net/sched: cls_u32: Fix reference counter leak leading to overflow

NFSD: fix use-after-free in nfsd4_ssc_setup_dul()

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work

memstick: r592: Fix UAF bug in r592_remove due to race condition

relayfs: fix out-of-bounds access in relay_file_read

net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_u32: No longer copy tcf_result on update to avoid

HID: check empty report_list in hid_validate_values()

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

KVM: nVMX: add missing consistency checks for CR0 and CR4

net: qcom/emac: Fix use after free bug in emac_remove due to race condition

drm/vmwgfx: Do not drop the reference to the handle too soon

Fixes require microcode updates

ovl: fix use after free in struct ovl_aio_req

ovl: fix use after free in struct ovl_aio_req

sctp: fail if no bound addresses can be used for a given scope

net: add sock_init_data_uid()

tap: tap_open(): correctly initialize socket uid

tun: tun_chr_open(): correctly initialize socket uid

This is a low priority CVE & the patch impacts many critical components of the networking subsystem & it requires multiple complex adaptations in those components to avoid losing existing connections on patch/unpatch.

hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition

fbcon: Check font dimension limits

fbcon: HID: intel_ish-hid: Add check for ishtp_dma_tx_map

xfrm: add NULL check in xfrm_update_ae_params

Smart Patch for fs/exfat/dir.c

r8152: Rate limit overflow messages

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

mm/memory.c: fix race when faulting a device private page

nouveau: Fix migrate_to_ram() for faulting page

mm/memory: return vm_fault_t result from migrate_to_ram() callback

net/tls: tls_is_tx_ready() checked list_entry

net: mpls: fix stale pointer if allocation fails during device rename

gfs2: Don't deref jdesc in evict

net: tap_open(): set sk_uid from current_fsuid()

net: tun_chr_open(): set sk_uid from current_fsuid()

KVM: SEV: only access GHCB fields once

drm/vmwgfx: Remove rcu locks from user resources

drm/vmwgfx: Remove rcu locks from user resources

Medium severity vulnerability CVE requiring extremely complex adaptation (if at all possible)

In RHEL9 (and derivatives) isdn/mISDN driver is absent, not compiled.

coredump: fix memleak in dump_vma_snapshot()

coredump: Snapshot the vmas in do_coredump

coredump: Remove the WARN_ON in dump_vma_snapshot

coredump: Use the vma snapshot in fill_files_note

The fix consists of several patch-series and mix refactoring/bug-fixes/security-fixes/features for bpf subsystem. Dedicated security-fixes introduce crashes within newer bpf kselftests and the whole patch-series is not suitable for live-patching. At the same time the scope is limited to el9_2 only and is mitigated by the default kernel configuration (CONFIG_BPF_UNPRIV_DEFAULT_OFF=y).

igb: set max size RX buffer when store bad packet is enabled

igb: set max size RX buffer when store bad packet is enabled

cifs: Fix UAF in cifs_demultiplex_thread()

x86/sev: Disable MMIO emulation from user mode

nfp: fix use-after-free in area_cache_get()

RDMA/core: Refactor rdma_bind_addr

netfilter: nf_tables: skip bound chain on rule flush

net: tun: fix bugs for oversize packet when napi frags enabled

netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR

af_unix: Fix null-ptr-deref in unix_stream_sendpage().

net/sched: sch_hfsc: Ensure inner classes have fsc curve

Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

drivers: net: slip: fix NPD bug in sl_tx_timeout()

x86/sev: Disable MMIO emulation from user mode

x86/sev: Check IOBM for IOIO exceptions from user-space

x86/sev: Check for user-space IOIO pointing to kernel space

drm/vmwgfx: Fix possible invalid drm gem put calls

drm/vmwgfx: Keep a gem reference to user bos in surfaces

netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c

drm/vmwgfx: Fix shader stage validation

can: af_can: fix NULL pointer dereference in can_rcv_filter

fbcon: Fix error paths in set_con2fb_map

fbcon: set_con2fb_map needs to set con2fb_map!

