Bluetooth: L2CAP: Fix u8 overflow

atm: Fix Use-After-Free in do_vcc_ioctl

perf: Fix perf_event_validate_size()

perf: Fix perf_event_validate_size() lockdep

netfilter: nf_tables: Reject tables of

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux

net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()

RDMA/irdma: Prevent zero-length STAG registration

RDMA/irdma: Prevent zero-length STAG registration

smb: client: fix OOB in receive_encrypted_standard()

smb: client: fix potential OOBs in smb2_parse_contexts()

smb: client: fix parsing of SMB3.1.1 POSIX create context

netfilter: nf_tables: check if catch-all set element is active in next generation

Bluetooth: af_bluetooth: Fix Use-After-Free in

io_uring/af_unix: disable sending io_uring over sockets

vc_screen: move load of struct vc_data pointer in

vc_screen: don't clobber return value in vcs_read

drm/qxl: fix UAF on handle creation

i2c: i801: Fix block process call transactions

ida: Fix crash in ida_free when the bitmap is empty

fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super {CVE-2024-0841}

Bluetooth: Fix double free in hci_conn_cleanup

The patch for this CVE already present in kernel-5.14.0-362.24.1.el9_3 version. The kernel-5.14.0-362.18.1.el9_3 version and below are not vulnerable because they don't have commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) which introduced the vulnerability.

Bluetooth: Add more enc key size check

netfilter: nfnetlink_osf: avoid OOB read

netfilter: xt_sctp: validate the flag_info count

kobject: Fix slab-out-of-bounds in fill_kobj_path()

kobject: modify kobject_get_path() to take a const *

Reapply "memcg: enable accounting for file lock

netfilter: nf_tables: bail out on mismatching

HID: sony: Fix a potential memory leak in sony_probe()

net/sched: act_ct: fix skb leak and crash on ooo frags

drm/vmwgfx: Fix possible null pointer derefence with invalid contexts

cxgb4: fix use after free bugs caused by circular

sched/membarrier: reduce the ability to hammer on sys_membarrier

ipv4: fix null-deref in ipv4_link_failure

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

perf/x86/lbr: Filter vsyscall addresses

neigh: make sure used and confirmed times are valid

net: fix possible store tearing in neigh_periodic_work()

net/core: Fix ETH_P_1588 flow dissector

ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

net: tls: fix use-after-free with partial reads

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

The modified structure mem_section_usage is used only during bootup time. As we patch the changes after booting they will have no effect. Therefore we cannot patch this CVE.

Bluetooth: hci_event: Ignore NULL link key

Bluetooth: Reject connection with the device

Bluetooth: hci_event: Fix using memcmp when

Bluetooth: hci_event: Fix coding style

Bluetooth: avoid memcmp() out of bounds warning

Bluetooth: HCI: Fix global-out-of-bounds

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY

netfilter: ipset: Fix race between

io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid

net: add atomic_long_t to net_device_stats fields

net: bridge: use DEV_STATS_INC()

net: bridge: use DEV_STATS_INC()

USB: core: Unite old scheme and new scheme

USB: core: Change usb_get_device_descriptor() API

USB: core: Fix race by not overwriting

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

net: xfrm: Fix xfrm_address_filter OOB read

team: fix null-ptr-deref when team device type is changed

team: fix null-ptr-deref when team device type is changed

nvmet: nul-terminate the NQNs passed in the

CVE has been marked as REJECTED on the NVD website.

crypto: akcipher - Disable signing and decryption

x86/sev: Harden #VC instruction emulation somewhat

netfilter: nf_tables: disallow anonymous set with timeout flag

netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout

netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations

netfilter: nft_ct: fix l3num expectations with inet pseudo family

net: ip_tunnel: prevent perpetual headroom growth

ipv6: sr: fix possible use-after-free and null-ptr-deref

fs: sysfs: Fix reference leak in sysfs_break_active_protection()

net/mlx5e: fix a potential double-free in fs_any_create_groups

Bluetooth: Avoid potential use-after-free in hci_error_reset

net/mlx5: Properly link new fs rules into the tree

net: hns3: do not allow call hns3_nic_net_open repeatedly

xen-netfront: Add missing skb_mark_for_recycle

smb: client: fix UAF in smb2_reconnect_server()

crypto: qat - resolve race condition during AER recovery

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

epoll: be better about file lifetimes

mlxbf_gige: stop interface during shutdown

net: amd-xgbe: Fix skb data length underflow

dm: call the resume method on internal suspend

nfp: flower: handle acti_netdevs allocation failure

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

icmp: prevent possible NULL dereferences from icmp_build_probe()

can: j1939: j1939_netdev_start(): fix UAF for

Squashfs: check the inode number is not the invalid value of zero

scsi: libfc: Fix potential NULL pointer

scsi: lpfc: Move NPIV's transport unregistration to after resource clean up

block: add check that partition length needs to be aligned with block size

mlxbf_gige: call request_irq() after NAPI initialized

scsi: lpfc: Release hbalock before calling

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

octeontx2: CVE patch is outside the scope.

eBPF: low score UAF with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y by default but needs complex adaptation.

VFIO: Add the SPR_DSA and SPR_IAX devices to the

wifi: rtl8xxxu: add cancel_work_sync() for

wifi: iwlwifi: dbg-tlv: ensure NUL termination

net: annotate data-races around

net: fix __dst_negative_advice() race

bonding: Fix out-of-bounds read in

wifi: cfg80211: check A-MSDU format more

net: netlink: af_netlink: Prevent empty skb by

wifi: ath10k: fix NULL pointer dereference in

platform/x86: wmi: remove unnecessary initializations

platform/x86: wmi: Fix opening of char device

phy: ti: phy-omap-usb2: Fix NULL pointer

netfilter: nft_chain_filter: handle

nfs: fix panic when nfs4_ff_layout_prepare_ds()

netfilter: nf_tables: do not compare internal

ipv6: fix potential "struct net" leak in

i40e: fix vf may be used uninitialized in this

wifi: iwlwifi: read txq->read_ptr under lock

ipv6: Fix potential uninit-value access in __ip6_make_skb()

wifi: iwlwifi: mvm: guard against invalid STA ID on removal

net: do not leave a dangling sk pointer, when socket creation fails

netns: Make get_net_ns() handle zero refcount net

ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes

vt: fix unicode buffer corruption when deleting characters

eeprom: at24: fix memory corruption race condition

mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

netfilter: nf_tables: flush pending destroy work before exit_net release

ice: fix memory corruption bug with suspend and rebuild

ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr

WiFi - Complex adaptation required.

ipv6: prevent possible NULL deref in fib6_nh_init()

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

net: openvswitch: fix overwriting ct original tuple for ICMPv6

igc: avoid returning frame twice in XDP_REDIRECT

wifi: brcmfmac: pcie: handle randbuf allocation failure

cxl/region: Fix cxlr_pmem leaks

net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()

wifi: iwlwifi: mvm: don't set the MFP flag for the GTK

Out of scope: boot time issue

tls: fix missing memory barrier in tls_init

virtio: delete vq in vp_find_vqs_msix() when request_irq() fails

wifi: nl80211: don't free NULL coalescing rule

net: core: reject skb_copy(_expand) for fraglist GSO skbs

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

netfilter: nf_tables: honor table dormant flag from netdev release event path

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

scsi: qla2xxx: Fix off by one in

md/raid5: fix deadlock that raid5d() wait for

md/raid5: remove pr_debug() in raid5d()

netfilter: nf_tables: release mutex after

netfilter: nft_set_rbtree: skip end interval

netfilter: nf_tables: Fix potential data-race in

tap: add missing verification for short frame

tun: add missing verification for short frame

netfilter: nft_limit: reject configurations that cause integer overflow

net: bridge: xmit: make sure we have at least eth

tty: n_gsm: require CAP_NET_ADMIN to attach

CVE marked as rejected by vendor

netfilter: flowtable: validate pppoe header

netfilter: nf_tables: Fix potential data-race in

netfilter: validate user input for expected length

netfilter: complete validation of user input

netfilter: nf_tables: discard table flag update

netfilter: nf_tables: discard table flag update

cxl/port: Fix delete_endpoint() vs parent

vfio/pci: Lock external INTx masking ops

nvmet: fix a possible leak when destroy a ctrl

net: ice: Fix potential NULL pointer dereference

NFSv4: Fix memory leak in nfs4_set_security_label

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()

seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors

scsi: qedi: Fix crash while reading debugfs attribute

wifi: iwlwifi: mvm: don't read past the mfuart notifcation

wifi: iwlwifi: mvm: check n_ssids before accessing the ssids

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

wifi: cfg80211: Lock wiphy in cfg80211_get_station

net: wwan: iosm: Fix tainted pointer delete is case of region creation fail

ipv6: fix possible race in __fib6_drop_pcpu_from()

tipc: force a dst refcount before doing decryption

mm/huge_memory: don't unpoison huge_zero_folio

RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

crypto: bcm - Fix pointer arithmetic

bnxt_re: avoid shift undefined behavior in

netfilter: nf_tables: Fix potential data-race in

net/mlx5e: Add wrapping for auxiliary_driver ops and remove unused args

net/mlx5e: Fix netif state handling

netfilter: bridge: confirm multicast packets

netfilter: bridge: confirm multicast packets kpatch

net: bridge: mst: fix vlan use-after-free

net: bridge: mst: fix vlan use-after-free

net: bridge: mst: fix vlan use-after-free

PCI/MSI: Fix UAF in msi_capability_init

nvme: avoid double free special payload

net/sched: Fix UAF when resolving a clash

iommufd: Fix missing update of domains_itree after splitting iopt_area

nfsd: fix RELEASE_LOCKOWNER

kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address

mm/hugetlb: fix missing hugetlb_lock for resv

This CVE introduces a regression and is reverted by CVE-2024-42102 in the same errata

efivarfs: force RO when remounting if SetVariable

efivarfs: force RO when remounting if SetVariable

KVM: SVM: Flush pages under kvm->lock to fix UAF

net: fix out-of-bounds access in ops_init

scsi: qedf: Ensure the copied buf is NUL

xhci: Handle TD clearing for multiple streams

ppp: reject claimed-as-LCP but actually malformed

Fix for skipped CVE-2023-52489 that modifies structure mem_section_usage only used at boot time

xdp: Remove WARN() from __xdp_reg_mem_model()

x86: stop playing stack games in profile_pc()

