-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 27 May 2026 18:38:00 +0200
Source: linux
Architecture: source
Version: 5.10.257-1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Changes:
linux (5.10.257-1) bullseye-security; urgency=high
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.252
- RDMA/siw: Fix potential NULL pointer dereference in header processing
(CVE-2026-23242)
- RDMA/umad: Reject negative data_len in ib_umad_write (CVE-2026-23243)
- hfsplus: return error when node already exists in hfs_bnode_create
- gfs2: Add new gfs2_iomap_get helper
- gfs2: Turn gfs2_extent_map into gfs2_{get,alloc}_extent
- gfs2: Replace gfs2_lblk_to_dblk with gfs2_get_extent
- gfs2: Add wrapper for iomap_file_buffered_write
- gfs2: Move the inode glock locking to gfs2_file_buffered_write
- gfs2: Add metapath_dibh helper
- gfs2: Fix use-after-free in iomap inline data write path
- tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure
- [x86] tpm: st33zp24: Fix missing cleanup on get_burstcount() error
- btrfs: qgroup: return correct error when deleting qgroup relation item
- md/raid10: fix any_working flag handling in raid10_sync_request
- iomap: fix submission side handling of completion side errors
- PM: wakeup: Handle empty list in wakeup_sources_walk_start()
- PM: sleep: wakeirq: harden dev_pm_clear_wake_irq() against races
- [armhf] VDSO: Patch out __vdso_clock_getres() if unavailable
- [arm64] crypto: cavium - fix dma_free_coherent() size
- hrtimer: Fix trace oddity
- sched/rt: Skip currently executing CPU in rto_next_cpu()
- pstore/ram: fix buffer overflow in persistent_ram_save_old()
- [x86] EDAC/i5000: Fix snprintf() size calculation in
calculate_dimm_size()
- [x86] EDAC/i5400: Fix snprintf() limit calculation in
calculate_dimm_size()
- [arm64] clk: qcom: Return correct error code in qcom_cc_probe_by_index()
- [arm64] dts: qcom: sdm630: Add qfprom subnodes
- [arm64] dts: qcom: sdm630: correct QFPROM byte offsets
- [arm64] dts: qcom: sdm630: fix gpu_speed_bin size
- [armhf] dts: allwinner: sun5i-a13-utoo-p66: delete "power-gpios" property
- [arm64] soc: qcom: cmd-db: Use devm_memremap() to fix memory leak in
cmd_db_dev_probe
- [arm64] dts: amlogic: axg: assign the MMC signal clocks
- [arm64] dts: amlogic: gx: assign the MMC signal clocks
- [arm64] dts: amlogic: g12: assign the MMC B and C signal clocks
- [arm64] dts: amlogic: g12: assign the MMC A signal clock
- [arm64] dts: qcom: sdm845-db845c: specify power for WiFi CH1
- drm/amdgpu: Use explicit VCN instance 0 in SR-IOV init
- regulator: core: Respect off_on_delay at startup
- regulator: core: Fix off_on_delay handling
- regulator: Flag uncontrollable regulators as always_on
- regulator: core: Fix off-on-delay-us for always-on/boot-on regulators
- regulator: core: Use ktime_get_boottime() to determine how long a
regulator was off
- regulator: core: Shorten off-on-delay-us for always-on/boot-on by time
since booted
- regulator: core: move supply check earlier in set_machine_constraints()
- [arm64] platform/chrome: cros_ec_lightbar: Fix response size
initialization
- Revert "hwmon: (ibmpex) fix use-after-free in high/low store" (regression
in 5.10.248)
- PCI: Do not attempt to set ExtTag for VFs
- PCI/portdrv: Fix potential resource leak
- wifi: cfg80211: stop NAN and P2P in cfg80211_leave
- netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH
- netfilter: nf_conncount: increase the connection clean up limit to 64
- netfilter: nf_conncount: fix tracking of connections from localhost
- PCI: Mark 3ware-9650SA Root Port Extended Tags as broken
- [x86] iommu/vt-d: Flush cache for PASID table before using it
- nfsd: never defer requests during idmap lookup
- fat: avoid parent link count underflow in rmdir
- tcp: tcp_tx_timestamp() must look at the rtx queue
- PCI: Initialize RCB from pci_configure_device()
- ucount: check for CAP_SYS_RESOURCE using ns_capable_noaudit()
- bonding: only set speed/duplex to unknown, if getting speed failed
- netfilter: nft_set_hash: fix get operation on big endian
- netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets
- procfs: fix missing RCU protection when reading real_parent in
do_task_stat()
- net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
(CVE-2026-31411)
- serial: caif: fix use-after-free in caif_serial ldisc_close()
- power: supply: {act8945a,bq25980,cpcap-battery,goldfish,rt9455,
sbs-battery}: Fix use-after-free in power_supply_changed()
- power: supply: bq27xxx: fix wrong errno when bus ops are unsupported
- RDMA/rxe: Fix double free in rxe_srq_from_init
- PM: core: Redefine pm_ptr() macro
- PM: core: Add new *_PM_OPS macros, deprecate old ones
- [x86] crypto: ccp - Add an S4 restore flow
- RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send
