KVM: x86/mmu: Fix race condition in direct_page_fault

prlimit: do_prlimit needs to have a speculation check

ipvlan:Fix out-of-bounds caused by unclear skb->cb

net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

x86/speculation: Allow enabling STIBP with legacy IBRS

x86/speculation: Allow enabling STIBP with legacy IBRS

nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

net/sched: cls_fw: Fix improper refcount update leads to use-after-free

out of scope, ARM EFI related

x86/speculation: Restore speculation related MSRs during S3 resume

hw: amd: Cross-Process Information Leak

netfilter: nft_set_pipapo: fix improper element removal

netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE

nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

netfilter: nf_tables: fix chain binding transaction logic

netfilter: nf_tables: fix chain binding transaction logic

seccomp: Move copy_seccomp() to no failure path.

net/sched: cls_u32: Fix reference counter leak leading to overflow

NFSD: fix use-after-free in nfsd4_ssc_setup_dul()

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work

memstick: r592: Fix UAF bug in r592_remove due to race condition

relayfs: fix out-of-bounds access in relay_file_read

net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free

net/sched: cls_u32: No longer copy tcf_result on update to avoid

libceph: harden msgr2.1 frame segment length checks

HID: check empty report_list in hid_validate_values()

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

HID: asus: use spinlock to safely schedule workers

KVM: nVMX: add missing consistency checks for CR0 and CR4

net: qcom/emac: Fix use after free bug in emac_remove due to race condition

drm/vmwgfx: Do not drop the reference to the handle too soon

Fixes require microcode updates

ovl: fix use after free in struct ovl_aio_req

ovl: fix use after free in struct ovl_aio_req

sctp: fail if no bound addresses can be used for a given scope

net: add sock_init_data_uid()

tap: tap_open(): correctly initialize socket uid

tun: tun_chr_open(): correctly initialize socket uid

This is a low priority CVE & the patch impacts many critical components of the networking subsystem & it requires multiple complex adaptations in those components to avoid losing existing connections on patch/unpatch.

hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition

fbcon: Check font dimension limits

fbcon: HID: intel_ish-hid: Add check for ishtp_dma_tx_map

xfrm: add NULL check in xfrm_update_ae_params

Smart Patch for fs/exfat/dir.c

r8152: Rate limit overflow messages

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

mm/memory.c: fix race when faulting a device private page

nouveau: Fix migrate_to_ram() for faulting page

mm/memory: return vm_fault_t result from migrate_to_ram() callback

net/tls: tls_is_tx_ready() checked list_entry

net: mpls: fix stale pointer if allocation fails during device rename

gfs2: Don't deref jdesc in evict

net: tap_open(): set sk_uid from current_fsuid()

net: tun_chr_open(): set sk_uid from current_fsuid()

KVM: SEV: only access GHCB fields once

drm/vmwgfx: Remove rcu locks from user resources

drm/vmwgfx: Remove rcu locks from user resources

Medium severity vulnerability CVE requiring extremely complex adaptation (if at all possible)

In RHEL9 (and derivatives) isdn/mISDN driver is absent, not compiled.

coredump: fix memleak in dump_vma_snapshot()

coredump: Snapshot the vmas in do_coredump

coredump: Remove the WARN_ON in dump_vma_snapshot

coredump: Use the vma snapshot in fill_files_note

The fix consists of several patch-series and mix refactoring/bug-fixes/security-fixes/features for bpf subsystem. Dedicated security-fixes introduce crashes within newer bpf kselftests and the whole patch-series is not suitable for live-patching. At the same time the scope is limited to el9_2 only and is mitigated by the default kernel configuration (CONFIG_BPF_UNPRIV_DEFAULT_OFF=y).

nvme-pci: clamp max_hw_sectors based on DMA optimized limitation

nvme-pci: clamp max_hw_sectors based on DMA optimized limitation(KernelCare adaptation)

igb: set max size RX buffer when store bad packet is enabled

igb: set max size RX buffer when store bad packet is enabled

cifs: Fix UAF in cifs_demultiplex_thread()

x86/sev: Disable MMIO emulation from user mode

nfp: fix use-after-free in area_cache_get()

RDMA/core: Refactor rdma_bind_addr

netfilter: nf_tables: skip bound chain on rule flush

net: tun: fix bugs for oversize packet when napi frags enabled

kernel-5.14.0-284.11.1.el9_2 and earlier are not vulnerable because they don't have the commit 4bedf9eee016 (netfilter: nf_tables: fix chain binding transaction logic) that introduced the vulnerability

af_unix: Fix null-ptr-deref in unix_stream_sendpage().

net/sched: sch_hfsc: Ensure inner classes have fsc curve

Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

drivers: net: slip: fix NPD bug in sl_tx_timeout()

x86/sev: Disable MMIO emulation from user mode

x86/sev: Check IOBM for IOIO exceptions from user-space

x86/sev: Check for user-space IOIO pointing to kernel space

drm/vmwgfx: Fix possible invalid drm gem put calls

drm/vmwgfx: Keep a gem reference to user bos in surfaces

netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c

drm/vmwgfx: Fix shader stage validation

can: af_can: fix NULL pointer dereference in can_rcv_filter

fbcon: Fix error paths in set_con2fb_map

fbcon: set_con2fb_map needs to set con2fb_map!

