cifs: potential buffer overflow in handling symlinks

Out of scope: User-mode Linux isn't supported for current kernel

net: atm: fix use after free in lec_send()

wifi: iwlwifi: limit printed string from FW file

ext4: ignore xattrs past end

misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

ext4: avoid resizing to a partial cluster size

drivers:md:fix a potential use-after-free bug

media: uvcvideo: Fix double free in error path

media: uvcvideo: Remove s_ctrl and g_ctrl

media: uvcvideo: Remove s_ctrl and g_ctrl

media: uvcvideo: Set error_idx during ctrl_commit errors

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

padata: fix UAF in padata_reorder

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

ext4: fix off-by-one error in do_split

Complex adaptation required. Low impact CVE

net: ch9200: fix uninitialised access during mii_nway_restart

i2c/designware: Fix an initialization issue

can: peak_usb: fix use after free bugs

sch_hfsc: make hfsc_qlen_notify() idempotent

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

crypto: algif_hash - fix double free in hash_accept

ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead

Bluetooth: hci_core: Fix use-after-free in vhci_flush()

sch_qfq: make qfq_qlen_notify() idempotent

sch_cbq: make cbq_qlen_notify() idempotent

sch_htb: make htb_qlen_notify() idempotent

sch_htb: make htb_deactivate() idempotent

sch_ets: make est_qlen_notify() idempotent

sch_drr: make drr_qlen_notify() idempotent

net/sched: Always pass notifications when child class becomes empty

Complex adaptation required. High risk of regression.

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

scsi: lpfc: Use memcpy() for BIOS version

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

tipc: Fix use-after-free in tipc_conn_close().

md-raid10: fix KASAN warning

ipv6: mcast: extend RCU protection in igmp6_send()

udp: Fix memory accounting leak.

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

net/sched: sch_qfq: Fix race condition on qfq_aggregate

net/sched: sch_qfq: Fix race condition on qfq_aggregate

smb: client: fix use-after-free in cifs_oplock_break

drm/amd/display: clear optc underflow before turn off odm clock

bpf: Don't use tnum_range on array range checking for poke descriptors

Out of scope: not affected

ALSA: bcd2000: Fix a UAF bug on the error path of probing

net_sched: ets: Fix double list add in class with netem as child qdisc

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

requires a very complex adaptation

vsock: Fix transport_* TOCTOU

vsock: Fix transport_* TOCTOU

use uniform permission checks for all mount propagation changes

Not affected: issue introduced since 4.18.0-477.*

Bluetooth: L2CAP: Fix use-after-free

net: usb: smsc75xx: Limit packet length to skb->len

net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

HID: core: Harden s32ton() against conversion to 0 bits

HID: core: fix shift-out-of-bounds in hid_report_raw_event

Out of scope: not affected

RDMA/irdma: Fix a window for use-after-free

KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0

net_sched: hfsc: Fix a UAF vulnerability in class handling

This CVE has been rejected or withdrawn by its CVE Numbering Authority as per NVD website

mptcp: do not queue data on closed subflows

mm: fix zswap writeback race condition

mm: zswap: fix missing folio cleanup in writeback race path

crypto: seqiv - Handle EBUSY correctly

Bluetooth: Fix potential use-after-free when clear keys

wifi: cfg80211: fix use-after-free in cmp_bss()

fs: fix UAF/GPF bug in nilfs_mdt_destroy

scsi: lpfc: Fix buffer free/clear order in deferred receive path

wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()

ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface()

iomap: iomap: fix memory corruption when recording errors during writeback

wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes

wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

ASoC: SOF: Intel: hda: Fix potential buffer overflow by snprintf()

wifi: mac80211: check S1G action frame size

sctp: linearize cloned gso packets in sctp_rcv

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

The vulnerable commit isn't present in the kernel-eus-8.6 series.

NFSD: Protect against send buffer overflow in NFSv2 READ

ALSA: usb-audio: Validate UAC3 power domain descriptors, too

ALSA: usb-audio: Validate UAC3 power domain descriptors, too

mt76: mt7921: fix kernel panic by accessing unallocated eeprom.data

ip6mr: Fix skb_under_panic in ip6mr_cache_report()

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

net: sched: sfb: fix null pointer access issue when sfb_init() fails

ext4: fix undefined behavior in bit shift for ext4_check_flag_values

skbuff: skb_segment, Call zero copy functions before using skbuff frags

wifi: mwifiex: Fix OOB and integer underflow when rx packets

wifi: mwifiex: Fix missed return in oob checks failed path

wifi: mwifiex: Fix OOB and integer underflow when rx packets

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

smb: client: fix race with concurrent opens in rename(2)

tty: keyboard, do not speculate on func_table index

tty/vt: fix write/write race in ioctl(KDSKBSENT)

vt: keyboard, simplify vt_kdgkbsent

vt: keyboard, extend func_buf_lock to readers

vt: keyboard, rename i to kb_func in vt_do_kdgkb_ioctl

vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl

wifi: mac80211: don't return unset power in ieee80211_get_tx_power()

RDMA/rxe: Fix mr->map double free

scsi: qla2xxx: Wait for io return on terminate rport

mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()

nbd: fix incomplete validation of ioctl arg

scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses

scsi: ses: Fix possible desc_ptr out-of-bounds accesses

NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL

smb: client: Fix use-after-free in cifs_fill_dirent

e1000e: fix heap overflow in e1000_set_eeprom

i40e: fix validation of VF state in get resources

i40e: fix input validation logic for action_meta

i40e: fix idx validation in config queues msg

i40e: fix idx validation in i40e_validate_queue_map

i40e: add validation for ring_len param

i40e: add validation for ring_len param

i40e: validate ring_len parameter against hardware-specific values

libceph: fix potential use-after-free in have_mon_and_osd_map()

mac80211: fix potential double free on mesh join

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

ipv6: Fix out-of-bounds access in ipv6_find_tlv()

vsock: Ignore signal/timeout on connect() if already established

media: rc: fix races with imon_disconnect()

tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

mptcp: fix race condition in mptcp_schedule_work()

Bluetooth: hci_event: call disconnect callback before deleting conn

NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

fbdev: bitblit: bound-check glyph index in bit_putcs*

ext4: fix use-after-free in ext4_orphan_cleanup

net/mlx5e: Check for NOT_READY flag state after locking

Out of scope: not affected

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname

cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname

atm: clip: Fix infinite recursive call of clip_push().

RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem

Squashfs: check return result of sb_min_blocksize

squashfs: fix memory leak in squashfs_fill_super

Squashfs: check return result of sb_min_blocksize

smb: client: let recv_done verify data_offset, data_length and remaining_data_length

usb: core: config: Prevent OOB read in SS endpoint companion parsing

net/sched: Enforce that teql can only be used as root

fs/proc: fix uaf in proc_readdir_de()

ip6_vti: fix slab-use-after-free in decode_session6

net: page_pool: use in_softirq() instead

page_pool: fix inconsistency for page_pool_ring_[un]lock()

page_pool: Fix use-after-free in page_pool_recycle_in_ring

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer