Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE

mptcp: pm: Fix uaf in __timer_delete_sync

media: edia: dvbdev: fix a use-after-free

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race

netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

selinux,smack: don't bypass permissions check in inode_setsecctx hook

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

xfrm: validate new SA's prefixlen using SA family when sel.family is unset

xfrm: fix one more kernel-infoleak in algo dumping

arm64: Low-score CVE requiring adaptation that is hard to implement; targets very rare hardware

i40e: fix i40e_count_filters() to count only active/new filters

i40e: fix race condition by adding filter's intermediate sync state

i40e: fix race condition by adding filter's intermediate sync state

mptcp: cope racing subflow creation in mptcp_rcv_space_adjust

scsi: core: Fix unremoved procfs host directory regression

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

HID: core: zero-initialize the report buffer

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

scsi: megaraid_sas: Fix for a potential deadlock

PPS for embedded GPS devices. Irrelevant for servers.

can: bcm: Fix UAF in bcm_proc_show()

Out of scope: ARM64 architecture isn't supported for current kernel

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

netfilter: ipset: add missing range check in bitmap_ip_uadt

hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()

net/mlx5: Always stop health timer during driver removal

net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

vsock: Keep the binding until socket destruction

vsock: Orphan socket after transport release

wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

Out of scope: User-mode Linux isn't supported for current kernel

cifs: fix double free race when mount fails in cifs_get_root()

security/keys: fix slab-out-of-bounds in key_task_permission

idpf: fix idpf_vc_core_init error path

ndisc: use RCU protection in ndisc_alloc_skb()

Bluetooth: Fix use after free in hci_send_acl

Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set

cifs: potential buffer overflow in handling symlinks

media: uvcvideo: Fix double free in error path

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

net: atm: fix use after free in lec_send()

misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

ext4: fix off-by-one error in do_split

ext4: ignore xattrs past end

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

net: ch9200: fix uninitialised access during mii_nway_restart

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

wifi: iwlwifi: limit printed string from FW file

ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

ext4: avoid resizing to a partial cluster size

crypto: algif_hash - fix double free in hash_accept

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Complex adaptation required. Low impact CVE

can: peak_usb: fix use after free bugs

padata: fix UAF in padata_reorder

ipv6: mcast: extend RCU protection in igmp6_send()

ipv6: mcast: extend RCU protection in igmp6_send()

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

net/ipv6: release expired exception dst cached in socket

mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

drm/vkms: Fix use after free and double free on init error

drm/vkms: Fix use after free and double free on init error

net_sched: ets: Fix double list add in class with netem as child qdisc

i2c/designware: Fix an initialization issue

Bluetooth: hci_core: Fix use-after-free in vhci_flush()

module: use RCU to synchronize find_module

udp: Fix memory accounting leak.

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

net/sched: sch_qfq: Fix race condition on qfq_aggregate

net/sched: sch_qfq: Fix race condition on qfq_aggregate

tipc: Fix use-after-free in tipc_conn_close().

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

scsi: lpfc: Use memcpy() for BIOS version

bpf: Don't use tnum_range on array range checking for poke descriptors

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

net: usb: smsc75xx: Limit packet length to skb->len

net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull

sch_qfq: make qfq_qlen_notify() idempotent

sch_cbq: make cbq_qlen_notify() idempotent

sch_htb: make htb_qlen_notify() idempotent

sch_htb: make htb_deactivate() idempotent

sch_hfsc: make hfsc_qlen_notify() idempotent

sch_ets: make est_qlen_notify() idempotent

sch_drr: make drr_qlen_notify() idempotent

net/sched: Always pass notifications when child class becomes empty

requires a very complex adaptation

idpf: convert control queue mutex to a spinlock

vsock: Fix transport_* TOCTOU

vsock: Fix transport_* TOCTOU

use uniform permission checks for all mount propagation changes

HID: core: Harden s32ton() against conversion to 0 bits

HID: core: fix shift-out-of-bounds in hid_report_raw_event

sctp: linearize cloned gso packets in sctp_rcv

Out of scope: not affected

net_sched: hfsc: Fix a UAF vulnerability in class handling

Out of scope: not affected

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

smb: client: fix use-after-free in cifs_oplock_break

Bluetooth: L2CAP: Fix use-after-free

KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0

crypto: seqiv - Handle EBUSY correctly

This CVE has been rejected or withdrawn by its CVE Numbering Authority as per NVD website

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

scsi: lpfc: Fix buffer free/clear order in deferred receive path

wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()

Bluetooth: Fix potential use-after-free when clear keys

wifi: cfg80211: fix use-after-free in cmp_bss()

wifi: mwifiex: Fix OOB and integer underflow when rx packets

wifi: mwifiex: Fix missed return in oob checks failed path

wifi: mwifiex: Fix OOB and integer underflow when rx packets

wifi: mac80211: check S1G action frame size

fs: fix UAF/GPF bug in nilfs_mdt_destroy

mm: fix zswap writeback race condition

mm: zswap: fix missing folio cleanup in writeback race path

vsock/virtio: Validate length in packet header before skb_put()

x86 xen add xenpv restore regs and return to usermode

kpatch add alt asm definitions