- svcrdma: Add a batch Receive posting mechanism
- svcrdma: Use svc_rdma_refresh_recvs() in wc_receive
- svcrdma: Maintain a Receive water mark
- RDMA/core: Fix a couple of obvious typos in comments
- svcrdma: Remove queue-shortening warnings
- svcrdma: Clean up comment in svc_rdma_accept()
- svcrdma: Increase the per-transport rw_ctx count
- svcrdma: Reduce the number of rdma_rw contexts per-QP
- RDMA/core: add rdma_rw_max_sge() helper for SQ sizing
- RDMA/uverbs: Add __GFP_NOWARN to ib_uverbs_unmarshall_recv() kmalloc
- pNFS: fix a missing wake up while waiting on NFS_LAYOUT_DRAIN
- scsi: csiostor: Fix dereference of null pointer rn
- nvdimm: virtio_pmem: serialize flush requests
- [arm64] clk: meson: gxbb: Limit the HDMI PLL OD to /4 on GXL/GXM SoCs
- mmc: core: Initial support for SD express card/host
- misc: rtsx: Add SD Express mode support for RTS5261
- drivers: iio: mpu3050: use dev_err_probe for regulator request
- ovl: Fix uninit-value in ovl_fill_real
- iio: sca3000: Fix a resource leak in sca3000_probe()
- pinctrl: single: fix refcount leak in pcs_add_gpio_func()
- cpuidle: Skip governor when only one idle state is available
- usbb: catc: use correct API for MAC addresses
- net: usb: catc: enable basic endpoint checking
- xen-netback: reject zero-queue configuration from guest
- net/rds: rds_sendmsg should not discard payload_len
- netfilter: nf_conntrack_h323: don't pass uninitialised l3num value
- ipv6: fix a race in ip6_sock_set_v6only()
- macvlan: observe an RCU grace period in macvlan_common_newlink() error
path (CVE-2026-23273)
- bonding: alb: fix UAF in rlb_arp_recv during bond up/down
- apparmor: fix NULL sock in aa_sock_file_perm
- apparmor: fix rlimit for posix cpu timers
- apparmor: fix invalid deref of rawdata when export_binary is unset
- [x86] drm/i915/acpi: free _DSM package when no connectors
- btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not
found
- ext4: don't cache extent during splitting extent
- ext4: fix memory leak in ext4_ext_shift_extents()
- SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths
- SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path
- perf callchain: Fix srcline printing with inlines
- rtc: interface: Alarm race handling should not discard preceding error
(regression in 5.10.246)
- hfsplus: fix volume corruption issue for generic/498
- hfsplus: pretend special inodes as regular files
- minix: Add required sanity checking to minix_check_superblock()
- tools/power cpupower: Reset errno before strtoull()
- [arm64] Add support for TSV110 Spectre-BHB mitigation
- rnbd-srv: Zero the rsp buffer before using it
- [i386] xen/pvh: Enable PAE mode for 32-bit guest only when
CONFIG_X86_PAE is set
- EFI/CPER: don't dump the entire memory region
- APEI/GHES: ensure that won't go past CPER allocated record
- [arm64] EFI/CPER: don't go past the ARM processor CPER record buffer
- ACPICA: Abort AML bytecode execution when executing AML_FATAL_OP
- xenbus: Use .freeze/.thaw to handle xenbus devices
- blk-mq-debugfs: add missing debugfs_mutex in
blk_mq_debugfs_register_hctxs()
- bpf: verifier improvement in 32bit shift sign extension pattern
- pstore: ram_core: fix incorrect success return when vmap() fails
- [arm64] tegra: smaug: Add usb-role-switch support
- media: dvb-core: dmxdevfilter must always flush bufs
- [armhf] media: omap3isp: isp_video_mbus_to_pix/pix_to_mbus fixes
- [armhf] media: omap3isp: isppreview: always clamp in preview_try_format()
- [armhf] media: omap3isp: set initial format
- media: pvrusb2: fix URB leak in pvr2_send_request_ex
- media: solo6x10: Check for out of bounds chip_id
- media: cx25821: Fix a resource leak in cx25821_dev_setup()
- drm: Account property blob allocations to memcg
- hyper-v: Mark inner union in hv_kvp_exchg_msg_value as packed
- virt: vbox: uapi: Mark inner unions in packed structs as packed
- HID: multitouch: add eGalaxTouch EXC3188 support
- spi: spi-mem: Protect dirmap_create() with spi_mem_access_start/end
- [armhf] ASoC: es8328: Add error unwind in resume
- jfs: Add missing set_freezable() for freezable kthread
- jfs: nlink overflow in jfs_rename
- dm: remove fake timeout to avoid leak request
- [arm64] iommu/arm-smmu-v3: Improve CMDQ lock fairness and efficiency
- wifi: libertas: fix WARNING in usb_tx_block
- netfilter: nf_conntrack: Add allow_clash to generic protocol handler
- netfilter: xt_tcpmss: check remaining length before reading optlen
- net: usb: r8152: fix transmit queue timeout
- net/rds: No shortcut out of RDS_CONN_ERROR
- wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power()
- wifi: iwlegacy: add missing mutex protection in
il3945_store_measurement()
- ipv4: fib: Annotate access to struct fib_alias.fa_state.
