sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

mm/huge_memory: fix dereferencing invalid pmd migration entry

RDMA/core: Fix use-after-free when rename device name

wifi: iwlwifi: limit printed string from FW file

media: uvcvideo: Fix double free in error path

net/mdiobus: Fix potential out-of-bounds clause 45 read/write access

ext4: avoid journaling sb update on error if journal is destroying

ext4: avoid journaling sb update on error if journal is destroying

RDMA/mlx5: Fix page_size variable overflow

ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()

ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()

net_sched: hfsc: Fix a UAF vulnerability in class handling

net: ch9200: fix uninitialised access during mii_nway_restart

cifs: Fix integer overflow while processing closetimeo mount option

padata: fix UAF in padata_reorder

net/sched: fix use-after-free in taprio_dev_notifier

misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Complex adaptation required. Low impact CVE

crypto: algif_hash - fix double free in hash_accept

wifi: ath12k: fix invalid access to memory

Patch meant for use with microcode update

net: fix udp gso skb_segment after pull from frag_list

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

Bluetooth: hci_core: Fix use-after-free in vhci_flush()

mm/hugetlb: unshare page tables during VMA split, not before

Complex adaptation required. High risk of regression.

tls: always refresh the queue when reading sock

i2c/designware: Fix an initialization issue

bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()

udp: Fix memory accounting leak.

net_sched: ets: Fix double list add in class with netem as child qdisc

ice: fix eswitch code memory leak in reset scenario

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

vsock: Fix transport_* TOCTOU

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too

net/sched: Always pass notifications when child class becomes empty

tipc: Fix use-after-free in tipc_conn_close().

xfrm: interface: fix use-after-free after changing collect_md xfrm interface

xfrm: interface: fix use-after-free after changing collect_md xfrm interface

udmabuf: fix a buf size overflow issue during udmabuf creation

idpf: convert control queue mutex to a spinlock

scsi: lpfc: Use memcpy() for BIOS version

drm/vkms: Fix use after free and double free on init error

drm/vkms: Fix use after free and double free on init error

requires a very complex adaptation

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

ipv6: mcast: Delay put pmc->idev in mld_del_delrec()

usb: dwc3: gadget: check that event count does not exceed event buffer length

do_change_type(): refuse to operate on unmounted/not ours mounts

Out of scope: IBM System/390 architecture isn't supported for current kernel

net: usb: smsc75xx: Limit packet length to skb->len

net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull

netfilter: nf_conntrack: fix crash due to removal of uninitialised entry

smb: client: fix use-after-free in cifs_oplock_break

sctp: linearize cloned gso packets in sctp_rcv

tls: fix handling of zero-length records on the rx_list

io_uring/futex: ensure io_futex_wait() cleans up properly on failure

security/keys: fix slab-out-of-bounds in key_task_permission

KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush

KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush

wifi: ath12k: Decrement TID on RX peer frag setup error handling

eventpoll: Fix semi-unbounded recursion

eventpoll: Fix semi-unbounded recursion

eventpoll: Fix semi-unbounded recursion

HID: simplify snto32()

HID: stop exporting hid_snto32()

HID: core: Harden s32ton() against conversion to 0 bits

HID: stop exporting hid_snto32()

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Fix size validation in convert_chmap_v3()

crypto: seqiv - Handle EBUSY correctly

nfsd: don't ignore the return code of svc_proc_register()

wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()

sunrpc: fix handling of server side tls alerts

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

sunrpc: fix client side handling of tls alerts

SUNRPC: call xs_sock_process_cmsg for all cmsg

scsi: lpfc: Fix buffer free/clear order in deferred receive path

Out of scope: not affected

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

This CVE has been rejected or withdrawn by its CVE Numbering Authority as per NVD website

fs/smb: Fix inconsistent refcnt update

vsock/virtio: Validate length in packet header before skb_put()

pstore/ram: Check start of empty przs during init

ipv6: sr: Fix MAC comparison to be constant-time

fs: fix UAF/GPF bug in nilfs_mdt_destroy

crypto: xts - Handle EBUSY correctly

Squashfs: sanity check symbolic link size

net: af_can: do not leave a dangling sk pointer in can_create()

netfilter: conntrack: clamp maximum hashtable size to INT_MAX

nfsd: clear acl_access/acl_default after releasing them

Out of scope: not affected

vrf: use RCU protection in l3mdev_l3_out()

wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()

acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl

usb: typec: ucsi: displayport: Fix NULL pointer access

RDMA/rxe: Fix the qp flush warnings in req

sched: sch_cake: add bounds checks to host bulk flow fairness counts

cachestat: fix page cache statistics permission checking

pfifo_tail_enqueue: Drop new packet when sch->limit == 0

ata: libata-sff: Ensure that we cannot write outside the allocated buffer

ima: Fix potential memory leak in ima_init_crypto()