Affected device driver does not exist in supported kernels.

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use netfilter functionality.

drm/amdgpu: Fix potential fence use-after-free v2

perf: Disallow mis-matched inherited group reads

perf: Disallow mis-matched inherited group reads (adaptation)

smb: client: fix OOB in smbCalcSize()

smb: client: fix potential OOB in smb2_dump_detail()

netfilter: nft_set_pipapo: skip inactive elements during set walk

Vulnerable commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) was introduced later than kernel-5.14.0-362.18.1.el9_3. None of our kernels are vulnerable.

net: tls, update curr on splice as well

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

nvmet-tcp: fix a crash in nvmet_req_complete()

nvmet-tcp: remove boilerplate code

nvmet-tcp: Fix the H2C expected PDU len calculation

Bluetooth: L2CAP: Fix u8 overflow

atm: Fix Use-After-Free in do_vcc_ioctl

perf: Fix perf_event_validate_size()

perf: Fix perf_event_validate_size() lockdep

netfilter: nf_tables: Reject tables of

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux

net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()

RDMA/irdma: Prevent zero-length STAG registration

RDMA/irdma: Prevent zero-length STAG registration

smb: client: fix OOB in receive_encrypted_standard()

smb: client: fix potential OOBs in smb2_parse_contexts()

smb: client: fix parsing of SMB3.1.1 POSIX create context

netfilter: nf_tables: check if catch-all set element is active in next generation

Bluetooth: af_bluetooth: Fix Use-After-Free in

io_uring/af_unix: disable sending io_uring over sockets

vc_screen: move load of struct vc_data pointer in

vc_screen: don't clobber return value in vcs_read

drm/qxl: fix UAF on handle creation

i2c: i801: Fix block process call transactions

ida: Fix crash in ida_free when the bitmap is empty

fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super {CVE-2024-0841}

Bluetooth: Fix double free in hci_conn_cleanup

The patch for this CVE already present in kernel-5.14.0-362.24.1.el9_3 version. The kernel-5.14.0-362.18.1.el9_3 version and below are not vulnerable because they don't have commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) which introduced the vulnerability.

Bluetooth: Add more enc key size check

netfilter: nfnetlink_osf: avoid OOB read

netfilter: xt_sctp: validate the flag_info count

kobject: Fix slab-out-of-bounds in fill_kobj_path()

kobject: modify kobject_get_path() to take a const *

Reapply "memcg: enable accounting for file lock

netfilter: nf_tables: bail out on mismatching

HID: sony: Fix a potential memory leak in sony_probe()

net/sched: act_ct: fix skb leak and crash on ooo frags

drm/vmwgfx: Fix possible null pointer derefence with invalid contexts

Complex adaptation required to add timer_shutdown_sync() in timers subsystem.

sched/membarrier: reduce the ability to hammer on sys_membarrier

ipv4: fix null-deref in ipv4_link_failure

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

The given kernel version isn't vulnerable.

neigh: make sure used and confirmed times are valid

net: fix possible store tearing in neigh_periodic_work()

net/core: Fix ETH_P_1588 flow dissector

netfilter: nf_tables: disallow timeout for anonymous sets

ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

net: tls: fix use-after-free with partial reads

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

The modified structure mem_section_usage is used only during bootup time. As we patch the changes after booting they will have no effect. Therefore we cannot patch this CVE.