- Bluetooth: hci_conn: use mod_delayed_work for active mode timeout
- Bluetooth: btusb: Add device ID for Realtek RTL8761BU
- wifi: ath10k: fix lock protection in
ath10k_wmi_event_peer_sta_ps_state_chg()
- net: usb: sr9700: remove code to drive nonexistent multicast filter
- [x86] vmw_vsock: bypass false-positive Wnonnull warning with gcc-16
- net/rds: Clear reconnect pending bit
- PCI: Mark ASM1164 SATA controller to avoid bus reset
- PCI: Fix pci_slot_lock () device locking
- PCI: Add ACS quirk for Qualcomm Hamoa & Glymur
- PCI: Mark Nvidia GB10 to avoid bus reset
- myri10ge: avoid uninitialized variable use
- serial: 8250_dw: handle clock enable errors in runtime_resume
- [x86] fix it87_wdt early reboot by reporting running timer
- binder: don't use %pK through printk
- [arm64] phy: fsl-imx8mq-usb: disable bind/unbind platform driver feature
- [armhf] Revert "mfd: da9052-spi: Change read-mask to write-mask"
(regression in 5.10.231)
- iio: magnetometer: Remove IRQF_ONESHOT
- include: uapi: netfilter_bridge.h: Cover for musl libc
- [armhf] 9467/1: mm: Don't use %pK through printk
- drm/amd/display: Avoid updating surface with the same surface under MPO
- drm/amdgpu: Add HAINAN clock adjustment
- drm/radeon: Add HAINAN clock adjustment
- ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access
- ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut
- xfrm6: fix uninitialized saddr in xfrm6_get_saddr()
- net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode
- lan78xx: Remove unused pause frame queue
- lan78xx: Fix race condition in disconnect handling
- lan78xx: Fix memory allocation bug
- net: usb: lan78xx: scan all MDIO addresses on LAN7801
- wifi: cfg80211: wext: fix IGTK key ID off-by-one
- Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ
- Bluetooth: L2CAP: Fix response to L2CAP_ECRED_CONN_REQ
- Bluetooth: Enforce key size of 16 bytes on FIPS level
- Bluetooth: l2cap: Check encryption key size on incoming connection
- Bluetooth: L2CAP: Fix not checking l2cap_chan security level
- Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ
- RDMA/core: Fix stale RoCE GIDs during netdev events at registration
- net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets
- RDMA/efa: Fix typo in efa_alloc_mr()
- net: usb: pegasus: enable basic endpoint checking
- net: consume xmit errors of GSO frames
- netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
- rpmsg: core: fix race in driver_override_show() and use core helper
- dm-verity: correctly handle dm_bufio_client_create() failure
- [arm*] media: mtk-mdp: Fix error handling in probe function
- [arm*] media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()
- HID: hid-pl: handle probe errors
- HID: magicmouse: Do not crash on missing msc->input
- HID: prodikeys: Check presence of pm->input_ep82
- HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()
- media: radio-keene: fix memory leak in error path
- media: cx88: Add missing unmap in snd_cx88_hw_params()
- media: cx23885: Add missing unmap in snd_cx23885_hw_params()
- media: cx25821: Add missing unmap in snd_cx25821_hw_params()
- [arm*] media: i2c/tw9903: Fix potential memory leak in tw9903_probe()
- [arm*] media: i2c/tw9906: Fix potential memory leak in tw9906_probe()
- dm-integrity: fix a typo in the code for write/discard race
- dm: clear cloned request bio pointer when last clone bio completes
- [arm*] soc: ti: pruss: Fix double free in pruss_clk_mux_setup()
- [armhf] clk: tegra: tegra124-emc: Fix potential memory leak in
tegra124_clk_register_emc()
- dm-unstripe: fix mapping bug when there are multiple targets in a table
- [arm64] dts: rockchip: Do not enable hdmi_sound node on Pinebook Pro
- [arm64] media: venus: vdec: fix error state assignment for zero bytesused
- drm: of: drm_of_panel_bridge_remove(): fix device_node leak
- mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations
- xfs: mark data structures corrupt on EIO and ENODATA
- [x86] iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in
scalable mode
- xfs: delete attr leaf freemap entries when empty
- xfs: fix freemap adjustments when adding xattrs to leaf blocks
- xfs: fix remote xattr valuelblk check
- md/bitmap: fix GPF in write_page caused by resize race
- nfsd: fix return error code for nfsd_map_name_to_[ug]id
- [arm64] bus: fsl-mc: fix an error handling in fsl_mc_device_add()
- dm mpath: make pg_init_delay_msecs settable
- iio: gyro: itg3200: Fix unchecked return value in read_raw
- ocfs2: fix reflink preserve cleanup issue
- kexec: derive purgatory entry from symbol
- Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling
SR-IOV" (regression in 5.10.246)
- PCI/IOV: Fix race between SR-IOV enable/disable and hotplug
(CVE-2025-40219)
- btrfs: continue trimming remaining devices on failure
- [arm*] usb: dwc2: fix resume failure if dr_mode is host
- tipc: fix RCU dereference race in tipc_aead_users_dec()
- drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
- [armhf] net: cpsw_new: Fix unnecessary netdev unregistration in
cpsw_probe() error path
- PCI: Fix pci_slot_trylock() error handling
- ceph: supply snapshot context in ceph_zero_partial_object()
- net: ethernet: marvell: skge: remove incorrect conflicting PCI ID
- net: intel: fix PCI device ID conflict between i40e and ipw2200
- atm: fore200e: fix use-after-free in tasklets during device removal
- [armhf] fbdev: vt8500lcdfb: fix missing dma_free_coherent()
- fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
- drm/amdgpu: keep vga memory on MacBooks with switchable graphics
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.253
- [armhf] clean up the memset64() C wrapper
- scsi: lpfc: Properly set WC for DPP mapping
- scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
(regression in 5.10.241)
- ALSA: usb-audio: Cap the packet size pre-calculations
- btrfs: fix incorrect key offset in error message in
check_dev_extent_item()
