-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 02 Jul 2026 16:19:48 +0200 Source: linux Architecture: source Version: 5.10.259-1 Distribution: bullseye-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Ben Hutchings <benh@debian.org> Closes: 1119093 1130365 Changes: linux (5.10.259-1) bullseye-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.258 - [x86] ALSA: asihpi: avoid write overflow check warning - can: mcp251x: add error handling for power enable in open and resume - btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() (CVE-2026-43117) - [x86] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx - [x86] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry (CVE-2026-43114) - [arm*] wifi: wl1251: validate packet IDs before indexing tx_frames (CVE-2026-43113) - ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list - HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 - HID: roccat: fix use-after-free in roccat_report_event (CVE-2026-43111) - ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 - wifi: brcmfmac: validate bsscfg indices in IF events (CVE-2026-43110) - [armhf] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J - [arm64] dts: imx8mq: Set the correct gpu_ahb clock frequency - [amd64] PCI: hv: Set default NUMA node to 0 for devices without affinity info - [arm*] drm/vc4: Fix memory leak of BO array in hang state (CVE-2026-43105) - [arm*] drm/vc4: Fix a memory leak in hang state error path (CVE-2026-43104) - [arm*] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock - net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684) - net: lapbether: Close the LAPB device before its underlying Ethernet device closes - net: lapbether: handle NETDEV_PRE_TYPE_CHANGE (CVE-2026-43103) - tracing/probe: reject non-closed empty immediate strings - e1000: check return value of e1000_read_eeprom - xsk: tighten UMEM headroom validation to account for tailroom and min frame (CVE-2026-43093) - xfrm_user: fix info leak in build_mapping() (CVE-2026-43089) - netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator (CVE-2026-43085) - netfilter: xt_multiport: validate range encoding in checkentry (CVE-2026-31681) - netfilter: ip6t_eui64: reject invalid MAC header for all packets (CVE-2026-31685) - af_unix: read UNIX_DIAG_VFS data under unix_state_lock (CVE-2026-31673) - l2tp: Drop large packets with UDP encap (CVE-2026-43080) - netfilter: conntrack: add missing netlink policy validations (CVE-2026-31407) - [x86] drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat (CVE-2026-31656) - netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR - batman-adv: hold claim backbone gateways by reference (CVE-2026-31657) - nfc: llcp: add missing return after LLCP_CLOSED checks (CVE-2026-31629) - can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532) - [armhf] i2c: s3c24xx: check the size of the SMBUS message before using it (CVE-2026-31627) - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() (CVE-2026-31626) - HID: alps: fix NULL pointer dereference in alps_raw_event() (CVE-2026-31625) - HID: core: clamp report_size in s32ton() to avoid undefined shift (CVE-2026-31624) - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() (CVE-2026-31623) - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler (CVE-2026-31622) - ALSA: fireworks: bound device-supplied status before string array lookup (CVE-2026-31619) - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO (CVE-2026-31618) - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() (CVE-2026-31617) - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() (CVE-2026-31616) - [arm*] usb: gadget: renesas_usb3: validate endpoint index in standard request handlers (CVE-2026-31615) - usbip: validate number_of_packets in usbip_pack_ret_submit() (CVE-2026-31607) - usb: storage: Expand range of matched versions for VL817 quirks entry - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO (CVE-2026-31605) - staging: sm750fb: fix division by zero in ps_to_hz() (CVE-2026-31603) - USB: serial: option: add Telit Cinterion FN990A MBIM composition - ALSA: ctxfi: Limit PTP to a single page (CVE-2026-31602) - media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections (CVE-2026-31599) - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY (CVE-2026-31597) - ocfs2: handle invalid dinode in ocfs2_group_extend (CVE-2026-31596) - [x86] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION (CVE-2026-31590) - rxrpc: Fix call removal to use RCU safe deletion (CVE-2026-31642) - rxrpc: proc: size address buffers for %pISpc output (CVE-2026-31630) - Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave" (regression in 5.10.252) - media: uvcvideo: Allow extra entities - [x86] KVM: x86: Use scratch field in MMIO fragment to hold small write values (CVE-2026-31588) - mm/kasan: fix double free for kasan pXds (CVE-2026-31686) - media: vidtv: fix nfeeds state corruption on start_streaming failure (CVE-2026-31585) - media: em28xx: fix use-after-free in em28xx_v4l2_open() (CVE-2026-31583) - ALSA: 6fire: fix use-after-free on disconnect (CVE-2026-31581) - bcache: fix cached_dev.sb_bio use-after-free and crash (CVE-2026-31580) - media: as102: fix to not free memory after the device is registered in as102_usb_probe() (CVE-2026-31578) - nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map (CVE-2026-31577) - media: vidtv: fix pass-by-value structs causing MSAN warnings (CVE-2026-43058) - media: hackrf: fix to not free memory after the device is registered in hackrf_probe() (CVE-2026-31576) - net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null (CVE-2022-50073) - scsi: qla2xxx: Fix warning message due to adisc being flushed (CVE-2022-49158) - scsi: qla2xxx: Fix crash when I/O abort times out (CVE-2022-50493) - net/sched: act_ct: fix ref leak when switching zones (CVE-2022-49183) - bpf, sockmap: Fix an infinite loop error when len is 0 in tcp_bpf_recvmsg_parser() (CVE-2023-53133) - ipv6: add NULL checks for idev in SRv6 paths (CVE-2026-23442) - drm/amd/display: Add null checker before passing variables (CVE-2024-43902) - wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure (CVE-2026-23444) - drm/amd/display: Fix memory leak (CVE-2022-49135) - [x86] thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR (CVE-2022-48703) - blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats() (CVE-2023-53421) - scsi: ufs: core: Improve SCSI abort handling (CVE-2021-47188) - IB/mad: Don't call to function that might sleep while in atomic context (CVE-2022-50472) - mailbox: Prevent out-of-bounds access in of_mbox_index_xlate() (CVE-2026-43281) - rxrpc: fix reference count leak in rxrpc_server_keyring() (CVE-2026-31634) - xfrm: clear trailing padding in build_polexpire() (CVE-2026-31664) - ocfs2: add inline inode consistency check to ocfs2_validate_inode_block() - ocfs2: validate inline data i_size during inode read (CVE-2026-43076) - ocfs2: fix out-of-bounds write in ocfs2_write_end_inline (CVE-2026-43075) - rxrpc: reject undecryptable rxkad response tickets (CVE-2026-31637) - blk-mq: use quiesced elevator switch when reinitializing queues (CVE-2022-50552) - drivers: base: Free devm resources when unregistering a device (CVE-2023-53596) - [x86] uprobes: Fix XOL allocation failure for 32-bit tasks - fs/ocfs2: fix comments mentioning i_mutex - ocfs2: fix possible deadlock between unlink and dio_end_io_write (CVE-2026-31598) - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() (CVE-2026-31586) - [arm64] dts: imx8mq-librem5-r3: workaround i2c1 issue with 1GHz cpu voltage - [arm64] dts: imx8mq-librem5: Don't mark buck3 as always on - [arm64] dts: imx8mq-librem5: set regulators boot-on - [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V - [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V - gfs2: Validate i_depth for exhash directories (CVE-2025-38710) - i3c: fix uninitialized variable use in i2c setup - rxrpc: Fix recvmsg() unconditional requeue (CVE-2026-23066) - cifs: Fix connections leak when tlink setup failed (CVE-2022-49822) - rxrpc: only handle RESPONSE during service challenge (CVE-2026-31676) - rxrpc: Fix anonymous key handling - fuse: reject oversized dirents in page cache (CVE-2026-31694) - fuse: quiet down complaints in fuse_conn_limit_write - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu - ALSA: caiaq: take a reference on the USB device in create_card() (CVE-2026-31701) - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed (CVE-2026-31699) - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed (CVE-2026-31698) - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed (CVE-2026-31697) - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing (CVE-2026-31696) - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES (CVE-2026-46018) - ALSA: usb-audio: Avoid false E-MU sample-rate notifications - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() - [x86] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() (CVE-2026-46022) - [x86] ibmasm: fix OOB reads in command_file_write due to missing size checks (CVE-2026-45994) - [x86] ibmasm: fix heap over-read in ibmasm_send_i2o_message() (CVE-2026-46064) - ocfs2: split transactions in dio completion to avoid credit exhaustion (CVE-2026-46080) - padata: Fix pd UAF once and for all (CVE-2025-38584) - driver core: Don't let a device probe until it's ready - crypto: pcrypt - Fix handling of MAY_BACKLOG requests (CVE-2026-43493) - ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() (CVE-2026-46088) - net: caif: clear client service pointer on teardown (CVE-2026-46098) - net: strparser: fix skb_head leak in strp_abort_strp() (CVE-2026-46102) - Revert "ALSA: usb: Increase volume range that triggers a warning" (regression in 5.10.249) - lib/ts_kmp: fix integer overflow in pattern length calculation - net: qrtr: ns: Fix use-after-free in driver remove() (CVE-2026-46047) - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() (CVE-2026-46002) - ALSA: ctxfi: Add fallback to default RSR for S/PDIF (CVE-2026-46049) - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes - ALSA: caiaq: Fix control_put() result and cache rollback - ALSA: caiaq: Handle probe errors properly (CVE-2026-46004) - ALSA: 6fire: Fix input volume change detection - iio: adc: ad7768-1: fix one-shot mode data acquisition - net: rds: fix MR cleanup on copy error (CVE-2026-46053) - net/smc: avoid early lgr access in smc_clc_wait_msg (CVE-2026-46027) - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv (CVE-2026-46043) - mmc: block: use single block write in retry - tpm: tpm_tis: add error logging for data transfer - userfaultfd: allow registration of ranges below mmap_min_addr - [x86] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2 (CVE-2026-45987) - [x86] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode - [x86] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID) - io_uring/poll: fix EPOLL_URING_WAKE sometimes not being honored - io_uring/poll: fix backport of io_poll_add() changes - mtd: docg3: fix use-after-free in docg3_release() (CVE-2026-46285) - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() (CVE-2026-46046) - md/raid5: fix soft lockup in retry_aligned_read() (CVE-2026-46051) - md/raid5: validate payload size before accessing journal metadata (CVE-2026-46070) - inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails (CVE-2026-46040) - taskstats: set version in TGID exit notifications - [armhf] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup (CVE-2026-46019) - [armhf] crypto: atmel-ecc - Release client on allocation failure - [arm*] crypto: ccree - fix a memory leak in cc_mac_digest() (CVE-2026-45986) - [armhf] crypto: atmel-tdes - fix DMA sync direction (CVE-2026-46077) - dm mirror: fix integer overflow in create_dirty_log() (CVE-2026-46023) - IB/core: Fix zero dmac race in neighbor resolution - crypto: authencesn - reject short ahash digests during instance creation (CVE-2026-46033) - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path - ALSA: caiaq: Don't abort when no input device is available - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (CVE-2026-43501) - drm/amdgpu: fix zero-size GDS range init on RDNA4 (CVE-2026-46276) - ALSA: caiaq: fix usb_dev refcount leak on probe failure - netfilter: reject zero shift in nft_bitwise (CVE-2026-46101) - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() (CVE-2026-46149) - ipmi: Add limits to event and receive message requests (CVE-2026-46177) - ipmi: Check event message buffer response for bad data (CVE-2026-46128) - ipmi:si: Return state to normal if message allocation fails (CVE-2026-46108) - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free (CVE-2026-43497) - [x86] ACPI: video: force native backlight on HP OMEN 16 (8A44) - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked (CVE-2026-43496) - ipmi:ssif: Fix a