net/sched: cls_u32: fix netns refcount changes in u32_change()

Out of scope as the patch is aarch64 related

perf: Fix perf_event_validate_size() lockdep splat

perf: Fix perf_event_validate_size() lockdep splat

net/packet: fix slab-out-of-bounds access in packet_recvmsg()

drm/vmwgfx: Fix shader stage validation

video: of_display_timing.h: include errno.h

fbcon: Disallow setting font bigger than screen size

fbcon: Prevent that screen size is smaller than font size

fbmem: Check virtual screen sizes in fb_set_var()

media: em28xx: initialize refcount before kref_get

devlink: Fix use-after-free after a failed reload

drm/amdgpu: Fix potential fence use-after-free v2

media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()

KVM: nVMX: add missing consistency checks for CR0 and CR4

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

sctp: fail if no bound addresses can be used for a given scope

KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux

drm/vmwgfx: Remove rcu locks from user resources

drm/vmwgfx: Remove rcu locks from user resources

drm/vmwgfx: Fix possible null pointer derefence with invalid contexts

psi: Fix uaf issue when psi trigger is destroyed while being polled (adaptation)

HID: elo: fix memory leak in elo_probe

net: sched: fix use-after-free in tc_new_tfilter()

smb: client: fix OOB in smbCalcSize()

drm/atomic: Fix potential use-after-free in nonblocking commits

drm/atomic: Fix potential use-after-free in nonblocking commits

wifi: cfg80211: fix BSS refcounting bugs

smb: client: fix OOB in receive_encrypted_standard()

KVM: x86/mmu: Fix race condition in direct_page_fault

wifi: cfg80211: avoid nontransmitted BSS list corruption

atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

wifi: mac80211: fix crash in beacon protection for P2P-device

wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()

netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()

Medium severity vulnerability CVE requiring extremely complex adaptation (if at all possible)

ext4: fix kernel BUG in 'ext4_write_inline_data_end()'

media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()

sched/membarrier: reduce the ability to hammer on sys_membarrier

KVM: x86: avoid calling x86 emulator without a decoded

ext4: check if directory block is within i_size

ext4: make sure ext4_append() always allocates

ext4: fix check for block being out of directory size

veth: ensure skb entering GRO are not cloned

Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

ipv4: avoid using shared IP generator for connected sockets

ipv4: tcp: send zero IPID in SYNACK messages

mlxsw: spectrum_acl_tcam: Fix stack corruption

Complex adaptation required.

net: add atomic_long_t to net_device_stats fields

net: Fix unwanted sign extension in netdev_stats_to_stats64()

net: bridge: use DEV_STATS_INC()

net: add atomic_long_t to net_device_stats fields

net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send

net: sched: atm: dont intepret cls results when asked to drop

Bluetooth: af_bluetooth: Fix Use-After-Free in

wifi: mac80211: fix potential key use-after-free

ALSA: pcm: Fix races among concurrent read/write and buffer changes

ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls

ALSA: pcm: Fix races among concurrent prealloc proc writes

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls (adaptation)

netfilter: nf_tables: disallow anonymous set with timeout flag

fs: sysfs: Fix reference leak in sysfs_break_active_protection()

net: ti: fix UAF in tlan_remove_one

KVM: x86/mmu: fix NULL pointer dereference on guest INVPCID

tls: disable async encrypt/decrypt

ipv6: sr: fix possible use-after-free and

Bluetooth: Avoid potential use-after-free in

net: ip_tunnel: prevent perpetual headroom growth

netfilter: Complex adaptation required.

net: ena: Fix incorrect descriptor free behavior

netfilter: nf_tables: honor table dormant flag from

tipc: fix UAF in error path

ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

net: amd-xgbe: Fix skb data length underflow

net/mlx5e: fix a potential double-free in fs_any_create_groups

bonding: stop the device in bond_setup_by_slave()

arp: Prevent overflow in arp_req_get().