- [armhf] OMAP2+: add missing of_node_put before break and return
- [armhf] omap2: Fix reference count leaks in omap_control_init()
- [arm*] drm/tegra: dsi: fix device leak on probe
- [armhf] clk: tegra: tegra124-emc: fix device leak on set_rate()
- [x86] ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
- hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization
induced race
- [x86] ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
- [x86] net: arcnet: com20020-pci: fix support for 2.5Mbit cards
- media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
(CVE-2026-23253)
- nfc: pn533: properly drop the usb interface reference on disconnect
(CVE-2026-23291)
- net: usb: kaweth: validate USB endpoints (CVE-2026-23312)
- net: usb: kalmia: validate USB endpoints (CVE-2026-23365)
- net: usb: pegasus: validate USB endpoints (CVE-2026-23290)
- can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a
message (CVE-2026-23307)
- can: ucan: Fix infinite loop from zero-length messages (CVE-2026-23298)
- HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
(CVE-2026-23382)
- [x86] efi: defer freeing of boot services memory (CVE-2026-23352)
- ALSA: usb-audio: Use correct version for UAC3 header validation
(CVE-2026-23318)
- wifi: radiotap: reject radiotap with unknown bits (CVE-2026-23367)
- IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
(CVE-2026-23289)
- net/sched: ets: fix divide by zero in the offload path (CVE-2026-23379)
- Squashfs: check metadata block offset is within range (CVE-2026-23388)
- drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() (CVE-2026-23356)
- [x86] platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
- [armhf] net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry
handling in ALE table
- atm: lec: fix null-ptr-deref in lec_arp_clear_vccs (CVE-2026-23286)
- can: bcm: fix locking for bcm_op runtime updates (CVE-2026-23362)
- can: mcp251x: fix deadlock in error path of mcp251x_open (CVE-2026-23357)
- wifi: wlcore: Fix a locking bug (CVE-2026-23420)
- indirect_call_wrapper: do not reevaluate function pointer
- [amd64] xen/acpi-processor: fix _CST detection using undersized
evaluation buffer
- ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() (CVE-2026-23304)
- amd-xgbe: fix sleep while atomic on suspend/resume
- net: nfc: nci: Fix zero-length proprietary notifications (regression in
5.10.215)
- nfc: nci: free skb on nci_transceive early error paths (CVE-2026-23339)
- nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
- nfc: rawsock: cancel tx_work before socket teardown (CVE-2026-23372)
- net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
(CVE-2026-23381)
- net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
(CVE-2026-23293)
- net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
(CVE-2026-23300)
- [rt][x86] scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
- [x86] ACPI: PM: Save NVS memory on Lenovo G70-35
- unshare: fix unshare_fs() handling
- [x86] ACPI: OSI: Add DMI quirk for Acer Aspire One D255
- scsi: ses: Fix devices attaching to different hosts
- bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
- net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
- net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL
slave xmit (CVE-2026-23277)
- ASoC: soc-core: drop delayed_work_pending() check before flush
- ASoC: topology: use inclusive language for bclk and fsync
- ASoC: don't indicate error message for snd_soc_[pcm_]dai_xxx()
- ASoC: soc-core: move snd_soc_runtime_set_dai_fmt() to upside
- ASoC: soc-core: add snd_soc_runtime_get_dai_fmt()
- ASoC: soc-core: accept zero format at snd_soc_runtime_set_dai_fmt()
- ASoC: core: Exit all links before removing their components
- ASoC: core: Do not call link_exit() on uninitialized rtd objects
- ASoC: soc-core: flush delayed work before removing DAIs and widgets
- serial: caif: hold tty->link reference in ldisc_open and ser_release
- netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
- netfilter: x_tables: guard option walkers against 1-byte tail reads
- netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
- netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
- netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
(CVE-2026-23274)
- sched: idle: Make skipping governor callbacks more consistent
- nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
- i40e: fix src IP mask checks and memcpy argument names in cloud filter
- e1000/e1000e: Fix leak in DMA error cleanup
- [x86] ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock
acquisition
- ASoC: detect empty DMI strings
- cgroup: fix race between task migration and iteration
- net: usb: lan78xx: fix silent drop of packets with checksum errors
- net: usb: lan78xx: skip LTM configuration for LAN7850
- usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
- usb: xhci: Fix memory leak in xhci_disable_slot() (regression in 5.10.85)
- usb: yurex: fix race in probe
- usb: misc: uss720: properly clean up reference in uss720_probe()
- usb: core: don't power off roothub PHYs if phy_set_mode() fails
- usb: cdc-acm: Restore CAP_BRK functionnality to CH343 (regression in
5.10.209)
- USB: usbcore: Introduce usb_bulk_msg_killable()
- USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
- USB: core: Limit the length of unkillable synchronous timeouts
- usb: class: cdc-wdm: fix reordering issue in read code path
- [arm*] usb: renesas_usbhs: fix use-after-free in ISR during device
removal
- usb: mdc800: handle signal and read racing
- usb: image: mdc800: kill download URB on timeout
- mm/tracing: rss_stat: ensure curr is false from kthread context
- [arm*] mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
- tipc: fix divide-by-zero in tipc_sk_filter_connect()
- libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
- ceph: fix i_nlink underrun during async unlink
- time/jiffies: Mark jiffies_64_to_clock_t() notrace
