netfilter: ipset: add missing range check in bitmap_ip_uadt

hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()

net/mlx5: Always stop health timer during driver removal

net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

vsock: Keep the binding until socket destruction

vsock: Orphan socket after transport release

wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

Out of scope: User-mode Linux isn't supported for current kernel

cifs: fix double free race when mount fails in cifs_get_root()

security/keys: fix slab-out-of-bounds in key_task_permission

idpf: fix idpf_vc_core_init error path

ndisc: use RCU protection in ndisc_alloc_skb()

Bluetooth: Fix use after free in hci_send_acl

Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set

udf: Fix a slab-out-of-bounds write bug in udf_find_entry()

cifs: potential buffer overflow in handling symlinks

media: uvcvideo: Fix double free in error path

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

net: atm: fix use after free in lec_send()

misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

ext4: fix off-by-one error in do_split

ext4: ignore xattrs past end

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

net: ch9200: fix uninitialised access during mii_nway_restart

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

wifi: iwlwifi: limit printed string from FW file

ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

ext4: avoid resizing to a partial cluster size

crypto: algif_hash - fix double free in hash_accept

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Complex adaptation required. Low impact CVE

can: peak_usb: fix use after free bugs

padata: fix UAF in padata_reorder

ipv6: mcast: extend RCU protection in igmp6_send()

ipv6: mcast: extend RCU protection in igmp6_send()

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

net/ipv6: release expired exception dst cached in socket

Complex adaptation required. High risk of regression.

drm/vkms: Fix use after free and double free on init error

drm/vkms: Fix use after free and double free on init error

net_sched: ets: Fix double list add in class with netem as child qdisc

i2c/designware: Fix an initialization issue

Bluetooth: hci_core: Fix use-after-free in vhci_flush()

udp: Fix memory accounting leak.

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

net/sched: sch_qfq: Fix race condition on qfq_aggregate

net/sched: sch_qfq: Fix race condition on qfq_aggregate

tipc: Fix use-after-free in tipc_conn_close().

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

scsi: lpfc: Use memcpy() for BIOS version

bpf: Don't use tnum_range on array range checking for poke descriptors

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

net: usb: smsc75xx: Limit packet length to skb->len

net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull

sch_qfq: make qfq_qlen_notify() idempotent

sch_cbq: make cbq_qlen_notify() idempotent

sch_htb: make htb_qlen_notify() idempotent

sch_htb: make htb_deactivate() idempotent

sch_hfsc: make hfsc_qlen_notify() idempotent

sch_ets: make est_qlen_notify() idempotent

sch_drr: make drr_qlen_notify() idempotent

net/sched: Always pass notifications when child class becomes empty

requires a very complex adaptation

idpf: convert control queue mutex to a spinlock

vsock: Fix transport_* TOCTOU

vsock: Fix transport_* TOCTOU

use uniform permission checks for all mount propagation changes

HID: core: Harden s32ton() against conversion to 0 bits

HID: core: fix shift-out-of-bounds in hid_report_raw_event

sctp: linearize cloned gso packets in sctp_rcv

Out of scope: not affected

net_sched: hfsc: Fix a UAF vulnerability in class handling

Out of scope: not affected

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

smb: client: fix use-after-free in cifs_oplock_break

Bluetooth: L2CAP: Fix use-after-free

KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0

crypto: seqiv - Handle EBUSY correctly

This CVE has been rejected or withdrawn by its CVE Numbering Authority as per NVD website

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

scsi: lpfc: Fix buffer free/clear order in deferred receive path

wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()

Bluetooth: Fix potential use-after-free when clear keys

wifi: cfg80211: fix use-after-free in cmp_bss()

wifi: mwifiex: Fix OOB and integer underflow when rx packets

wifi: mwifiex: Fix missed return in oob checks failed path

wifi: mwifiex: Fix OOB and integer underflow when rx packets

wifi: mac80211: check S1G action frame size

fs: fix UAF/GPF bug in nilfs_mdt_destroy

mm: fix zswap writeback race condition

mm: zswap: fix missing folio cleanup in writeback race path

vsock/virtio: Validate length in packet header before skb_put()

NFS: Fix a race when updating an existing write

i40e: fix idx validation in config queues msg

nbd: fix incomplete validation of ioctl arg

smb: client: fix race with concurrent opens in rename(2)

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

e1000e: fix heap overflow in e1000_set_eeprom

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

RDMA/rxe: Fix mr->map double free

mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()

RDMA/rxe: Fix incomplete state save in rxe_requester

sctp: avoid NULL dereference when chunk data buffer is missing

libceph: fix potential use-after-free in have_mon_and_osd_map()

libceph: fix potential use-after-free in have_mon_and_osd_map()

media: rc: fix races with imon_disconnect()

Complex adaptation required.

drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies

net: atlantic: fix fragment overflow handling in RX path

smb: client: Fix use-after-free in cifs_fill_dirent

smb: client: let recv_done verify data_offset, data_length and remaining_data_length

vsock: Ignore signal/timeout on connect() if already established

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

Bluetooth: hci_event: call disconnect callback before deleting conn

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

Squashfs: check return result of sb_min_blocksize

squashfs: fix memory leak in squashfs_fill_super

Squashfs: check return result of sb_min_blocksize

IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem

RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug

atm: clip: Fix infinite recursive call of clip_push().

usb: core: config: Prevent OOB read in SS endpoint companion parsing

mptcp: fix race condition in mptcp_schedule_work()

fs/proc: fix uaf in proc_readdir_de()

fbdev: bitblit: bound-check glyph index in bit_putcs*

ext4: fix use-after-free in ext4_orphan_cleanup

vsock/vmci: Clear the vmci transport packet properly when initializing it

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

net: dst: add four helpers to annotate data-races around dst->dev

net: Add locking to protect skb->dev access in ip_output

net: gain ipv4 mtu when mtu is not locked

ipv4: use RCU protection in __ip_rt_update_pmtu()

net: dst: introduce dst->dev_rcu

ipv6: use RCU in ip6_output()

ipv6: use RCU in ip6_xmit()

net: use dst_dev_rcu() in sk_setup_caps()

ipv4: add RCU protection to ip4_dst_hoplimit()

ipv4: use RCU protection in ip_dst_mtu_maybe_forward()

net: use dst_dev_rcu() in sk_setup_caps()

smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

Bluetooth: hci_event: Ignore multiple conn complete events

Bluetooth: hci_event: Fix checking for invalid handle on error status

Bluetooth: hci_sync: Cleanup hci_conn if it cannot be aborted

Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync

Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync

smc: Fix use-after-free in __pnet_find_base_ndev().

mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats

page_pool: Fix use-after-free in page_pool_recycle_in_ring

net/sched: Enforce that teql can only be used as root qdisc

bridge: mcast: Fix use-after-free during router port configuration

migrate: correct lock ordering for hugetlb file folios

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

macvlan: fix possible UAF in macvlan_forward_source()

x86 xen add xenpv restore regs and return to usermode

kpatch add alt asm definitions