Affected device driver does not exist in supported kernels.

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use netfilter functionality.

drm/amdgpu: Fix potential fence use-after-free v2

perf: Disallow mis-matched inherited group reads

perf: Disallow mis-matched inherited group reads (adaptation)

smb: client: fix OOB in smbCalcSize()

smb: client: fix potential OOB in smb2_dump_detail()

netfilter: nft_set_pipapo: skip inactive elements during set walk

Vulnerable commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) was introduced later than kernel-5.14.0-362.18.1.el9_3. None of our kernels are vulnerable.

net: tls, update curr on splice as well

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

nvmet-tcp: fix a crash in nvmet_req_complete()

nvmet-tcp: remove boilerplate code

nvmet-tcp: Fix the H2C expected PDU len calculation

Bluetooth: L2CAP: Fix u8 overflow

atm: Fix Use-After-Free in do_vcc_ioctl

perf: Fix perf_event_validate_size()

perf: Fix perf_event_validate_size() lockdep

netfilter: nf_tables: Reject tables of

ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet

tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux

net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()

RDMA/irdma: Prevent zero-length STAG registration

RDMA/irdma: Prevent zero-length STAG registration

smb: client: fix OOB in receive_encrypted_standard()

smb: client: fix potential OOBs in smb2_parse_contexts()

smb: client: fix parsing of SMB3.1.1 POSIX create context

netfilter: nf_tables: check if catch-all set element is active in next generation

Bluetooth: af_bluetooth: Fix Use-After-Free in

vc_screen: move load of struct vc_data pointer in

vc_screen: don't clobber return value in vcs_read

drm/qxl: fix UAF on handle creation

i2c: i801: Fix block process call transactions

ida: Fix crash in ida_free when the bitmap is empty

fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super {CVE-2024-0841}

Bluetooth: Fix double free in hci_conn_cleanup

The patch for this CVE already present in kernel-5.14.0-362.24.1.el9_3 version. The kernel-5.14.0-362.18.1.el9_3 version and below are not vulnerable because they don't have commit 5f68718b34a5 (netfilter: nf_tables: GC transaction API to avoid race with control plane) which introduced the vulnerability.

Bluetooth: Add more enc key size check

netfilter: nfnetlink_osf: avoid OOB read

netfilter: xt_sctp: validate the flag_info count

kobject: Fix slab-out-of-bounds in fill_kobj_path()

kobject: modify kobject_get_path() to take a const *

Reapply "memcg: enable accounting for file lock

netfilter: nf_tables: bail out on mismatching

HID: sony: Fix a potential memory leak in sony_probe()

net/sched: act_ct: fix skb leak and crash on ooo frags

drm/vmwgfx: Fix possible null pointer derefence with invalid contexts

Complex adaptation required to add timer_shutdown_sync() in timers subsystem.

sched/membarrier: reduce the ability to hammer on sys_membarrier

ipv4: fix null-deref in ipv4_link_failure

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

The given kernel version isn't vulnerable.

neigh: make sure used and confirmed times are valid

net: fix possible store tearing in neigh_periodic_work()

net/core: Fix ETH_P_1588 flow dissector

netfilter: nf_tables: disallow timeout for anonymous sets

ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()

net: tls: fix use-after-free with partial reads

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

Low-severity patch proven to suffer from stack-unsafety problem when patching during network load.

The modified structure mem_section_usage is used only during bootup time. As we patch the changes after booting they will have no effect. Therefore we cannot patch this CVE.

Bluetooth: hci_event: Ignore NULL link key

Bluetooth: Reject connection with the device

Bluetooth: hci_event: Fix using memcmp when

Bluetooth: hci_event: Fix coding style

Bluetooth: avoid memcmp() out of bounds warning

Bluetooth: HCI: Fix global-out-of-bounds

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY

The given kernel version isn't vulnerable (Netfilter).

io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid

net: add atomic_long_t to net_device_stats fields

net: bridge: use DEV_STATS_INC()

net: bridge: use DEV_STATS_INC()

USB: core: Unite old scheme and new scheme

USB: core: Change usb_get_device_descriptor() API

USB: core: Fix race by not overwriting

USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

net: xfrm: Fix xfrm_address_filter OOB read

team: fix null-ptr-deref when team device type is changed

team: fix null-ptr-deref when team device type is changed

nvmet: nul-terminate the NQNs passed in the

CVE has been marked as REJECTED on the NVD website.