- [arm*] irqchip/gic-v3-its: Limit number of per-device MSIs to the range
the ITS supports
- staging: rtl8723bs: fix potential out-of-bounds read in
rtw_restruct_wmm_ie
- staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
- media: dvb-net: fix OOB access in ULE extension header tables
(CVE-2026-31405)
- batman-adv: Avoid double-rtnl_lock ELP metric worker (regression in
5.10.235)
- nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
- net: ncsi: fix skb leak in error paths
- drm/amdgpu: Fix use-after-free race in VM acquire
- tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
- [x86] apic: Disable x2apic on resume if the kernel expects so
- btrfs: abort transaction on failure to update root in the received subvol
ioctl
- iio: dac: ds4424: reject -128 RAW value
- iio: chemical: bme680: Fix measurement wait duration calculation
- iio: imu: inv_icm42600: fix odr switch to the same value
- bpf: Forget ranges when refining tnum after JSET (CVE-2025-39748)
- l2tp: do not use sock_hold() in pppol2tp_session_get_sock()
- io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
- sunrpc: fix cache_request leak in cache_release (CVE-2026-31400)
- nvdimm/bus: Fix potential use after free in asynchronous initialization
(CVE-2026-31399)
- NFC: nxp-nci: allow GPIOs to sleep (CVE-2026-31545)
- net: macb: fix use-after-free access to PTP clock (CVE-2026-31396)
- Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
- Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
(CVE-2026-31393)
- mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
- mmc: sdhci: fix timing selection for 1-bit bus width
- [x86] iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
- serial: 8250_pci: add support for the AX99100
- serial: 8250: Fix TX deadlock when using DMA (regression in 5.10.235)
- serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART
BUSY
- drm/radeon: apply state adjust rules to some additional HAINAN vairants
- net: Handle napi_schedule() calls from non-interrupt
- [armhf] drm/exynos: vidi: use priv->vidi_dev for ctx lookup in
vidi_connection_ioctl()
- [armhf] drm/exynos: vidi: fix to avoid directly dereferencing user
pointer
- [armhf] drm/exynos: vidi: use ctx->lock to protect struct vidi_context
member variables related to memory alloc/free (CVE-2026-23227)
- ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting
I/O
- ext4: drop extent cache when splitting extent fails
- ext4: fix dirtyclusters double decrement on fs shutdown
- ata: libata: remove pointless VPRINTK() calls
- ata: libata-scsi: refactor ata_scsi_translate()
- wifi: libertas: fix use-after-free in lbs_free_adapter() (CVE-2026-23281)
- wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
(CVE-2026-23279)
- wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
(CVE-2026-23336)
- smb: client: Don't log plaintext credentials in cifs_set_cifscreds
(CVE-2026-23303)
- net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
(CVE-2026-23368)
- drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
- net/sched: act_gate: snapshot parameters with RCU on replace
(CVE-2026-23245)
- iomap: reject delalloc mappings during writeback
- tracing: Fix syscall events activation by ensuring refcount hits zero
- [arm*] pmdomain: bcm: bcm2835-power: Fix broken reset status read
- iio: light: bh1780: fix PM runtime leak on error path
- smb: client: fix atomic open with O_DIRECT & O_SYNC
- smb: client: fix iface port assignment in parse_server_interfaces
- xfs: ensure dquot item is deleted from AIL only after log shutdown
- xfs: fix integer overflow in bmap intent sort comparator
- crypto: atmel-sha204a - Fix OOM ->tfm_count leak (CVE-2026-31391)
- [arm64] drm/msm: Fix dma_free_attrs() buffer size
- [arm64] mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
(regression in 5.10.246)
- NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
(CVE-2026-31403)
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)
- mtd: Avoid boot crash in RedBoot partition table parser (CVE-2026-23474)
- [arm*] pmdomain: bcm: bcm2835-power: Increase ASB control timeout
(CVE-2026-31550)
- iio: imu: inv_icm42600: fix odr switch when turning buffer off
- usb: roles: get usb role switch from parent only for usb-b-connector
- usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
- can: gs_usb: gs_can_open(): always configure bitrates before starting
device
- [x86] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-
kernel APIC
- ALSA: pcm: fix wait_time calculations
- ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
- smb: client: Compare MACs in constant time
- net/tcp-md5: Fix MAC comparison to be constant-time
- staging: rtl8723bs: fix null dereference in find_network
- [arm64] soc: fsl: qbman: fix race condition in qman_destroy_fq
(CVE-2026-23463)
- Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
- Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
- Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
- Bluetooth: HIDP: Fix possible UAF (CVE-2026-23462)
- net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
(CVE-2026-23460)
- netfilter: ctnetlink: remove refcounting in expectation dumpers
(CVE-2025-39764)
- netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
(CVE-2026-23458)
- netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
sip_help_tcp() (CVE-2026-23457)
- netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
(CVE-2026-23456)
- netfilter: nft_ct: add seqadj extension for natted connections
(CVE-2025-68206)
- netfilter: nft_ct: drop pending enqueued packets on removal
- netfilter: xt_CT: drop pending enqueued packets on template removal
(CVE-2026-23391)
- netfilter: xt_time: use unsigned int for monthday bit shift
- netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
(CVE-2026-23455)
- [arm64] net: bcmgenet: increase WoL poll timeout
- sched: idle: Consolidate the handling of two special cases
- PM: runtime: Fix a race condition related to device removal
