability related to Speculative Return Stack Overflow (SRSO)

Input: powermate - fix use-after-free in powermate_config_complete

Bluetooth: Fix TOCTOU in HCI debugfs implementation

xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING

mlxsw: spectrum_acl_tcam: Fix memory leak during rehash

filelock: Remove locks reliably when fcntl/close race is detected

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

mm/swap: fix race when skipping swapcache

ext4: avoid allocating blocks from corrupted group

ext4: avoid dividing by 0 in mb_update_avg_fragment_size()

mptcp: fix double-free on socket dismantle

net: veth: clear GRO when clearing XDP even when down MIME-Version: 1.0

Out of scope: boot time issue

bpf: Guard stack limits against 32bit overflow

of: Fix double free in of_parse_phandle_with_args_map

ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()

ALSA: scarlett2: Add missing error checks to *_ctl_get()

x86/mm: Ensure input to pfn_to_kaddr() is treated as a 64-bit type

net: atlantic: eliminate double free in error handling logic

Do not support powerpc build with kasan sanitizer 4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0

RDMA/qedr: Fix qedr_create_user_qp error flow

HID: i2c-hid-of: fix NULL-deref on failed power up

HID: i2c-hid-of: fix NULL-deref on failed power up

RDMA/srpt: Support specifying the srpt_service_guid

arp: Prevent overflow in arp_req_get().

md: Don't ignore suspended array in md_check_recovery()

net/sched: act_mirred: use the backlog for mirred ingress

md: Don't ignore read-only array in md_check_recovery()

vt_ioctl: fix array_index_nospec in vt_setactivate

ring-buffer: Do not attempt to read past "commit"

thermal: int340x: Consolidate freeing of acpi_buffer pointer

thermal: int340x: Consolidate freeing of acpi_buffer pointer

thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR

bpf: Check the other end of slot_type for STACK_SPILL

bpf: fix check for attempt to corrupt spilled pointer

mfd: syscon: Fix null pointer dereference in of_syscon_register()

Out of scope: not affected

platform/x86: think-lmi: Fix reference leak

drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()

virtio-blk: fix implicit overflow on virtio_max_dma_size

bonding: stop the device in bond_setup_by_slave()

i2c: core: Run atomic i2c xfer when !preemptible

i2c: core: Fix atomic xfer check for non-preempt config

Bug doesn't hit as enum values are just shifted numbers

crypto: pcrypt - Fix hungtask for PADATA_RESET

scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool

net/smc: avoid data corruption caused by decline

cpu/hotplug: Prevent self deadlock on CPU hot-unplug

cpu/hotplug: Don't offline the last non-isolated CPU

Bluetooth: btusb: Add date->evt_skb is NULL check

Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

perf: hisi: Fix use-after-free when register pmu fails

drm/radeon: possible buffer overflow

pstore/platform: Add check for kstrdup

can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds

nommu: kernel is not vulnerable. Commit 8220543("nommu: remove uses of VMA linked list") is absent

cachefiles: fix memory leak in cachefiles_add_cache()

geneve: make sure to pull inner header in geneve_rx()

hsr: Fix uninit-value access in hsr_get_node()

NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102

quota: Fix potential NULL pointer dereference

Current kernel is not vulnerable.

do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak

x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot

x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

drm/amdgpu: Reset IH OVERFLOW_CLEAR bit

tracing/trigger: Fix to return error if failed to alloc snapshot

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

drm/i915/gt: Reset queue_priority_hint on parking

wireguard: netlink: access device through ctx instead of peer

wireguard: netlink: check for dangling peer via is_dead instead of empty list

net: esp: fix bad handling of pages from page_pool

nbd: fix uaf in nbd_open

nbd: fix uaf in nbd_open

Kernel is not vulnerable: commit f2d5dcb4 is absent.

dyndbg: fix old BUG_ON in >control parser

drm/client: Fully protect modes[] with dev->mode_config.mutex

geneve: fix header validation in geneve[6]_xmit_skb

geneve: Fix incorrect inner network header offset when innerprotoinherit is set

bareudp: Pull inner IP header on xmit

vxlan: Pull inner IP header in vxlan_xmit_one()

drm/amdgpu: Fix potential null pointer derefernce

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash

Not a bug for a real-life RHEL9 setup

EFI Firmware: CVE patch is for EFI firmware which runs at boot time.