Bluetooth: hci_event: Ignore NULL link key

Bluetooth: Reject connection with the device

Bluetooth: hci_event: Fix using memcmp when

Bluetooth: hci_event: Fix coding style

Bluetooth: avoid memcmp() out of bounds warning

Bluetooth: HCI: Fix global-out-of-bounds

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY

The given kernel version isn't vulnerable (Netfilter).

io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid

net: add atomic_long_t to net_device_stats fields

net: bridge: use DEV_STATS_INC()

net: bridge: use DEV_STATS_INC()

USB: core: Unite old scheme and new scheme

USB: core: Change usb_get_device_descriptor() API

USB: core: Fix race by not overwriting

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

net: xfrm: Fix xfrm_address_filter OOB read

team: fix null-ptr-deref when team device type is changed

team: fix null-ptr-deref when team device type is changed

nvmet: nul-terminate the NQNs passed in the

CVE has been marked as REJECTED on the NVD website.

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

drm/atomic: Fix potential use-after-free in nonblocking commits

drm/atomic: Fix potential use-after-free in nonblocking commits

crypto: akcipher - Disable signing and decryption

x86/sev: Harden #VC instruction emulation somewhat

netfilter: nf_tables: disallow anonymous set with timeout flag

netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations

netfilter: nft_ct: fix l3num expectations with inet pseudo family

net: ip_tunnel: prevent perpetual headroom growth

ipv6: sr: fix possible use-after-free and null-ptr-deref

fs: sysfs: Fix reference leak in sysfs_break_active_protection()

net/mlx5e: fix a potential double-free in fs_any_create_groups

Bluetooth: Avoid potential use-after-free in hci_error_reset

net/mlx5: Properly link new fs rules into the tree

net: hns3: do not allow call hns3_nic_net_open repeatedly

xen-netfront: Add missing skb_mark_for_recycle

smb: client: fix UAF in smb2_reconnect_server()

crypto: qat - resolve race condition during AER recovery

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

epoll: be better about file lifetimes

mlxbf_gige: stop interface during shutdown

net: amd-xgbe: Fix skb data length underflow

dm: call the resume method on internal suspend

nfp: flower: handle acti_netdevs allocation failure

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

icmp: prevent possible NULL dereferences from icmp_build_probe()

can: j1939: j1939_netdev_start(): fix UAF for

Squashfs: check the inode number is not the invalid value of zero

scsi: libfc: Fix potential NULL pointer

scsi: lpfc: Move NPIV's transport unregistration to after resource clean up

block: add check that partition length needs to be aligned with block size

mlxbf_gige: call request_irq() after NAPI initialized

scsi: lpfc: Release hbalock before calling

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

octeontx2: CVE patch is outside the scope.

eBPF: low score UAF with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y by default but needs complex adaptation.

VFIO: Add the SPR_DSA and SPR_IAX devices to the

wifi: rtl8xxxu: add cancel_work_sync() for

wifi: iwlwifi: dbg-tlv: ensure NUL termination

net: annotate data-races around

net: fix __dst_negative_advice() race

bonding: Fix out-of-bounds read in

wifi: cfg80211: check A-MSDU format more

net: netlink: af_netlink: Prevent empty skb by

wifi: ath10k: fix NULL pointer dereference in

platform/x86: wmi: remove unnecessary initializations

platform/x86: wmi: Fix opening of char device

phy: ti: phy-omap-usb2: Fix NULL pointer

netfilter: nft_chain_filter: handle

netfilter: nf_tables: do not compare internal

ipv6: fix potential "struct net" leak in

i40e: fix vf may be used uninitialized in this

wifi: iwlwifi: read txq->read_ptr under lock

net: do not leave a dangling sk pointer, when socket creation fails

netns: Make get_net_ns() handle zero refcount net

ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes

vt: fix unicode buffer corruption when deleting characters

eeprom: at24: fix memory corruption race condition

mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

netfilter: nf_tables: flush pending destroy work before exit_net release

ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr

WiFi - Complex adaptation required.

ipv6: prevent possible NULL deref in fib6_nh_init()