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

CVE marked as rejected by vendor

net/mlx5: Properly link new fs rules into the tree

i40e: fix vf may be used uninitialized in this

scsi: qla2xxx: Fix off by one in

net: core: reject skb_copy(_expand) for fraglist GSO skbs

af_unix: Fix data races in

af_unix: Fix data-races around sk->sk_shutdown.

hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

drm: Don't unref the same fb many times by mistake due to deadlock handling

tcp: add sanity checks to rx zerocopy

vfio/pci: Lock external INTx masking ops

mptcp: fix data re-injection from stale subflow

NFSv4.2: fix nfs4_listxattr kernel BUG at

ipvlan: Dont Use skb->sk in

wifi: mac80211: check/clear fast rx for non-4addr

mm/hugetlb: fix missing hugetlb_lock for resv

tls: fix missing memory barrier in tls_init

net/mlx5: Discard command completions in internal

net: qcom/emac: fix UAF in emac_remove

proc/vmcore: let pfn_is_ram() return a bool

proc/vmcore: fix clearing user buffer by properly using clear_user()

bnxt: prevent skb UAF after handing over to PTP worker

NFSD: Fix the behavior of READ near OFFSET_MAX

NFSD: Fix ia_size underflow

NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes

uio: Fix use-after-free in uio_open

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

tcp: do not accept ACK of bytes we never sent

SUNRPC: Fix UAF in svc_tcp_listen_data_ready()

VFIO: Add the SPR_DSA and SPR_IAX devices to the

mlxsw: spectrum_acl_tcam: Fix memory leak when

rtnetlink: Correct nested IFLA_VF_VLAN_LIST

net: fix __dst_negative_advice() race

ionic: clean interrupt before enabling queue to avoid credit race

ionic: fix use after netif_napi_del()

tap: add missing verification for short frame

tun: add missing verification for short frame

ipc/mqueue.c: remove duplicated code

ipc/mqueue.c: update/document memory barriers

ipc/msg.c: update and document memory barriers

ipc/sem.c: document and update memory barriers

ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry

mISDN: fix possible use-after-free in HFC_cleanup()

mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq

isdn: mISDN: Fix sleeping function called from invalid context

KVM: x86: nSVM: fix potential NULL derefernce on nested migration

perf: Fix list corruption in perf_cgroup_switch()

smb: client: fix potential OOBs in

smb: client: fix parsing of SMB3.1.1 POSIX create

net/sched: act_ct: fix skb leak and crash on ooo frags

platform/x86: wmi: Fix opening of char device

wifi: iwlwifi: dbg-tlv: ensure NUL termination

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

tcp: Use refcount_inc_not_zero() in tcp_twsk_unique()

wifi: nl80211: don't free NULL coalescing rule

gfs2: Remove ill-placed consistency check

gfs2: simplify gdlm_put_lock with out_free label

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

iommu: Fix potential use-after-free during probe

cxgb4: avoid accessing registers when clearing filters

nvme-rdma: destroy cm id before destroy qp to avoid use after free

mm/slub: fix to return errno if kmalloc() fails

bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE

r8169: Fix possible ring buffer corruption on fragmented Tx packets

xfs: add bounds checking to xlog_recover_process_data

userfaultfd: fix a race between writeprotect and exit_mmap()

hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove

Squashfs: check the inode number is not the invalid

vt: fix unicode buffer corruption when deleting

mm, thp: bail out early in collapse_file for writeback page

ipv6: sr: fix out-of-bounds read when setting HMAC data

virtio-net: Add validation for used length

netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()

netfilter: nf_tables: Fix potential data-race in

netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()

ext4: fix double-free of blocks due to wrong

ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

cgroup: cgroup_get_from_id() must check the looked-up kn is a directory

exit: Use the correct exit_code in /proc/<pid>/stat

fs/proc: do_task_stat: use __for_each_thread()

fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand()

fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats

mptcp: ensure snd_nxt is properly initialized on connect

wifi: mac80211: Avoid address calculations via out of bounds array indexing

netfilter: tproxy: bail out if IP has been disabled

af_unix: Fix garbage collector racing against connect()

KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache

Fixed function sleeps and executed in kthread, which may prevent patching/unpatching. Low score CVE.