(CVE-2026-23452)
- net: usb: aqc111: Do not perform PM inside suspend callback
(CVE-2026-23446)
- igc: fix missing update of skb->tail in igc_xmit_frame()
- wifi: mac80211: fix NULL deref in mesh_matches_local() (CVE-2026-23396)
- wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough
headroom (CVE-2026-31552)
- [arm64] net: macb: fix uninitialized rx_fs_lock
- udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
(CVE-2026-23439)
- net: bonding: fix NULL deref in bond_debug_rlb_hash_show (CVE-2026-31546)
- nfnetlink_osf: validate individual option lengths in fingerprints
(CVE-2026-23397)
- [armhf] net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error
paths
- icmp: fix NULL pointer dereference in icmp_tag_validation()
(CVE-2026-23398)
- [armhf] i2c: fsi: Fix a potential leak in fsi_i2c_probe()
- mtd: rawnand: serialize lock/unlock against other NAND operations
(CVE-2026-23434)
- netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
(CVE-2026-23351)
- xen/privcmd: restrict usage in unprivileged domU (CVE-2026-31788)
- xen/privcmd: add boot control for restricted usage in domU
- HID: asus: avoid memory leak in asus_report_fixup() (CVE-2026-31524)
- [x86] platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold
16 Gen 1
- [x86] platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix
touchscreen on SUPI S10
- nvme-pci: ensure we're polling a polled queue (CVE-2026-31523)
- dma-buf: Include ioctl.h in UAPI header
- [x86] ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
- xfrm: call xdo_dev_state_delete during state update
- xfrm: Fix the usage of skb->sk
- esp: fix skb leak with espintcp and async crypto (CVE-2026-31518)
- af_key: validate families in pfkey_send_migrate() (CVE-2026-31515)
- can: statistics: add missing atomic access in hot path
- Bluetooth: L2CAP: Validate PDU length before reading SDU length in
l2cap_ecred_data_rcv() (CVE-2026-31512)
- Bluetooth: hci_ll: Fix firmware leak on error path
- Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
(CVE-2026-31510)
- nfc: nci: fix circular locking dependency in nci_close_device
(CVE-2026-31509)
- net: openvswitch: Avoid releasing netdev before teardown completes
(regression in 5.10.248) (CVE-2026-31508)
- openvswitch: validate MPLS set/set_masked payload length (CVE-2026-31679)
- net/smc: fix double-free of smc_spd_priv when tee() duplicates splice
pipe buffer (CVE-2026-31507)
- rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
- [armhf] platform/olpc: olpc-xo175-ec: Fix overflow error message to print
inlen
- net: fix fanout UAF in packet_release() via NETDEV_UP race
(CVE-2026-31504)
- [arm64] net: enetc: fix the output issue of 'ethtool --show-ring'
- dma-mapping: add missing `inline` for `dma_free_attrs`
- Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
(CVE-2026-31498)
- Bluetooth: btusb: clamp SCO altsetting table indices (CVE-2026-31497)
- netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
(CVE-2026-31428)
- netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
(CVE-2026-31674)
- netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in
process_sdp (CVE-2026-31427)
- netlink: introduce NLA_POLICY_MAX_BE
- netfilter: nft_payload: reject out-of-range attributes via policy
- netlink: hide validation union fields from kdoc
- netlink: introduce bigendian integer types
- netlink: allow be16 and be32 types in all uint policy checks
- netfilter: ctnetlink: use netlink policy range checks (CVE-2026-31495)
- [arm64] net: macb: use the current queue number for stats
(CVE-2026-31494)
- regmap: Synchronize cache for the page selector
- RDMA/rw: Fall back to direct SGE on MR pool exhaustion
- scsi: scsi_transport_sas: Fix the maximum channel scanning issue
(regression in 5.10.241)
- [x86] fault: Fold mm_fault_error() into do_user_addr_fault()
- [x86] fault: Improve kernel-executing-user-memory handling
- [x86] efi: efi_unmap_boot_services: fix calculation of ranges_to_free
size
- [x86] drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
- [x86] ASoC: Intel: catpt: Fix the device initialization
- ACPICA: include/acpi/acpixf.h: Fix indentation
- ACPICA: Allow address_space_handler Install and _REG execution as 2
separate steps
- ACPI: EC: Fix EC address space handler unregistration
- ACPI: EC: Fix ECDT probe ordering issues
- sysctl: fix uninitialized variable in proc_do_large_bitmap
- [arm*] spi: spi-fsl-lpspi: fix teardown order issue (UAF)
(CVE-2026-31485)
- can: gw: fix OOB heap access in cgw_csum_crc8_rel() (CVE-2026-31570)
- cpufreq: conservative: Reset requested_freq on limits change
- media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
(CVE-2026-31473)
- virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and
napi_tx is false (CVE-2026-31469)
- alarmtimer: Fix argument order in alarm_timer_forward()
- scsi: ses: Handle positive SCSI error from ses_recv_diag()
- jbd2: gracefully abort on checkpointing state corruptions
- ext4: convert inline data to extents when truncate exceeds inline size
(CVE-2026-31452)
- ext4: make recently_deleted() properly work with lazy itable
initialization
- ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
- ext4: reject mount if bigalloc with s_first_data_block != 0
(CVE-2026-31447)
- btrfs: fix super block offset in error message in btrfs_validate_super()
- btrfs: fix lost error when running device stats on multiple devices fs
- futex: Clear stale exiting pointer in futex_lock_pi() retry path
(CVE-2026-31555)
- HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
- atm: lec: fix use-after-free in sock_def_readable()
- objtool: Fix Clang jump table detection
- HID: multitouch: Check to ensure report responses match the request
- crypto: af-alg - fix NULL pointer dereference in scatterwalk
- net: qrtr: Add GFP flags parameter to qrtr_alloc_ctrl_packet
- net: qrtr: Release distant nodes along the bridge node
- net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