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

drm/atomic: Fix potential use-after-free in nonblocking commits

drm/atomic: Fix potential use-after-free in nonblocking commits

crypto: akcipher - Disable signing and decryption

x86/sev: Harden #VC instruction emulation somewhat

netfilter: nf_tables: disallow anonymous set with timeout flag

netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations

netfilter: nft_ct: fix l3num expectations with inet pseudo family

net: ip_tunnel: prevent perpetual headroom growth

ipv6: sr: fix possible use-after-free and null-ptr-deref

fs: sysfs: Fix reference leak in sysfs_break_active_protection()

net/mlx5e: fix a potential double-free in fs_any_create_groups

Bluetooth: Avoid potential use-after-free in hci_error_reset

net/mlx5: Properly link new fs rules into the tree

net: hns3: do not allow call hns3_nic_net_open repeatedly

xen-netfront: Add missing skb_mark_for_recycle

smb: client: fix UAF in smb2_reconnect_server()

crypto: qat - resolve race condition during AER recovery

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

epoll: be better about file lifetimes

mlxbf_gige: stop interface during shutdown

net: amd-xgbe: Fix skb data length underflow

dm: call the resume method on internal suspend

nfp: flower: handle acti_netdevs allocation failure

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

icmp: prevent possible NULL dereferences from icmp_build_probe()

can: j1939: j1939_netdev_start(): fix UAF for

Squashfs: check the inode number is not the invalid value of zero

scsi: libfc: Fix potential NULL pointer

scsi: lpfc: Move NPIV's transport unregistration to after resource clean up

block: add check that partition length needs to be aligned with block size

mlxbf_gige: call request_irq() after NAPI initialized

scsi: lpfc: Release hbalock before calling

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

octeontx2: CVE patch is outside the scope.

eBPF: low score UAF with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y by default but needs complex adaptation.

VFIO: Add the SPR_DSA and SPR_IAX devices to the

wifi: rtl8xxxu: add cancel_work_sync() for

wifi: iwlwifi: dbg-tlv: ensure NUL termination

net: annotate data-races around

net: fix __dst_negative_advice() race

bonding: Fix out-of-bounds read in

wifi: cfg80211: check A-MSDU format more

net: netlink: af_netlink: Prevent empty skb by

wifi: ath10k: fix NULL pointer dereference in

platform/x86: wmi: remove unnecessary initializations

platform/x86: wmi: Fix opening of char device

phy: ti: phy-omap-usb2: Fix NULL pointer

netfilter: nft_chain_filter: handle

netfilter: nf_tables: do not compare internal

ipv6: fix potential "struct net" leak in

i40e: fix vf may be used uninitialized in this

wifi: iwlwifi: read txq->read_ptr under lock

net: do not leave a dangling sk pointer, when socket creation fails

netns: Make get_net_ns() handle zero refcount net

ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes

vt: fix unicode buffer corruption when deleting characters

eeprom: at24: fix memory corruption race condition

mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

netfilter: nf_tables: flush pending destroy work before exit_net release

ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr

WiFi - Complex adaptation required.

ipv6: prevent possible NULL deref in fib6_nh_init()

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

net: openvswitch: fix overwriting ct original tuple for ICMPv6

igc: avoid returning frame twice in XDP_REDIRECT

Out of scope: boot time issue

tls: fix missing memory barrier in tls_init

virtio: delete vq in vp_find_vqs_msix() when request_irq() fails

wifi: nl80211: don't free NULL coalescing rule

net: core: reject skb_copy(_expand) for fraglist GSO skbs

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

netfilter: nf_tables: honor table dormant flag from netdev release event path

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

scsi: qla2xxx: Fix off by one in

md/raid5: fix deadlock that raid5d() wait for

md/raid5: remove pr_debug() in raid5d()

netfilter: nf_tables: Fix potential data-race in

tap: add missing verification for short frame

tun: add missing verification for short frame

netfilter: nft_limit: reject configurations that cause integer overflow

net: bridge: xmit: make sure we have at least eth

tty: n_gsm: require CAP_NET_ADMIN to attach

CVE marked as rejected by vendor

netfilter: flowtable: validate pppoe header

netfilter: nf_tables: Fix potential data-race in

netfilter: validate user input for expected length

netfilter: complete validation of user input

nf_tables: disable toggling dormant table state more than once

netfilter: nf_tables: discard table flag update

netfilter: nf_tables: discard table flag update

cxl/port: Fix delete_endpoint() vs parent

vfio/pci: Lock external INTx masking ops

nvmet: fix a possible leak when destroy a ctrl

net: ice: Fix potential NULL pointer dereference

NFSv4: Fix memory leak in nfs4_set_security_label

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()

scsi: qedi: Fix crash while reading debugfs attribute

wifi: iwlwifi: mvm: don't read past the mfuart notifcation

wifi: iwlwifi: mvm: check n_ssids before accessing the ssids

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

wifi: cfg80211: Lock wiphy in cfg80211_get_station

ipv6: fix possible race in __fib6_drop_pcpu_from()