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create

drm/amdgpu: fix use-after-free bug

mptcp: pm: Fix uaf in __timer_delete_sync

scsi: mpt3sas: Fix use-after-free warning

vsock: remove vsock from connected table when connect is interrupted by a signal

gro: fix ownership transfer

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

cifs: Return correct error code from smb2_get_enc_key

can: bcm: Fix UAF in bcm_proc_show()

HID: core: zero-initialize the report buffer

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

ALSA: usb-audio: Fix a DMA to stack memory bug

ALSA: usb-audio: add minimal macros for __free(kfree) to work

Out of scope: ARM64 architecture isn't supported for current kernel

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

netfilter: ipset: add missing range check in bitmap_ip_uadt

Postponed: complex analysis and adaptation required

tipc: fix use-after-free Read in tipc_named_reinit

ndisc: use RCU protection in ndisc_alloc_skb()

scsi: libfc: Fix use after free in fc_exch_abts_resp()

dm ioctl: prevent potential spectre v1 gadget

Bluetooth: Fix use after free in hci_send_acl

udf: Fix a slab-out-of-bounds write bug in udf_find_entry()

udf: Fix a slab-out-of-bounds write bug in udf_find_entry()

cifs: potential buffer overflow in handling symlinks

Out of scope: User-mode Linux isn't supported for current kernel

net: atm: fix use after free in lec_send()

wifi: iwlwifi: limit printed string from FW file

ext4: ignore xattrs past end

misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

ext4: avoid resizing to a partial cluster size

drivers:md:fix a potential use-after-free bug

media: uvcvideo: Fix double free in error path

media: uvcvideo: Remove s_ctrl and g_ctrl

media: uvcvideo: Remove s_ctrl and g_ctrl

media: uvcvideo: Set error_idx during ctrl_commit errors

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

padata: fix UAF in padata_reorder

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

ext4: fix off-by-one error in do_split

Complex adaptation required. Low impact CVE

net: ch9200: fix uninitialised access during mii_nway_restart

i2c/designware: Fix an initialization issue

can: peak_usb: fix use after free bugs

sch_hfsc: make hfsc_qlen_notify() idempotent

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

crypto: algif_hash - fix double free in hash_accept

ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead

Bluetooth: hci_core: Fix use-after-free in vhci_flush()

sch_qfq: make qfq_qlen_notify() idempotent

sch_cbq: make cbq_qlen_notify() idempotent

sch_htb: make htb_qlen_notify() idempotent

sch_htb: make htb_deactivate() idempotent

sch_ets: make est_qlen_notify() idempotent

sch_drr: make drr_qlen_notify() idempotent

net/sched: Always pass notifications when child class becomes empty

Complex adaptation required. High risk of regression.

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

scsi: lpfc: Use memcpy() for BIOS version

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

tipc: Fix use-after-free in tipc_conn_close().

md-raid10: fix KASAN warning

ipv6: mcast: extend RCU protection in igmp6_send()

ipv6: mcast: extend RCU protection in igmp6_send()

udp: Fix memory accounting leak.

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

net/sched: sch_qfq: Fix race condition on qfq_aggregate

net/sched: sch_qfq: Fix race condition on qfq_aggregate

smb: client: fix use-after-free in cifs_oplock_break

drm/amd/display: clear optc underflow before turn off odm clock

bpf: Don't use tnum_range on array range checking for poke descriptors

Out of scope: not affected

ALSA: bcd2000: Fix a UAF bug on the error path of probing

net_sched: ets: Fix double list add in class with netem as child qdisc

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

requires a very complex adaptation

vsock: Fix transport_* TOCTOU

vsock: Fix transport_* TOCTOU

use uniform permission checks for all mount propagation changes

Not affected: issue introduced since 4.18.0-477.*

Bluetooth: L2CAP: Fix use-after-free

Bluetooth: L2CAP: Fix use-after-free

net: usb: smsc75xx: Limit packet length to skb->len

net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

HID: core: Harden s32ton() against conversion to 0 bits

HID: core: fix shift-out-of-bounds in hid_report_raw_event

Out of scope: not affected

RDMA/irdma: Fix a window for use-after-free

KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0

net_sched: hfsc: Fix a UAF vulnerability in class handling

This CVE has been rejected or withdrawn by its CVE Numbering Authority as per NVD website

mptcp: do not queue data on closed subflows

mm: fix zswap writeback race condition

mm: zswap: fix missing folio cleanup in writeback race path

crypto: seqiv - Handle EBUSY correctly

Bluetooth: Fix potential use-after-free when clear keys

wifi: cfg80211: fix use-after-free in cmp_bss()

fs: fix UAF/GPF bug in nilfs_mdt_destroy

scsi: lpfc: Fix buffer free/clear order in deferred receive path

wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()

ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()

iomap: iomap: fix memory corruption when recording errors during writeback

wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes

wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

ASoC: SOF: Intel: hda: Fix potential buffer overflow by snprintf()

wifi: mac80211: check S1G action frame size

sctp: linearize cloned gso packets in sctp_rcv

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

The vulnerable commit isn't present in the kernel-eus-8.6 series.