Kernel is not affected

Kernel is not affected

CVE patch is for powerpc arch only

tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL

drm/amdgpu/debugfs: fix error code when smc register accessors are NULL

ASoC: SOF: Add some bounds checking to firmware data

tcp_metrics: validate source addr length

net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()

inet: read sk->sk_family once in inet_recv_error()

Boot time issue

net: atlantic: Fix DMA mapping for PTP hwts ring

exit: Use the correct exit_code in /proc/<pid>/stat

fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand()

fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats

ext4: fix double-free of blocks due to wrong

drm/amd/display: Fix MST Null Ptr for RV

ppp_async: limit MRU to 64K

Warning fix doesn't worth live-patching

Boot time fix cannot be fixed with live-patching

The patch for this CVE fixing vulnerability which was introduced in kernel v6.7

PM / devfreq: Synchronize devfreq_monitor_[start/stop]

drm/tegra: dsi: Add missing check for of_find_device_by_node

Complex adaptation required. x86 and amd64 architectures are not affected. Issues triggers while dumping after another crash.

fbdev: Fix invalid page access after closing deferred I/O devices

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for powerpc arch only

mmc: sdio: fix possible resource leaks in some error paths

net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path

ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx->headset_codec_dev = NULL

calipso: fix memory leak in netlbl_calipso_add_pass()

nfs: fix UAF in direct writes

nfs: fix UAF in direct writes

mm: swap: fix race between free_swap_and_cache() and swapoff()

usb: xhci: Add error handling in xhci_map_urb_for_dma

fat: fix uninitialized field in nostale filehandles

nouveau: fix instmem race condition around ptr stores

mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled

Out of scope as the patch is for vmlinux init sections which are discarded after the boot

arm64: hibernate: Fix level3 translation fault in swsusp_save()

nbd: null check for nla_nest_start

Fix commit isn't present

pstore: inode: Only d_invalidate() is needed

clk: Fix clk_core_get NULL dereference

net: openvswitch: Fix Use-After-Free in ovs_ct_exit

Complex adaptation required. Network services prevents update because they can sleep in subflow_finish_connect() function.

wifi: nl80211: reject iftype change with mesh ID change

cpumap: Zero-initialise xdp_rxq_info struct before running

ALSA: usb-audio: Stop parsing channels bits when all channels

genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

KVM: Always flush async #PF workqueue when vCPU is being destroyed

KVM: Always flush async #PF workqueue when vCPU is being destroyed

Kernel is not affected

Bug triggers in kdump kernel which we don't patch

drm/amd/display: Implement bounds check for stream encoder creation in DCN301

tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()

net/sched: flower: Fix chain template offload kpatch

Out of scope: not affected

tun: limit printing rate when illegal packet received by tun dev

netfilter: flowtable: incorrect pppoe tuple

x86/mm/pat: fix VM_PAT handling in COW mappings

smb: client: fix potential UAF in smb2_is_valid_lease_break()

smb: client: fix potential UAF in cifs_dump_full_key()

smb: client: fix potential UAF in smb2_is_valid_oplock_break()

smb: client: fix potential UAF in cifs_stats_proc_show()

of: module: prevent NULL pointer dereference in vsnprintf()

mm/secretmem: fix GUP-fast succeeding on secretmem folios

x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()

ipv6: Fix infinite recursion in fib6_dump_done().

erspan: make sure erspan_base_hdr is present in skb->head

net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()

netfilter: nf_tables: reject new basechain after table flag update

bpf: Fix verification of indirect var-off stack access

bpf: Protect against int overflow for stack access size

iwlwifi: mvm: rfi: use kmemdup() to replace kzalloc + memcpy

wifi: iwlwifi: mvm: rfi: fix potential response leaks

It is not possible to fix this vulnerability using kernel livepatching because it lies below the system call level.