tipc: force a dst refcount before doing decryption

mm/huge_memory: don't unpoison huge_zero_folio

RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

crypto: bcm - Fix pointer arithmetic

bnxt_re: avoid shift undefined behavior in

netfilter: nf_tables: Fix potential data-race in

net/mlx5e: Add wrapping for auxiliary_driver ops and remove unused args

net/mlx5e: Fix netif state handling

netfilter: bridge: confirm multicast packets

netfilter: bridge: confirm multicast packets kpatch

net: bridge: mst: fix vlan use-after-free

net: bridge: mst: fix vlan use-after-free

net: bridge: mst: fix vlan use-after-free

PCI/MSI: Fix UAF in msi_capability_init

nvme: avoid double free special payload

net/sched: Fix UAF when resolving a clash

nfsd: fix RELEASE_LOCKOWNER

kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address

mm/hugetlb: fix missing hugetlb_lock for resv

This CVE introduces a regression and is reverted by CVE-2024-42102 in the same errata

efivarfs: force RO when remounting if SetVariable

efivarfs: force RO when remounting if SetVariable

KVM: SVM: Flush pages under kvm->lock to fix UAF

net: fix out-of-bounds access in ops_init

scsi: qedf: Ensure the copied buf is NUL

xhci: Handle TD clearing for multiple streams

ppp: reject claimed-as-LCP but actually malformed

The patch affects too much kernel code. Low impact CVE.

xdp: Remove WARN() from __xdp_reg_mem_model()

x86: stop playing stack games in profile_pc()

Reverts CVE-2024-26720, which we don't use.

mm: avoid overflows in dirty throttling logic

x86/coco: Require seeding RNG with RDRAND on CoCo

x86/coco: Require seeding RNG with RDRAND on CoCo

usb-storage: alauda: Fix uninit-value in alauda_check_media()

usb-storage: alauda: Check whether the media is initialized

usb-storage: alauda: Check whether the media is initialized (Adaptation)

Bluetooth: af_bluetooth: Fix deadlock

uio: Fix use-after-free in uio_open

gfs2: Remove ill-placed consistency check

gfs2: simplify gdlm_put_lock with out_free label

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

scsi: qla2xxx: Fix double free of fcport

wifi: nl80211: Avoid address calculations via out of bounds array indexing

wifi: mac80211: Avoid address calculations via out of bounds array indexing

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

cppc_cpufreq: Fix possible null pointer dereference

wifi: mt76: replace skb_put with skb_put_zero

cpufreq: exit() callback is optional

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

bpf, sockmap: Prevent lock inversion deadlock in map delete elem

scsi: qla2xxx: Fix command flush on cable pull

ring-buffer: Fix a race between readers and resize checks

Input: cyapa - add missing input core locking to suspend/resume functions

ARM related CVE

ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."

net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

net/sched: act_mirred: Create function tcf_mirred_to_dev and improve readability

net/sched: act_mirred: don't override retval if we already lost the skb

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

tipc: Return non-zero value from tipc_udp_addr2str() on error

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

gfs2: Fix NULL pointer dereference in gfs2_log_flush

RFDS: Medium score vulnerability affecting only Intel Atom CPUs, mitigated via microcode update.

netfilter: nft_flow_offload: reset dst in route object after setting up flow

mptcp: ensure snd_nxt is properly initialized on connect

Patches a sleepable function, there is a small but non-zero risk of livepatching failure

el9 kernels are not vulnerable: no versions with commit 88c67aeb1407 only.

net/mlx5: Add a timeout to acquire the command queue semaphore

net/mlx5: Add a timeout to acquire the command queue semaphore

netfilter: flowtable: initialise extack before use

netpoll: Fix race condition in netpoll_owner_active

af_unix: Fix garbage collector racing against connect()

xfs: don't walk off the end of a directory data block

xfs: add bounds checking to xlog_recover_process_data

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

ipv6: prevent possible NULL dereference in rt6_probe()

ext4: fold quota accounting into ext4_xattr_inode_lookup_create()

ext4: do not create EA inode under buffer lock

ext4: turn quotas off if mount failed after enabling quotas

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

wifi: mt76: mt7921s: fix potential hung tasks during chip recovery

tty: Fix out-of-bound vmalloc access in imageblit

tcp: add sanity checks to rx zerocopy

mptcp: fix data re-injection from stale subflow

scsi: core: Remove the /proc/scsi/${proc_name} directory earlier

scsi: core: Fix a procfs host directory removal regression

scsi: core: Fix unremoved procfs host directory regression

mac802154: fix llsec key resources release in mac802154_llsec_key_del

mac802154: fix llsec key resources release in mac802154_llsec_key_del

net/sched: taprio: extend minimum interval restriction to entire cycle too

xfs: fix log recovery buffer allocation for the

netfilter: nft_inner: validate mandatory meta and payload

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

mptcp: ensure snd_una is properly initialized on connect

kpatch add alt asm definitions

x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

x86/bugs: x86/bhi: Add support for clearing branch history at syscall entry

PCI: Avoid potential out-of-bounds read in pci_dev_for_each_resource()

ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work

string.h: add array-wrappers for (v)memdup_user()

i2c: dev: copy userspace array safely

io_uring: clear opcode specific data for an early failure

function can sleep with no time out

ipv6: prevent NULL dereference in ip6_output()

block: fix overflow in blk_ioctl_discard()

nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().

ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()

netfs, fscache: Prevent Oops in fscache_put_cache()

ext4: regenerate buddy after block freeing failed if under fc replay

hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

vhost: use kzalloc() instead of kmalloc() followed by memset()

net: openvswitch: limit the number of recursions from action sets

ubi: Check for too small LEB size in VTBL code

bpf: Fix re-attachment branch in bpf_tracing_prog_attach

x86/fpu: Stop relying on userspace for info to fault in xsave buffer

tcp: make sure init the accept_queue's spinlocks once

media: cec: core: avoid recursive cec_claim_log_addrs kpatch

media: cec: core: avoid recursive cec_claim_log_addrs kpatch

i2c: Fix a potential use after free

of: fdt: fix off-by-one error in unflatten_dt_nodes()

media: pvrusb2: fix use after free on context disconnection

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

Kernel versions older than 5.14.0-503.11.1.el9_5 are not affected

EDAC/thunderx: Fix possible out-of-bounds string access

net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()

md/raid5: fix atomicity violation in raid5_cache_count

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

RDMA/mlx5: Fix fortify source warning while accessing Eth segment

hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

stm class: Fix a double free in stm_register_device()

net/mlx5: Discard command completions in internal error

USB: core: Fix deadlock in usb_deauthorize_interface()

Out of scope: not affected

tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer

drm/amdgpu/mes: fix use-after-free issue

usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps

USB: core: Fix deadlock in port "disable" sysfs attribute

USB: core: Fix deadlock in port "disable" sysfs attribute

firmware: cs_dsp: Fix overflow checking of wmfw header

firmware: cs_dsp: Fix overflow checking of wmfw header (adaptation)

filelock: fix potential use-after-free in posix_lock_inode

drm/i915/gt: Fix potential UAF by revoke of fence registers

scsi: mpi3mr: Sanitise num_phys

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

net/iucv: fix use after free in iucv_sock_close()

dev/parport: fix the array out-of-bounds risk

wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope: not affected

octeontx2-af: fix the double free in rvu_npc_freemem()

ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()

drm/amdgpu: add error handle to avoid out-of-bounds

drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()

Out of scope: not affected

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

include/linux/generic-radix-tree.h: replace kernel.h with the necessary inclusions

lib/generic-radix-tree.c: Don't overflow in peek()

can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()

can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()

can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()

can: isotp: fix error path in isotp_sendmsg() to unlock wait queue

usbnet: sanity check for maxpacket

nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells

hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations

asix: fix uninit-value in asix_mdio_read()

netfilter: nft_set_pipapo: do not free live element

ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()

atl1c: Work around the DMA RX overflow issue

atl1c: Work around the DMA RX overflow issue

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

Bluetooth: btrtl: fix out of bounds memory access

Bluetooth: btrtl: fix out of bounds memory access

CVE patch is for AMD Inception vulnerability related to Speculative Return Stack Overflow (SRSO)

Input: powermate - fix use-after-free in powermate_config_complete

Bluetooth: Fix TOCTOU in HCI debugfs implementation

xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING

mlxsw: spectrum_acl_tcam: Fix memory leak during rehash

filelock: Remove locks reliably when fcntl/close race is detected

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

mm/swap: fix race when skipping swapcache

ext4: avoid allocating blocks from corrupted group

ext4: avoid dividing by 0 in mb_update_avg_fragment_size()

mptcp: fix double-free on socket dismantle

net: veth: clear GRO when clearing XDP even when down MIME-Version: 1.0

Out of scope: boot time issue

bpf: Guard stack limits against 32bit overflow

of: Fix double free in of_parse_phandle_with_args_map

ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()

ALSA: scarlett2: Add missing error checks to *_ctl_get()

x86/mm: Ensure input to pfn_to_kaddr() is treated as a 64-bit type

net: atlantic: eliminate double free in error handling logic

drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node

drm/tegra: rgb: Fix some error handling paths in tegra_dc_rgb_probe()

drm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe()

Do not support powerpc build with kasan sanitizer 4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0

RDMA/qedr: Fix qedr_create_user_qp error flow

HID: i2c-hid-of: fix NULL-deref on failed power up

HID: i2c-hid-of: fix NULL-deref on failed power up

RDMA/srpt: Support specifying the srpt_service_guid

arp: Prevent overflow in arp_req_get().