ima: Fix a potential integer overflow in ima_appraise_measurement

tracing/histograms: Fix memory leak problem

usbnet: fix memory leak in error case

net: tun: unlink NAPI from device on destruction

soc: qcom: cmd-db: Map shared memory as WC, not WB

vfs: fix race between evice_inodes() and find_inode()&iput()

crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY

HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections

rtc: check if __rtc_read_time was successful in rtc_timer_do_work()

nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()

can: j1939: j1939_send_one(): fix missing CAN header initialization

can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods

Out of scope: PowerPC architecture isn't supported for current kernel

bpf: Send signals asynchronously if !preemptible

[PATCH] bpf: Use preempt_count() directly in bpf_send_signal_common()

CONFIG_IBMVNIC is not enabled on EL9.

bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors

bpf: avoid holding freeze_mutex during mmap operation

io_uring: check if we need to reschedule during overflow flush

SUNRPC: introduce cache_check_rcu to help check in rcu context

SUNRPC: introduce cache_check_rcu to help check in rcu context

SUNRPC: no need get cache ref when protected by rcu

nfsd: no need get cache ref when protected by rcu

nfsd: fix UAF when access ex_uuid or ex_stats

NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client()

io_uring: check if iowq is killed before queuing

block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()

io_uring: prevent opcode speculation

RDMA/mlx5: Fix implicit ODP use after free

RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling

RDMA/mlx5: Fix implicit ODP hang on parent deregistration

wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev()

wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion

wifi: mt76: mt7925: fix off by one in mt7925_load_clc()

linux/dim: Fix divide by 0 in RDMA DIM

posix-clock: Fix missing timespec64 check in pc_clock_settime()

posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()

Bluetooth: btrtl: check for NULL in btrtl_setup_realtek()

Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name()

crypto: tegra - do not transfer req when tegra init fails

ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback

netfilter: nf_tables: reject mismatching sum of field_len with set key length

Postponed: complex analysis and adaptation required

blk-cgroup: Fix UAF in blkcg_unpin_online()

block: fix uaf for flush rq while iterating tags

x86/tdx: Fix "in-kernel MMIO" check

OPP: add index check to assert to avoid buffer overflow in _read_freq()

OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized

blk-cgroup: Fix class @block_class's subsystem refcount leakage

KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()

team: better TEAM_OPTION_TYPE_STRING validation

vxlan: check vxlan_vnigroup_init() return value

Patches a sleepable function, which may prevent patching/unpatching.

afs: Fix merge preference rule failure condition

rxrpc: Fix a race between socket set up and I/O thread creation

smb: client: Add check for next_buffer in receive_encrypted_standard()

igb: Fix potential invalid memory access in igb_init_module()

bpf: put bpf_link's program when link is safe to be deallocated

bpf: put bpf_link's program when link is safe to be deallocated

ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params

io_uring/rw: fix missing NOWAIT check for O_DIRECT start write

ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()

CVE has been marked as REJECTED on the NVD website.

Out of scope: not affected

wifi: rtlwifi: remove unused check_buddy_priv

Out of scope: PowerPC architecture isn't supported for current kernel

Out of scope: PowerPC architecture isn't supported for current kernel

can: j1939: j1939_session_new(): fix skb reference counting

fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass

CVE-2025-38396 header optimization: move anon_inode_make_secure_inode declaration to kc_fs.h

NFSD: fix hang in nfsd4_shutdown_callback

virtio/vsock: Fix accept_queue memory leak

bpf: Fix deadlock when freeing cgroup storage

arm64 and CONFIG_PAGE_SIZE_64KB specific

HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check

HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()

HID: thrustmaster: fix memory leak in thrustmaster_interrupts()

config CONFIG_SCSI_UFSHCD is not set for any kernel version

eth: bnxt: fix out-of-range access of vnic_info array

scsi: target: iscsi: Fix timeout on deleted connection

Out of scope: T2 Macs not supported

Out of scope: PowerPC architecture isn't supported for current kernel

Complex adaptation required

Out of scope: not affected

usb: xhci: Fix NULL pointer dereference on certain command aborts

mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()

wifi: iwlwifi: mvm: avoid NULL pointer dereference

wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links

Patch for mm subsystem from CVE of medium (5.5) impact

CAN isn't used in servers

CAN isn't used in servers

wifi: mac80211: don't flush non-uploaded STAs

drm/xe/tracing: Fix a potential TP_printk UAF

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

rxrpc: Fix missing locking causing hanging calls

rxrpc: Fix missing locking causing hanging calls

KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop

Input: serio - define serio_pause_rx guard to pause and resume serio ports

Input: synaptics - fix crash when enabling pass-through port

Input: synaptics - fix crash when enabling pass-through port

list: fix a data-race around ep->rdllist

ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()