NFSD: Protect against send buffer overflow in NFSv2 READ

ALSA: usb-audio: Validate UAC3 power domain descriptors, too

ALSA: usb-audio: Validate UAC3 power domain descriptors, too

mt76: mt7921: fix kernel panic by accessing unallocated eeprom.data

ip6mr: Fix skb_under_panic in ip6mr_cache_report()

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

net: sched: sfb: fix null pointer access issue when sfb_init() fails

ext4: fix undefined behavior in bit shift for ext4_check_flag_values

skbuff: skb_segment, Call zero copy functions before using skbuff frags

wifi: mwifiex: Fix OOB and integer underflow when rx packets

wifi: mwifiex: Fix missed return in oob checks failed path

wifi: mwifiex: Fix OOB and integer underflow when rx packets

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

smb: client: fix race with concurrent opens in rename(2)

tty: keyboard, do not speculate on func_table index

tty/vt: fix write/write race in ioctl(KDSKBSENT)

vt: keyboard, simplify vt_kdgkbsent

vt: keyboard, extend func_buf_lock to readers

vt: keyboard, rename i to kb_func in vt_do_kdgkb_ioctl

vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl

wifi: mac80211: don't return unset power in ieee80211_get_tx_power()

RDMA/rxe: Fix mr->map double free

scsi: qla2xxx: Wait for io return on terminate rport

mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()

nbd: fix incomplete validation of ioctl arg

scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses

scsi: ses: Fix possible desc_ptr out-of-bounds accesses

NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL

smb: client: Fix use-after-free in cifs_fill_dirent

e1000e: fix heap overflow in e1000_set_eeprom

i40e: fix validation of VF state in get resources

i40e: fix input validation logic for action_meta

i40e: fix idx validation in config queues msg

i40e: fix idx validation in i40e_validate_queue_map

i40e: add validation for ring_len param

i40e: add validation for ring_len param

i40e: validate ring_len parameter against hardware-specific values

libceph: fix potential use-after-free in have_mon_and_osd_map()

mac80211: fix potential double free on mesh join

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

ipv6: Fix out-of-bounds access in ipv6_find_tlv()

vsock: Ignore signal/timeout on connect() if already established

media: rc: fix races with imon_disconnect()

tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

mptcp: fix race condition in mptcp_schedule_work()

Bluetooth: hci_event: call disconnect callback before deleting conn

NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

fbdev: bitblit: bound-check glyph index in bit_putcs*

ext4: fix use-after-free in ext4_orphan_cleanup

net/mlx5e: Check for NOT_READY flag state after locking

Out of scope: not affected

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname

cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname

atm: clip: Fix infinite recursive call of clip_push().

RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem

Squashfs: check return result of sb_min_blocksize

squashfs: fix memory leak in squashfs_fill_super

Squashfs: check return result of sb_min_blocksize

smb: client: let recv_done verify data_offset, data_length and remaining_data_length

usb: core: config: Prevent OOB read in SS endpoint companion parsing

net/sched: Enforce that teql can only be used as root

fs/proc: fix uaf in proc_readdir_de()

ip6_vti: fix slab-use-after-free in decode_session6

net: page_pool: use in_softirq() instead

page_pool: fix inconsistency for page_pool_ring_[un]lock()

page_pool: Fix use-after-free in page_pool_recycle_in_ring

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

RDMA/rxe: Fix incomplete state save in rxe_requester

RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug

sctp: avoid NULL dereference when chunk data buffer is missing

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

macvlan: flush source entries on error in macvlan_common_newlink()

macvlan: fix error recovery in macvlan_common_newlink()

bridge: mcast: Fix use-after-free during router port configuration

dm raid: fix accesses beyond end of raid member array

mptcp: cope racing subflow creation in mptcp_rcv_space_adjust