md: Don't ignore suspended array in md_check_recovery()

net/sched: act_mirred: use the backlog for mirred ingress

md: Don't ignore read-only array in md_check_recovery()

vt_ioctl: fix array_index_nospec in vt_setactivate

ring-buffer: Do not attempt to read past "commit"

thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR

bpf: fix check for attempt to corrupt spilled pointer

mfd: syscon: Fix null pointer dereference in of_syscon_register()

Out of scope: not affected

platform/x86: think-lmi: Fix reference leak

drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()

virtio-blk: fix implicit overflow on virtio_max_dma_size

i915/perf: Fix NULL deref bugs with drm_dbg() calls

bonding: stop the device in bond_setup_by_slave()

i2c: core: Run atomic i2c xfer when !preemptible

i2c: core: Fix atomic xfer check for non-preempt config

Bug doesn't hit as enum values are just shifted numbers

crypto: pcrypt - Fix hungtask for PADATA_RESET

scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool

net/smc: avoid data corruption caused by decline

cpu/hotplug: Prevent self deadlock on CPU hot-unplug

cpu/hotplug: Don't offline the last non-isolated CPU

Bluetooth: btusb: Add date->evt_skb is NULL check

Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

perf: hisi: Fix use-after-free when register pmu fails

drm/radeon: possible buffer overflow

pstore/platform: Add check for kstrdup

can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds

nommu: kernel is not vulnerable. Commit 8220543("nommu: remove uses of VMA linked list") is absent

cachefiles: fix memory leak in cachefiles_add_cache()

geneve: make sure to pull inner header in geneve_rx()

hsr: Fix uninit-value access in hsr_get_node()

NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102

quota: Fix potential NULL pointer dereference

Current kernel is not vulnerable.

do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak

x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot

x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

drm/amdgpu: Reset IH OVERFLOW_CLEAR bit

tracing/trigger: Fix to return error if failed to alloc snapshot

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

drm/i915/gt: Reset queue_priority_hint on parking

drm/i915/vma: Fix UAF on destroy against retire race

drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed

wireguard: netlink: access device through ctx instead of peer

wireguard: netlink: check for dangling peer via is_dead instead of empty list

net: esp: fix bad handling of pages from page_pool

nbd: fix uaf in nbd_open

nbd: fix uaf in nbd_open

Kernel is not vulnerable: commit f2d5dcb4 is absent.

wifi: rtw89: fix null pointer access when abort scan

dyndbg: fix old BUG_ON in >control parser

drm/client: Fully protect modes[] with dev->mode_config.mutex

drm/ast: Fix soft lockup

net/mlx5e: Fix mlx5e_priv_init() cleanup flow

geneve: fix header validation in geneve[6]_xmit_skb

geneve: Fix incorrect inner network header offset when innerprotoinherit is set

bareudp: Pull inner IP header on xmit

vxlan: Pull inner IP header in vxlan_xmit_one()

drm/amdgpu: Fix potential null pointer derefernce

USB: core: Fix access violation during port device removal

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash

Not a bug for a real-life RHEL9 setup

EFI Firmware: CVE patch is for EFI firmware which runs at boot time.

Kernel is not affected

Kernel is not affected

CVE patch is for powerpc arch only

tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL

drm/amdgpu/debugfs: fix error code when smc register accessors are NULL

ASoC: SOF: Add some bounds checking to firmware data

tcp_metrics: validate source addr length

net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()

inet: read sk->sk_family once in inet_recv_error()

Boot time issue

net: atlantic: Fix DMA mapping for PTP hwts ring

fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand()

fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats

ext4: fix double-free of blocks due to wrong

drm/amd/display: Fix MST Null Ptr for RV

ppp_async: limit MRU to 64K

drm/amdkfd: Fix lock dependency warning with srcu

Warning fix doesn't worth live-patching

Boot time fix cannot be fixed with live-patching

The patch for this CVE fixing vulnerability which was introduced in kernel v6.7

PM / devfreq: Synchronize devfreq_monitor_[start/stop]

drm/tegra: dsi: Add missing check for of_find_device_by_node

Complex adaptation required. x86 and amd64 architectures are not affected. Issues triggers while dumping after another crash.

fbdev: Fix invalid page access after closing deferred I/O devices

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for powerpc arch only

mmc: sdio: fix possible resource leaks in some error paths

net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path

ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx->headset_codec_dev = NULL

calipso: fix memory leak in netlbl_calipso_add_pass()

nfs: fix UAF in direct writes

nfs: fix UAF in direct writes

mm: swap: fix race between free_swap_and_cache() and swapoff()

usb: xhci: Add error handling in xhci_map_urb_for_dma

fat: fix uninitialized field in nostale filehandles

nouveau: fix instmem race condition around ptr stores

mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled

Out of scope as the patch is for vmlinux init sections which are discarded after the boot

arm64: hibernate: Fix level3 translation fault in swsusp_save()

nbd: null check for nla_nest_start

Fix commit isn't present

pstore: inode: Only d_invalidate() is needed

clk: Fix clk_core_get NULL dereference

drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'

net: openvswitch: Fix Use-After-Free in ovs_ct_exit

Complex adaptation required. Network services prevents update because they can sleep in subflow_finish_connect() function.