tcp: drop secpath at the same time as we currently drop dst

acct: perform last write from workqueue

acct: perform last write from workqueue

net: let net.core.dev_weight always be non-zero

net: let net.core.dev_weight always be non-zero

afs: Fix lock recursion

[PATCH] mm: zswap: properly synchronize freeing resources during CPU hotunplug

[PATCH] mm: zswap: properly synchronize freeing resources during CPU hotunplug

[PATCH] mm: zswap: move allocations during CPU init outside the lock

[PATCH] mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()

Complex adaptation required

wifi: cfg80211: fix use-after-free in cmp_bss()

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

CVE rejected

iommu/vt-d: Disallow dirty tracking if incoherent page walk

ice: ice_adapter: release xa entry on adapter allocation failure

wifi: mt76: fix linked list corruption

Complex adaptation required

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

mm: slub: avoid wake up kswapd in set_track_prepare

Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync

Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue

io_uring/waitid: always prune wait queue entry in io_waitid_wait()

i40e: fix idx validation in config queues msg

NFS: Fix a race when updating an existing write

avoid modifying nfs_page_group_sync_on_bit

can: j1939: implement NETDEV_UNREGISTER notification handler

can: j1939: add missing calls in NETDEV_UNREGISTER notification handler

Blamed commit b581f4266928 is not present

tls: wait for pending async decryptions if tls_strp_msg_hold fails

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

iommufd: Fix race during abort for file descriptors

iommufd: Fix race during abort for file descriptors

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

sctp: avoid NULL dereference when chunk data buffer is missing

HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

libceph: fix potential use-after-free in have_mon_and_osd_map()

libceph: fix potential use-after-free in have_mon_and_osd_map()

usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

drm/xe: Make dma-fences compliant with the safe access rules

drm/xe: Make dma-fences compliant with the safe access rules

smb: client: let recv_done verify data_offset, data_length and remaining_data_length

eventpoll: don't decrement ep refcount while still holding the ep mutex

vsock: Ignore signal/timeout on connect() if already established

mptcp: fix race condition in mptcp_schedule_work()

net: atlantic: fix fragment overflow handling in RX path

Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()

Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()

dm: fix dm_blk_report_zones

dm: fix dm_blk_report_zones

Bluetooth: hci_sock: Prevent race in socket write iter and sock bind

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

devlink: rate: Unset parent pointer in devl_rate_nodes_destroy

net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing

net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing

Bluetooth: ISO: Fix possible UAF on iso_conn_free

net: openvswitch: fix nested key length validation in the set() action

Out of scope: ARM64 architecture isn't supported for current kernel

RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem

Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once

fs/proc: fix uaf in proc_readdir_de()

RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug

usb: core: config: Prevent OOB read in SS endpoint companion parsing

Squashfs: check return result of sb_min_blocksize

Squashfs: check return result of sb_min_blocksize

squashfs: fix memory leak in squashfs_fill_super

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

vsock/vmci: Clear the vmci transport packet properly when initializing it

net: dst: add four helpers to annotate data-races around dst->dev

net: Add locking to protect skb->dev access in ip_output

ipv4: use RCU protection in __ip_rt_update_pmtu()

net: dst: introduce dst->dev_rcu

ipv6: use RCU in ip6_output()

ipv6: use RCU in ip6_xmit()

CVE-2025-40170: optimize kpatch by redirecting inline callers to kc_ wrappers in kc_dst.h

net: ipv4: Consolidate ipv4_mtu and ip_dst_mtu_maybe_forward

ipv4: use RCU protection in ip_dst_mtu_maybe_forward()

net: use dst_dev_rcu() in sk_setup_caps()

atm: clip: Fix infinite recursive call of clip_push().

io_uring/net: commit partial buffers on retry

NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid

svcrdma: use rc_pageoff for memcpy byte offset

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

fbdev: bitblit: bound-check glyph index in bit_putcs*

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans

smc: Fix use-after-free in __pnet_find_base_ndev().

exfat: fix double free in delayed_free

page_pool: Fix use-after-free in page_pool_recycle_in_ring

smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

migrate: correct lock ordering for hugetlb file folios

io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()

KPATCH: drop io_sq_thread changes from CVE-2025-38106

macvlan: fix possible UAF in macvlan_forward_source()

mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats

Out of scope: intel-thc-hid driver not present in this kernel (introduced in 6.14)