An introduction of required changes through KernelCare could cause unavoidable problems to applications which use netfilter functionality.

net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

Bluetooth: Fix double free in hci_conn_cleanup

fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super

ida: Fix crash in ida_free when the bitmap is empty

drm/qxl: fix UAF on handle creation

UBUNTU: SAUCE: bpf: prevent helper argument PTR_TO_ALLOC_MEM to have offset other than 0

x86/sev: Harden #VC instruction emulation somewhat

Bluetooth: af_bluetooth: Fix Use-After-Free in

Bluetooth: Add more enc key size check

Input: gtco - bounds check collection indent level

The patch for this CVE already present in kernel-5.14.0-362.24.1.el9_3 version. The kernel-5.14.0-362.18.1.el9_3 version and below are not vulnerable because they don't have commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) which introduced the vulnerability.

netfilter: nfnetlink_osf: avoid OOB read

netfilter: xt_sctp: validate the flag_info count

cxgb4: fix use after free bugs caused by circular

fbcon: Fix error paths in set_con2fb_map

fbcon: set_con2fb_map needs to set con2fb_map!

net/sched: cls_rsvp: always try to match inside the linear part of skb

netfilter: nf_tables: bail out on mismatching

kobject: Remove docstring reference to kset

kobject: modify kobject_get_path() to take a const

kobject: Fix slab-out-of-bounds in fill_kobj_path()

net: add a route cache full diagnostic message

net/dst: use a smaller percpu_counter batch for dst entries accounting

ipv6: remove max_size check inline with ipv4

ipv6: Remove extra counter pull before gc

media: technisat-usb2: break out of loop at end of

RDMA/irdma: Prevent zero-length STAG registration

atm: Fix Use-After-Free in do_vcc_ioctl

smb: client: fix potential OOBs in

smb: client: fix parsing of SMB3.1.1 POSIX create

mISDN: fix use-after-free bugs in l1oip timer

verify struct l1oip layout

Bluetooth: L2CAP: Fix u8 overflow

Complex adaptation required. Requires changes a lot of constants

Complex adaptation required.

team: fix null-ptr-deref when team device type is changed

team: fix null-ptr-deref when team device type is changed

vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF

vc_screen: don't clobber return value in vcs_read

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

sched/membarrier: reduce the ability to hammer on sys_membarrier

ipv4: fix null-deref in ipv4_link_failure

The modified structure mem_section_usage is used only during bootup time. As we patch the changes after booting they will have no effect. Therefore we cannot patch this CVE.

CVE has been marked as REJECTED on the NVD website.

net/core: Fix ETH_P_1588 flow dissector

netfilter: nf_tables: disallow timeout for anonymous sets

blk-mq: fix IO hang from sbitmap wakeup race

tty: keyboard, do not speculate on func_table index

tty/vt: fix write/write race in ioctl(KDSKBSENT)

vt: keyboard, simplify vt_kdgkbsent

vt: keyboard, extend func_buf_lock to readers

vt: keyboard, rename i to kb_func in vt_do_kdgkb_ioctl

vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl

vt_kdsetmode: extend console locking

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO

USB: core: Unite old scheme and new scheme descriptor reads

USB: core: Change usb_get_device_descriptor() API

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

USB: core: Fix oversight in SuperSpeed initialization

net: xfrm: Fix xfrm_address_filter OOB read

nvmet: nul-terminate the NQNs passed in the connect command

kvm: initialize all of the kvm_debugregs structure before sending it to userspace

i2c: i801: Don't generate an interrupt on bus reset

media: dvbdev: Fix memory leak in dvb_media_device_free()

net: usb: fix memory leak in smsc75xx_bind

net: usb: fix possible use-after-free in

crypto: akcipher - default implementations for request callbacks

crypto: testmgr - split akcipher tests by a key type

crypto: akcipher - Disable signing and decryption

platform/x86: think-lmi: Fix reference leak

wifi: iwlwifi: fix a memory corruption

net/sched: act_ct: fix skb leak and crash on ooo frags

Out of scope as the patch is for s390 arch only, x86_64 is not affected

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

uio: Fix use-after-free in uio_open

i2c: i801: Fix block process call transactions

i2c: Fix a potential use after free

media: pvrusb2: fix use after free on context disconnection

md/raid5: fix atomicity violation in raid5_cache_count

CVE patch is for powerpc arch only

This CVE modifies the functions which won't be available or doesn't make sense to patch as they are used during bootup time or init. Therefore we cannot patch this CVE.

tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc

vt: fix memory overlapping when deleting chars in the buffer

usb: hub: Guard against accesses to uninitialized BOS descriptors

RDMA/siw: Fix connection failure handling

net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg

wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()

wifi: rt2x00: restart beacon queue when hardware reset

RDMA/srpt: Do not register event handler until srpt device is fully setup

wifi: mt76: mt7921e: fix use-after-free in free_irq()

The given kernel version isn't vulnerable.

mtd: properly check all write ioctls for permissions

mtd: require write permissions for locking and badblock ioctls

WiFi - Complex adaptation required.

wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work

RDMA/qedr: Fix qedr_create_user_qp error flow

wifi: mac80211: fix race condition on enabling

do_sys_name_to_handle(): use kzalloc() to fix

usb: ulpi: Fix debugfs directory leak

USB: core: Add hub_get() and hub_put() routines

USB: core: Fix deadlock in port "disable" sysfs attribute

USB: core: Fix deadlock in

USB: core: Add hub_get() and hub_put() routines

fat: fix uninitialized field in nostale filehandles

fs: sysfs: Fix reference leak in sysfs_break_active_protection()

vhost: use kzalloc() instead of kmalloc() followed by memset()

x86/fpu: Stop relying on userspace for info to

net/smc: fix illegal rmb_desc access in SMC-D connection dum

netfilter: nf_tables: disallow anonymous set with timeout flag

The given kernel version isn't vulnerable (Netfilter).

hwmon: (coretemp) Fix out-of-bounds memory access

wifi: iwlwifi: mvm: fix a crash when we run out of stations

wifi: iwlwifi: fix double-free bug

USB: usb-storage: Prevent divide-by-0 error in

net:emac/emac-mac: Fix a use after free in

i2c: validate user data in compat ioctl

xhci: process isoc TD properly when there was a

xhci: process isoc TD properly when there was a transaction error mid TD kpatch

xhci: handle isoc Babble and Buffer Overrun events

net/mlx5e: Prevent deadlock while disabling aRFS

net/mlx5e: Prevent deadlock while disabling aRFS

x86 xen add xenpv restore regs and return to usermode

kpatch add alt asm definitions

kpatch add paravirt asm definitions