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

net: openvswitch: fix overwriting ct original tuple for ICMPv6

igc: avoid returning frame twice in XDP_REDIRECT

Out of scope: boot time issue

tls: fix missing memory barrier in tls_init

virtio: delete vq in vp_find_vqs_msix() when request_irq() fails

wifi: nl80211: don't free NULL coalescing rule

net: core: reject skb_copy(_expand) for fraglist GSO skbs

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

netfilter: nf_tables: honor table dormant flag from netdev release event path

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

scsi: qla2xxx: Fix off by one in

md/raid5: fix deadlock that raid5d() wait for

md/raid5: remove pr_debug() in raid5d()

netfilter: nf_tables: Fix potential data-race in

tap: add missing verification for short frame

tun: add missing verification for short frame

netfilter: nft_limit: reject configurations that cause integer overflow

net: bridge: xmit: make sure we have at least eth

tty: n_gsm: require CAP_NET_ADMIN to attach

CVE marked as rejected by vendor

netfilter: flowtable: validate pppoe header

netfilter: nf_tables: Fix potential data-race in

netfilter: validate user input for expected length

netfilter: complete validation of user input

nf_tables: disable toggling dormant table state more than once

netfilter: nf_tables: discard table flag update

netfilter: nf_tables: discard table flag update

cxl/port: Fix delete_endpoint() vs parent

vfio/pci: Lock external INTx masking ops

nvmet: fix a possible leak when destroy a ctrl

net: ice: Fix potential NULL pointer dereference

NFSv4: Fix memory leak in nfs4_set_security_label

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()

scsi: qedi: Fix crash while reading debugfs attribute

wifi: iwlwifi: mvm: don't read past the mfuart notifcation

wifi: iwlwifi: mvm: check n_ssids before accessing the ssids

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

wifi: cfg80211: Lock wiphy in cfg80211_get_station

ipv6: fix possible race in __fib6_drop_pcpu_from()

tipc: force a dst refcount before doing decryption

mm/huge_memory: don't unpoison huge_zero_folio

RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

crypto: bcm - Fix pointer arithmetic

bnxt_re: avoid shift undefined behavior in

netfilter: nf_tables: Fix potential data-race in

net/mlx5e: Add wrapping for auxiliary_driver ops and remove unused args

net/mlx5e: Fix netif state handling

netfilter: bridge: confirm multicast packets

netfilter: bridge: confirm multicast packets kpatch

net: bridge: mst: fix vlan use-after-free

net: bridge: mst: fix vlan use-after-free

net: bridge: mst: fix vlan use-after-free

PCI/MSI: Fix UAF in msi_capability_init

nvme: avoid double free special payload

net/sched: Fix UAF when resolving a clash

nfsd: fix RELEASE_LOCKOWNER

kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address

mm/hugetlb: fix missing hugetlb_lock for resv

This CVE introduces a regression and is reverted by CVE-2024-42102 in the same errata

efivarfs: force RO when remounting if SetVariable

efivarfs: force RO when remounting if SetVariable

KVM: SVM: Flush pages under kvm->lock to fix UAF

net: fix out-of-bounds access in ops_init

scsi: qedf: Ensure the copied buf is NUL

xhci: Handle TD clearing for multiple streams

ppp: reject claimed-as-LCP but actually malformed

Fix for skipped CVE-2023-52489 that modifies structure mem_section_usage only used at boot time

xdp: Remove WARN() from __xdp_reg_mem_model()

x86: stop playing stack games in profile_pc()

Reverts CVE-2024-26720, which we don't use.

mm: avoid overflows in dirty throttling logic

x86/coco: Require seeding RNG with RDRAND on CoCo

x86/coco: Require seeding RNG with RDRAND on CoCo

usb-storage: alauda: Fix uninit-value in alauda_check_media()

usb-storage: alauda: Check whether the media is initialized

usb-storage: alauda: Check whether the media is initialized (Adaptation)

uio: Fix use-after-free in uio_open

gfs2: Remove ill-placed consistency check

gfs2: simplify gdlm_put_lock with out_free label

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

scsi: qla2xxx: Fix double free of fcport

wifi: nl80211: Avoid address calculations via out of bounds array indexing

wifi: mac80211: Avoid address calculations via out of bounds array indexing

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

cppc_cpufreq: Fix possible null pointer dereference

wifi: mt76: replace skb_put with skb_put_zero

cpufreq: exit() callback is optional

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

bpf, sockmap: Prevent lock inversion deadlock in map delete elem

scsi: qla2xxx: Fix command flush on cable pull

ring-buffer: Fix a race between readers and resize checks

Input: cyapa - add missing input core locking to suspend/resume functions

ARM related CVE

ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."