Existing kernels aren't affected

Existing kernels aren't affected

soundwire: cadence: fix invalid PDI offset

ALSA: timer: Set lower bound of start tick time

af_unix: Fix data races around sk->sk_shutdown.

af_unix: Fix data races around sk->sk_shutdown.

af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg

ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()

ALSA: Fix deadlocks with kctl removals at disconnection

scsi: qedf: Make qedf_execute_tmf() non-preemptible

drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes

ftruncate: pass a signed offset

pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (Adaptation)

kernel version 5.14 not affected

kernel version 5.14 not affected

kernel version 5.14 not affected

netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

clk: Get runtime PM before walking tree during disable_unused

clk: Get runtime PM before walking tree during disable_unused

Get runtime PM before walking tree for clk_summaryatch-description:

nouveau: lock the client object tree

nouveau: lock the client object tree

Affects only __init function for a built-in component, so patching will have no effect

None of the kernels is affected

net/mlx5e: fix a double-free in arfs_create_groups

mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update

irqchip/gic-v3-its: Prevent double free on error

smb: client: fix potential UAF in cifs_debug_files_proc_show()

smb: client: fix potential UAF in smb2_is_network_name_deleted()

smb: client: fix potential UAF in is_valid_oplock_break()

CVE requires complex backporting due to many missing patches

Out of scope as the patch is for i.MX SoC

wifi: mt76: mt7921e: fix use-after-free in free_irq()

Out of scope: ARM64 architecture issue

drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

Kernel is not affected.

vmci: prevent speculation leaks by sanitizing event in event_deliver()

Existing kernels aren't affected

serial: imx: Introduce timeout when waiting on transmitter empty

iommu: Return right value in iommu_sva_bind_device()

nfs: handle error of rpc_proc_register() in init_nfs_fs()

[PATCH] pinctrl: core: fix possible memory leak in pinctrl_enable()

[PATCH] pinctrl: core: delete incorrect free in pinctrl_enable()

Kernel is not affected

Thermal debugfs isn't present on redhat kernels.

[PATCH 1/1] drm/vmwgfx: Fix invalid reads in fence signaled events

Thermal debugfs isn't present on redhat kernels.

[PATCH] KEYS: trusted: Fix memory leak in tpm2_key_encode()

[PATCH] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP

usb: dwc3: Wait unconditionally after issuing EndXfer command

Intoduced in the same kernel version with the fix

Complex adaptation required

Intoduced in the same kernel version with the fix

net: hns3: fix kernel crash problem in concurrent scenario

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory

vmxnet3: disable rx data ring on dma allocation failure

Complex adaptation required, low score patch for non critical subsystem amdgpu

filelock: Fix fcntl/close race recovery compat path

Kernel not vulnerable: blamed commit is absent

firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers

netfilter: nf_tables: prefer nft_chain_validate

firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files

drm/radeon: check bo_va->bo is non-NULL before using it

Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

RDMA/irdma: Fix KASAN issue with tasklet

nvme-fc: do not wait in vain when unloading module

nvme-fc: do not wait in vain when unloading module

RDMA/srpt: Do not register event handler until srpt device is fully setup

amdgpu: validate offset_in_bo of drm_amdgpu_gem_va

drm/amdgpu: validate the parameters of bo mapping operations more clearly

vfio/pci: Disable auto-enable of exclusive INTx IRQ

wireguard: receive: annotate data-race around receiving_counter.counter

drivers: core: synchronize really_probe() and dev_uevent()

[PATCH 1/1] leds: trigger: Unregister sysfs attributes before calling

dma: fix call order in dmam_free_coherent

Affects only the s390 architecture.

net/mlx5: Always drain health in shutdown callback

wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()

[PATCH 5063/5129] mm/memcg: minor cleanup for MEM_CGROUP_ID_MAX

[PATCH 01288/16137] mm: memcontrol: fix cannot alloc the maximum

[PATCH 05019/17954] memcontrol: ensure memcg acquired by id is

[PATCH] memcg: protect concurrent access to mem_cgroup_idr

wifi: mac80211: fix NULL dereference at band check in starting tx ba session

fuse: Initialize beyond-EOF page contents before setting uptodate

complex adaptation required for el9-arm64, el9-x86 not affected

spi: Fix null dereference on suspend

spi: Fix null dereference on suspend

tty: add the option to have a tty reject a new ldisc

tty: add the option to have a tty reject a new ldisc

Affected p2sb driver is not present in kernel v5.14.0

firmware: cs_dsp: Return error if block header overflows file

firmware: cs_dsp: Validate payload length before processing block

Out of scope: 64-bit systems not affected.