Reverts CVE-2024-26720, which we don't use.

mm: avoid overflows in dirty throttling logic

x86/coco: Require seeding RNG with RDRAND on CoCo

x86/coco: Require seeding RNG with RDRAND on CoCo

usb-storage: alauda: Fix uninit-value in alauda_check_media()

usb-storage: alauda: Check whether the media is initialized

usb-storage: alauda: Check whether the media is initialized (Adaptation)

uio: Fix use-after-free in uio_open

gfs2: Remove ill-placed consistency check

gfs2: simplify gdlm_put_lock with out_free label

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

scsi: qla2xxx: Fix double free of fcport

scsi: qla2xxx: Fix double free of the ha->vp_map pointer

fork: defer linking file vma until vma is fully initialized

wifi: nl80211: Avoid address calculations via out of bounds array indexing

wifi: mac80211: Avoid address calculations via out of bounds array indexing

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

cppc_cpufreq: Fix possible null pointer dereference

wifi: mt76: replace skb_put with skb_put_zero

cpufreq: exit() callback is optional

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

bpf, sockmap: Prevent lock inversion deadlock in map delete elem

scsi: qla2xxx: Fix command flush on cable pull

ring-buffer: Fix a race between readers and resize checks

Input: cyapa - add missing input core locking to suspend/resume functions

ARM related CVE

ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."

net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

net/sched: act_mirred: Create function tcf_mirred_to_dev and improve readability

net/sched: act_mirred: don't override retval if we already lost the skb

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

tipc: Return non-zero value from tipc_udp_addr2str() on error

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

gfs2: Fix NULL pointer dereference in gfs2_log_flush

RFDS: Medium score vulnerability affecting only Intel Atom CPUs, mitigated via microcode update.

Revert "net/mlx5: Block entering switchdev mode with ns inconsistency"

netfilter: nft_flow_offload: reset dst in route object after setting up flow

mptcp: ensure snd_nxt is properly initialized on connect

KVM: SVM: Don't try to pointlessly single-step SEV-ES guests for NMI window

KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked

Patches a sleepable function, there is a small but non-zero risk of livepatching failure

netfilter: flowtable: initialise extack before use

netpoll: Fix race condition in netpoll_owner_active

af_unix: Fix garbage collector racing against connect()

xfs: don't walk off the end of a directory data block

xfs: add bounds checking to xlog_recover_process_data

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

block: initialize integrity buffer to zero before writing it to media

ipv6: prevent possible NULL dereference in rt6_probe()

ext4: fold quota accounting into ext4_xattr_inode_lookup_create()

ext4: do not create EA inode under buffer lock

ext4: turn quotas off if mount failed after enabling quotas

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

wifi: mt76: mt7921s: fix potential hung tasks during chip recovery

tty: Fix out-of-bound vmalloc access in imageblit

tcp: add sanity checks to rx zerocopy

mptcp: fix data re-injection from stale subflow

scsi: core: Remove the /proc/scsi/${proc_name} directory earlier

scsi: core: Fix a procfs host directory removal regression

scsi: core: Fix unremoved procfs host directory regression

mac802154: fix llsec key resources release in mac802154_llsec_key_del

mac802154: fix llsec key resources release in mac802154_llsec_key_del

net/sched: taprio: extend minimum interval restriction to entire cycle too

xfs: fix log recovery buffer allocation for the

netfilter: nft_inner: validate mandatory meta and payload

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

mptcp: ensure snd_una is properly initialized on connect

kpatch add alt asm definitions

x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

x86/bugs: x86/bhi: Add support for clearing branch history at syscall entry

blk-cgroup: fix list corruption from resetting io

Not vulnerable: mapping mechanism that the bug applies to was introduced in v6.6 upstream (3178308ad4c) and appeared in RHEL9's since -427

netfilter: nf_tables: use timestamp to check for

netfilter: nf_tables: use timestamp to check for

nvme: fix reconnection fail due to reserved tag

lib/test_hmm.c: handle src_pfns and dst_pfns

Not vulnerable: buggy function was introduced in v6.5 upsteam (or RHEL9's 427.13.1), and no similar code patterns existed before for this module

mm/vmscan: fix a bug calling wakeup_kswapd() with

tipc: fix UAF in error path

ethernet: hisilicon: hns: hns_dsaf_misc: fix a

octeontx2-af: avoid off-by-one read from

net: ena: Fix incorrect descriptor free behavior

vt: fix memory overlapping when deleting chars in

tcp: Use refcount_inc_not_zero() in

can: j1939: prevent deadlock by changing

can: j1939: prevent deadlock by changing

r8169: Fix possible ring buffer corruption on

net: hns3: fix use-after-free bug in

netfilter: tproxy: bail out if IP has been