- net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX
fields to zero to prevent an info-leak
- tg3: Fix race for querying speed/duplex
- ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
- bridge: br_nd_send: linearize skb before parsing ND options
(CVE-2026-31682)
- net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() (CVE-2026-31423)
- ipv6: prevent possible UaF in addrconf_permanent_addr()
- net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to
zero to prevent an info-leak
- NFC: pn533: bound the UART receive buffer
- bpf: Fix regsafe() for pointers to packet (regresion in 5.10.155)
- net: ipv6: flowlabel: defer exclusive option free until RCU teardown
(CVE-2026-31680)
- netfilter: nfnetlink_log: account for netlink header size
(CVE-2026-31416)
- netfilter: x_tables: ensure names are nul-terminated
- netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr
- netfilter: nf_conntrack_helper: pass helper to expect cleanup
- netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
- netfilter: x_tables: restrict xt_check_match/xt_check_target extensions
for NFPROTO_ARP (CVE-2026-31424)
- netfilter: nf_tables: reject immediate NF_QUEUE verdict
- Bluetooth: MGMT: validate LTK enc_size on load
- rds: ib: reject FRMR registration before IB connection is established
(CVE-2026-31425)
- [arm64] net: macb: fix clk handling on PCI glue driver removal
(regression in 5.10.70)
- [arm64] net: macb: properly unregister fixed rate clocks
- net/mlx5: Avoid "No data available" when FW version queries fail
- net/x25: Fix potential double free of skb
- net/x25: Fix overflow when accumulating packets (CVE-2026-31417)
- net/sched: cls_fw: fix NULL pointer dereference on shared blocks
(CVE-2026-31421)
- net/sched: cls_flow: fix NULL pointer dereference on shared blocks
(CVE-2026-31422)
- ipv6: avoid overflows in ip6_datagram_send_ctl() (CVE-2026-31415)
- efi/mokvar-table: Avoid repeated map/unmap of the same page
- [armhf] hwmon: (occ) Fix missing newline in occ_show_extended()
- drm/ioc32: stop speculation on the drm_compat_ioctl path
- wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
- USB: serial: option: add MeiG Smart SRM825WN
- ALSA: caiaq: fix stack out-of-bounds read in init_card
- ALSA: ctxfi: Fix missing SPDIFI1 index handling
- Bluetooth: SMP: derive legacy responder STK authentication from MITM
state
- Bluetooth: SMP: force responder MITM requirements before building the
pairing response
- [armhf] hwmon: (occ) Fix division by zero in occ_show_power_1()
- drm/ast: dp501: Fix initialization of SCU2C
- USB: serial: io_edgeport: add support for Blackbox IC135A
- USB: serial: option: add support for Rolling Wireless RW135R-GL
- USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
- Input: synaptics-rmi4 - fix a locking bug in an error path
- [x86] Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042
quirk table
- [x86] Input: xpad - add support for Razer Wolverine V3 Pro
- iio: dac: ad5770r: fix error return in ad5770r_read_raw()
- iio: light: vcnl4035: fix scan buffer on big-endian
- iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only
- iio: gyro: mpu3050: Fix incorrect free_irq() variable
- iio: gyro: mpu3050: Fix irq resource leak
- iio: gyro: mpu3050: Move iio_device_register() to correct location
- iio: gyro: mpu3050: Fix out-of-sequence free_irq()
- usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive
- usb: ulpi: fix double free in ulpi_register_interface() error path
- usb: usbtmc: Flush anchored URBs in usbtmc_release
- bridge: br_nd_send: validate ND option lengths
- cdc-acm: new quirk for EPSON HMD
- comedi: dt2815: add hardware detection to prevent crash
- comedi: Reinit dev->spinlock between attachments to low-level drivers
- comedi: ni_atmio16d: Fix invalid clean-up after failed attach
- comedi: me_daq: Fix potential overrun of firmware buffer
- comedi: me4000: Fix potential overrun of firmware buffer
- netfilter: ipset: drop logically empty buckets in mtype_del
(CVE-2026-31418)
- vxlan: validate ND option lengths in vxlan_na_create
- [armhf] net: ftgmac100: fix ring allocation unwind on open failure
- thunderbolt: Fix property read in nhi_wake_supported()
- USB: dummy-hcd: Fix locking/synchronization error
- usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows
partial transfer
- nvmet-tcp: fix use-before-check of sg in bounds validation
(CVE-2026-23112)
- usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
- usb: gadget: f_rndis: Protect RNDIS options with mutex
- usb: gadget: f_uac1_legacy: validate control request size
- io_uring/tctx: work around xa_store() allocation error issue
(CVE-2024-56584)
- lib/crypto: chacha: Zeroize permuted_state before it leaves scope
- wifi: rt2x00usb: fix devres lifetime (CVE-2026-31672)
- xfrm_user: fix info leak in build_report() (CVE-2026-31671)
- Input: uinput - fix circular locking dependency with ff-core
(CVE-2026-31667)
- Input: uinput - take event lock when submitting FF request "event"
- mm/hugetlb: fix skipping of unsharing of pmd page tables (regression in
5.10.239)
- mm/hugetlb: make detecting shared pte more reliable
- mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
(regression in 5.10.239)
- mm/hugetlb: fix hugetlb_pmd_shared() (CVE-2026-23100) (regression in
5.10.239)
- mm/hugetlb: fix two comments related to huge_pmd_unshare()
- mm/rmap: fix two comments related to huge_pmd_unshare()
- mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using
mmu_gather (regression in 5.10.239)
- netfilter: nft_ct: fix use-after-free in timeout object destroy
(CVE-2026-31665)
- tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG (CVE-2026-31662)
- wifi: brcmsmac: Fix dma_free_coherent() size (CVE-2026-31661)
- [arm64] dts: hisilicon: poplar: Correct PCIe reset GPIO polarity
- [arm64] dts: hisilicon: hi3798cv200: Add missing dma-ranges
- nfc: pn533: allocate rx skb before consuming bytes (CVE-2026-31660)