net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

net/sched: act_mirred: Create function tcf_mirred_to_dev and improve readability

net/sched: act_mirred: don't override retval if we already lost the skb

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

tipc: Return non-zero value from tipc_udp_addr2str() on error

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

gfs2: Fix NULL pointer dereference in gfs2_log_flush

RFDS: Medium score vulnerability affecting only Intel Atom CPUs, mitigated via microcode update.

netfilter: nft_flow_offload: reset dst in route object after setting up flow

mptcp: ensure snd_nxt is properly initialized on connect

Patches a sleepable function, there is a small but non-zero risk of livepatching failure

netfilter: flowtable: initialise extack before use

netpoll: Fix race condition in netpoll_owner_active

af_unix: Fix garbage collector racing against connect()

xfs: don't walk off the end of a directory data block

xfs: add bounds checking to xlog_recover_process_data

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

block: initialize integrity buffer to zero before writing it to media

ipv6: prevent possible NULL dereference in rt6_probe()

ext4: fold quota accounting into ext4_xattr_inode_lookup_create()

ext4: do not create EA inode under buffer lock

ext4: turn quotas off if mount failed after enabling quotas

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

wifi: mt76: mt7921s: fix potential hung tasks during chip recovery

tty: Fix out-of-bound vmalloc access in imageblit

tcp: add sanity checks to rx zerocopy

mptcp: fix data re-injection from stale subflow

scsi: core: Remove the /proc/scsi/${proc_name} directory earlier

scsi: core: Fix a procfs host directory removal regression

scsi: core: Fix unremoved procfs host directory regression

mac802154: fix llsec key resources release in mac802154_llsec_key_del

mac802154: fix llsec key resources release in mac802154_llsec_key_del

net/sched: taprio: extend minimum interval restriction to entire cycle too

xfs: fix log recovery buffer allocation for the

netfilter: nft_inner: validate mandatory meta and payload

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

mptcp: ensure snd_una is properly initialized on connect

kpatch add alt asm definitions

x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

x86/bugs: x86/bhi: Add support for clearing branch history at syscall entry

blk-cgroup: fix list corruption from resetting io

Not vulnerable: mapping mechanism that the bug applies to was introduced in v6.6 upstream (3178308ad4c) and appeared in RHEL9's since -427

netfilter: nf_tables: use timestamp to check for

netfilter: nf_tables: use timestamp to check for

nvme: fix reconnection fail due to reserved tag

Not vulnerable: function with the buggy code `dmirror_device_evict_chunk()` exists since 362.8.1

Not vulnerable: buggy function was introduced in v6.5 upsteam (or RHEL9's 427.13.1), and no similar code patterns existed before for this module

mm/vmscan: make sure wakeup_kswapd with managed zone

mm/vmscan: fix a bug calling wakeup_kswapd() with

tipc: fix UAF in error path

ethernet: hisilicon: hns: hns_dsaf_misc: fix a

octeontx2-af: avoid off-by-one read from

net: ena: Fix incorrect descriptor free behavior

vt: fix memory overlapping when deleting chars in

tcp: Use refcount_inc_not_zero() in

can: j1939: prevent deadlock by changing

can: j1939: prevent deadlock by changing

r8169: Fix possible ring buffer corruption on

net: hns3: fix use-after-free bug in

netfilter: tproxy: bail out if IP has been