wifi: nl80211: reject iftype change with mesh ID change

cpumap: Zero-initialise xdp_rxq_info struct before running

ALSA: usb-audio: Stop parsing channels bits when all channels

genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

KVM: Always flush async #PF workqueue when vCPU is being destroyed

KVM: Always flush async #PF workqueue when vCPU is being destroyed

Kernel is not affected

Bug triggers in kdump kernel which we don't patch

ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()

drm/amd/display: Implement bounds check for stream encoder creation in DCN301

tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()

hwmon: (coretemp) Fix out-of-bounds memory access

net/sched: flower: Fix chain template offload kpatch

Out of scope: not affected

tun: limit printing rate when illegal packet received by tun dev

netfilter: flowtable: incorrect pppoe tuple

x86/mm/pat: fix VM_PAT handling in COW mappings

smb: client: fix potential UAF in smb2_is_valid_lease_break()

smb: client: fix potential UAF in cifs_dump_full_key()

smb: client: fix potential UAF in smb2_is_valid_oplock_break()

smb: client: fix potential UAF in cifs_stats_proc_show()

of: module: prevent NULL pointer dereference in vsnprintf()

mm/secretmem: fix GUP-fast succeeding on secretmem folios

x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()

ipv6: Fix infinite recursion in fib6_dump_done().

erspan: make sure erspan_base_hdr is present in skb->head

net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()

netfilter: nf_tables: reject new basechain after table flag update

bpf: Fix verification of indirect var-off stack access

bpf: Protect against int overflow for stack access size

tls: get psock ref after taking rxlock to avoid leak

wifi: iwlwifi: mvm: rfi: fix potential response leaks

It is not possible to fix this vulnerability using kernel livepatching because it lies below the system call level.

Existing kernels aren't affected

Existing kernels aren't affected

soundwire: cadence: fix invalid PDI offset

ALSA: timer: Set lower bound of start tick time

af_unix: Fix data races around sk->sk_shutdown.

af_unix: Fix data races around sk->sk_shutdown.

af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg

ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()

ALSA: Fix deadlocks with kctl removals at disconnection

ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup

ALSA: hda/cs_dsp_ctl: add minimal macros for __free(kfree) to work

scsi: qedf: Make qedf_execute_tmf() non-preemptible

drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes

ftruncate: pass a signed offset

pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (Adaptation)

kernel version 5.14 not affected

kernel version 5.14 not affected

kernel version 5.14 not affected

netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

clk: Get runtime PM before walking tree during disable_unused

clk: Get runtime PM before walking tree during disable_unused

Get runtime PM before walking tree for clk_summaryatch-description:

nouveau: lock the client object tree

nouveau: lock the client object tree

Affects only __init function for a built-in component, so patching will have no effect

None of the kernels is affected

net/mlx5e: fix a double-free in arfs_create_groups

mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update

wifi: mac80211: fix potential sta-link leak

irqchip/gic-v3-its: Prevent double free on error

smb: client: fix potential UAF in cifs_debug_files_proc_show()

smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()

smb: client: fix potential UAF in smb2_is_network_name_deleted()

smb: client: fix potential UAF in is_valid_oplock_break()

net: bridge: switchdev: Skip MDB replays of deferred events on offload

Out of scope as the patch is for i.MX SoC

wifi: mt76: mt7921e: fix use-after-free in free_irq()

mm, vmalloc: fix high order __GFP_NOFAIL allocations

mm/vmalloc: fix vmalloc which may return null if called with

Out of scope: ARM64 architecture issue

drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

Kernel is not affected.

vmci: prevent speculation leaks by sanitizing event in event_deliver()

Existing kernels aren't affected

serial: imx: Introduce timeout when waiting on transmitter empty

iommu: Return right value in iommu_sva_bind_device()

net/mlx5: Fix tainted pointer delete is case of flow rules creation fail

drm/radeon: fix UBSAN warning in kv_dpm.c

mm/page_table_check: fix crash on ZONE_DEVICE

nfs: handle error of rpc_proc_register() in init_nfs_fs()

[PATCH] pinctrl: core: delete incorrect free in pinctrl_enable()

Kernel is not affected

net/smc: fix neighbour and rtable leak in smc_ib_find_route()

Thermal debugfs isn't present on redhat kernels.

Thermal debugfs isn't present on redhat kernels.