- batman-adv: reject oversized global TT response buffers (CVE-2026-31659)
- net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
(CVE-2026-31658)
- mmc: vub300: fix NULL-deref on disconnect (CVE-2026-31651)
- net: stmmac: fix integer underflow in chain mode (CVE-2026-31649)
- rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
- xen/privcmd: unregister xenstore notifier on module exit
- ASoC: soc-core: don't use discriminatory terms on
snd_soc_runtime_get_dai_fmt()
- [arm*] ASoC: tegra: Fix Master Volume Control
- netlink: add nla be16/32 types to minlen array
- cpufreq: governor: Free dbs_data directly when gov->init() fails
- cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error
path
- seg6: separate dst_cache for input and output paths in seg6 lwtunnel
(CVE-2026-31668)
- net: rfkill: prevent unlimited numbers of rfkill events from being
created (CVE-2026-31670)
- usb: gadget: f_hid: move list and spinlock inits from bind to alloc
- usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
- usb: gadget: uvc: fix NULL pointer dereference during unbind race
- [arm64] net: macb: Move devm_{free,request}_irq() out of spin lock area
- mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
(CVE-2026-31466)
- ext4: fix the might_sleep() warnings in kvfree()
- xfs: save ailp before dropping the AIL lock in push callbacks
(CVE-2026-31454)
- xfs: stop reclaim before pushing AIL during unmount (CVE-2026-31455)
- ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
- ext4: publish jinode after initialization (CVE-2026-31450)
- Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
(CVE-2026-23395)
- Revert "nvme: nvme-fc: Ensure ->ioerr_work is cancelled in
nvme_fc_delete_ctrl()"
- nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
(CVE-2025-40261)
- device property: Add fwnode_is_ancestor_of() and
fwnode_get_next_parent_dev()
- media: device property: Return true in fwnode_device_is_available for
NULL ops
- device property: Retrieve fwnode from of_node via accessor
- device property: Unify access to of_node
- device property: Check fwnode->secondary in
fwnode_graph_get_next_endpoint()
- device property: Check fwnode->secondary when finding properties
- device property: Allow error pointer to be passed to fwnode APIs
- device property: Allow secondary lookup in
fwnode_get_next_child_node()
- batman-adv: avoid OGM aggregation when skb tailroom is insufficient
(CVE-2026-31683)
- device property: fix of node refcount leak in
fwnode_graph_get_next_endpoint()
- io_uring/poll: correctly handle io_poll_add() return value on update
- [x86] CPU: Fix FPDSS on Zen1 (CVE-2025-54505, CVE-2026-31628)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.254
- xen/privcmd: fix double free via VMA splitting (CVE-2026-31787)
- Buffer overflow in drivers/xen/sys-hypervisor.c (CVE-2026-31786)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.255
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.256
- [x86] CPU/AMD: Add ZenX generations flags
- [x86] CPU/AMD: Call the spectral chicken in the Zen2 init function
- [x86] CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()
- [x86] CPU/AMD: Add X86_FEATURE_ZEN1
- [x86] CPU/AMD: Prevent improper isolation of shared resources in Zen2's
op cache
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.257
- net: skbuff: preserve shared-frag marker during coalescing
(CVE-2026-46300)
- net: skbuff: propagate shared-frag marker through frag-transfer helpers
(CVE-2026-43503)
.
[ Ben Hutchings ]
* [rt] Update to 5.10.255-rt151:
- ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
* Redo backport of "RDMA/rxe: Fix double free in rxe_srq_from_init"
* [armhf] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter
* [x86] CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
* Revert "io_uring/poll: correctly handle io_poll_add() return value on
update"
* net: usb: lan78xx: Fix double free issue with interrupt buffer allocation
(CVE-2024-53213)
.
[ Salvatore Bonaccorso ]
* smb: client: reject userspace cifs.spnego descriptions
Checksums-Sha1:
36fd8e01e321ec0b9fe719619d7a53f69ac9de23 193221 linux_5.10.257-1.dsc
85c57b03ec932e22cbbdf6cb93eb4bca3c85f59f 122158232 linux_5.10.257.orig.tar.xz
66a85d83f73628058fd0cbcc16ea8c8d73eae3b3 1791756 linux_5.10.257-1.debian.tar.xz
7f54e190bbf5184c4253ee057034d4b437d98339 6215 linux_5.10.257-1_source.buildinfo
Checksums-Sha256:
f69300049a14428c27677532590221b69d18f907903fe760d93881a7d73266a7 193221 linux_5.10.257-1.dsc
8771a2cc25566ac0925a94f21e64ddd13896fcadad70d23cf013c77648636b16 122158232 linux_5.10.257.orig.tar.xz
2383cd192c0922b58a31d695c633d3aee19b8b05e9fb55c88e48e4a97f03087a 1791756 linux_5.10.257-1.debian.tar.xz
e47292275279787d0d9b0705b5cdc6a88b4237a4091ac3491bb044a9d7961087 6215 linux_5.10.257-1_source.buildinfo
Files:
c644b04c06f55c8dab711e8ef65e778d 193221 kernel optional linux_5.10.257-1.dsc
9a915345464aca3162c59a191badae3e 122158232 kernel optional linux_5.10.257.orig.tar.xz
05d4bbc5a73a5f6241fe7a1df8e811bb 1791756 kernel optional linux_5.10.257-1.debian.tar.xz
7fd267be4e3aa0fa29b80b8702dcda93 6215 kernel optional linux_5.10.257-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmoX7/YACgkQ57/I7JWG
EQkIAw//b3DJ5uk5ng0t2Mqw8Z1hVaj9qGjO6iSd03g0zklwrOsyCbfqwC0vuUfR
loDEbBI2foxG8rbSipszMbA/IN/JeEbE29ElcYHARr42xtIZkA47Idn47VZ0iLUD
HumUUk1IAtttHxBcBgZTa/7ehOkoklN7e7eW8gbirxijCLCHAAjc188+mpqEtFft
JBH5RZB6+c2OIIukdXMYscnFtcuB0CE4y4DtepJ7tkw2Hd1WghbpuGv7/26/bXmi
72dXtN1RdmHEQHcVYgybSYMrN26IJWYrUXLUyr3wIhmMoHbjf+GIOPqYUynmbnFV
regsai9kp6JB5Ux0BIydsNyDHRuG+epYiJr2nXW9N1Q+efdTUP3xv8zbzzw0PKZY
rnY3ofRUcD0lN9lI6oBsi0rP2k0ljSTyppalUpJ5juaE5HtOH6/jzsQm/ovGLxHX
QCPGUk2422egNETuCi2DWYRzLYIMjp5/QgC7Jw0u2Bn6Z2sR6r1mGO8jsHhZlmQd
svJCRNrucevVeoPLnaXD9EnkYHKB4onWeM6S9RoHecv15wS7wEa0VGOySjSlTjRs
pDIiYC56vKE1r2976gCh1BTdyO7RoAscPSyKBU2KP6c/NLF9XlYedq5bJ6gwS4YV
Y9bhC2aTCi1AItETGgXFTwe2ERcRNGihOonmwbb5pK5trip3UNw=
=N9Q1
-----END PGP SIGNATURE-----