[PATCH] KEYS: trusted: Fix memory leak in tpm2_key_encode()

[PATCH] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP

usb: dwc3: Wait unconditionally after issuing EndXfer command

Intoduced in the same kernel version with the fix

Complex adaptation required

Intoduced in the same kernel version with the fix

net: hns3: fix kernel crash problem in concurrent scenario

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory

bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()

vmxnet3: disable rx data ring on dma allocation failure

Complex adaptation required, low score patch for non critical subsystem amdgpu

filelock: Fix fcntl/close race recovery compat path

Kernel not vulnerable: blamed commit is absent

firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers

netfilter: nf_tables: prefer nft_chain_validate

firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files

drm/radeon: check bo_va->bo is non-NULL before using it

Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

RDMA/irdma: Fix KASAN issue with tasklet

nvme-fc: do not wait in vain when unloading module

nvme-fc: do not wait in vain when unloading module

RDMA/srpt: Do not register event handler until srpt device is fully setup

amdgpu: validate offset_in_bo of drm_amdgpu_gem_va

drm/amdgpu: validate the parameters of bo mapping operations more clearly

vfio/pci: Disable auto-enable of exclusive INTx IRQ

wireguard: receive: annotate data-race around receiving_counter.counter

drivers: core: synchronize really_probe() and dev_uevent()

KVM: x86/pmu: Disable support for adaptive PEBS

[PATCH 1/1] leds: trigger: Unregister sysfs attributes before calling

dma: fix call order in dmam_free_coherent

Affects only the s390 architecture.

net/mlx5: Always drain health in shutdown callback

wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()

[PATCH 5063/5129] mm/memcg: minor cleanup for MEM_CGROUP_ID_MAX

[PATCH 05019/17954] memcontrol: ensure memcg acquired by id is

[PATCH] memcg: protect concurrent access to mem_cgroup_idr

wifi: mac80211: fix NULL dereference at band check in starting tx ba session

fuse: Initialize beyond-EOF page contents before setting uptodate

complex adaptation required for el9-arm64, el9-x86 not affected

spi: Fix null dereference on suspend

spi: Fix null dereference on suspend

tty: add the option to have a tty reject a new ldisc

tty: add the option to have a tty reject a new ldisc

Affected p2sb driver is not present in kernel v5.14.0

firmware: cs_dsp: Return error if block header overflows file

firmware: cs_dsp: Validate payload length before processing block

Out of scope: 64-bit systems not affected.

net/mlx5: Fix missing lock on sync reset reload

nvme-pci: add missing condition check for existence of mapped data

mlxsw: spectrum_acl_tcam: Fix incorrect list API usage

mm: use memalloc_nofs_save() in page_cache_ra_order()

ppdev: Add an error check in register_device

iommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault()

ACPI: CPPC: Use access_width over bit_width for system memory accesses

dm snapshot: fix lockup in dm_exception_table_exit

ext4: fix corruption during on-line resize

Revert "md: unlock mddev before reap sync_thread in action_store"

md: refactor action_store() for 'idle' and 'frozen'

md: export helpers to stop sync_thread

md/dm-raid: don't call md_reap_sync_thread() directly

PCI/PM: Drain runtime-idle callbacks before driver removal

Patch for this CVE has been reverted. Hence skipped

drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag

usb: udc: remove warning when queue disabled ep

misc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume

s390 arch not supported.

Existing kernels aren't affected

Already fixed in the existing el9 kernels.

tusb: gadget: core: Check for unset descriptor

packet: annotate data-races around ignore_outgoing

x86/mm: Fix pti_clone_pgtable() alignment assumption

netfilter: nf_tables: set dormant flag on hook register failure

net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

hwrng: core - Fix page fault dead lock on mmap-ed hwrng

bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers

iio: core: fix memleak in iio_device_register_sysfs

nbd: Low-score CVE. Patched function is called from a kthread and sleeps, which may prevent patching/unpatching.

tracing: Ensure visibility when inserting an element into tracing_map

Affects only boot __init stage, already booted kernels are not affected

Kernel not vulnerable.

netfilter: nf_tables: fix memleak in map from abort path

commit that introduces CVE is not present

older kernels do not have support for DisplayCoreNext 3.5

older kernels do not have support for DisplayCoreNext 3.5

usb: typec: ucsi: Limit read size on v1.2

block: prevent division by zero in blk_rq_stat_sum()

drm: Check output polling initialized before disabling

The patch was later reverted in eb4f139888f6

scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()

wifi:ath11k, low score CVE that needs complex adaptation but decreasing MHI Bus' buf-len isn't a typical security fix.

dma-direct: Leak pages on dma_set_decrypted() failure

VMCI: Use struct_size() in kmalloc()

VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()

None of the existing kernels is affected

Low-score CVE which might introduce problems in net subsystem

io_uring/sqpoll: work around a potential audit memory leak