shutdown race - ipmi:ssif: Clean up kthread on errors (CVE-2026-46044) - ipmi:ssif: Remove unnecessary indention - ipmi:ssif: NULL thread on error - wifi: b43legacy: enforce bounds check on firmware key index in RX path (CVE-2026-46163) - wifi: rsi: fix kthread lifetime race between self-exit and external-stop (CVE-2026-46187) - wifi: ath5k: do not access array OOB (Closes: #1119093) (CVE-2026-46307) - wifi: b43: enforce bounds check on firmware key index in b43_rx() (CVE-2026-46122) - usb: usblp: fix heap leak in IEEE 1284 device ID via short response (CVE-2026-46151) - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl (CVE-2026-46167) - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() (CVE-2026-46146) - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths (CVE-2026-46109) - ALSA: firewire-tascam: Do not drop unread control events - xfrm: provide message size for XFRM_MSG_MAPPING - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() (CVE-2026-46172) - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() (CVE-2026-45835) - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() (CVE-2026-45834) - fanotify: fix false positive on permission events (CVE-2026-46150) - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo (CVE-2026-46132) - sound: ua101: fix division by zero at probe (CVE-2026-46184) - ip6_gre: Use cached t->net in ip6erspan_changelink(). (CVE-2026-46120) - net/rds: handle zerocopy send cleanup before the message is queued (CVE-2026-43502) - hv_sock: fix ARM64 support - udf: reject descriptors with oversized CRC length - [i386] spi: topcliff-pch: fix use-after-free on unbind (CVE-2026-46301) - dm: don't report warning when doing deferred remove - dm: fix a buffer overflow in ioctl processing (CVE-2026-46294) - dm-verity-fec: correctly reject too-small FEC devices - dm-verity-fec: correctly reject too-small hash devices - isofs: validate Rock Ridge CE continuation extent against volume size (CVE-2026-46303) - isofs: validate block number from NFS file handle in isofs_export_iget (CVE-2026-46124) - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies (CVE-2026-46161) - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free (CVE-2026-46304) - PCI/AER: Clear only error bits in PCIe Device Status - PCI/AER: Stop ruling out unbound devices as error source - [x86] power: supply: max17042: avoid overflow when determining health - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() (CVE-2026-46178) - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() (CVE-2026-46127) - RDMA/rxe: Reject unknown opcodes before ICRC processing (CVE-2026-46133) - [x86] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path (CVE-2026-46189) - media: uvcvideo: Enable VB2_DMABUF for metadata stream - [x86] staging: media: atomisp: Disallow all private IOCTLs (CVE-2026-46205) - regulator: max77650: fix OF node reference imbalance - media: rc: xbox_remote: heed DMA restrictions (CVE-2026-46236) - media: rc: streamzap: Error handling in probe - regulator: act8945a: fix OF node reference imbalance - media: dib8000: avoid division by 0 in dib8000_set_dds() - [armhf] spi: imx: fix runtime pm leak on probe deferral - [armhf] spi: orion: fix clock imbalance on registration failure - drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() - drm/radeon: add missing revision check for CI - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission (CVE-2026-46220) - drm/amdgpu/pm: add missing revision check for CI - drm/amdgpu/pm: align Hawaii mclk workaround with radeon - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (CVE-2026-46227) - batman-adv: fix integer overflow on buff_pos (CVE-2026-46198) - batman-adv: reject new tp_meter sessions during teardown (CVE-2026-46206) - batman-adv: stop caching unowned originator pointers in BAT IV (CVE-2026-46238) - batman-adv: bla: prevent use-after-free when deleting claims (CVE-2026-46212) - batman-adv: bla: only purge non-released claims (CVE-2026-46233) - batman-adv: bla: put backbone reference on failed claim hash insert (CVE-2026-46231) - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() (CVE-2026-45836) - vsock: fix buffer size clamping order (CVE-2026-46234) - vsock/virtio: fix accept queue count leak on transport mismatch (CVE-2026-46214) - bcache: fix uninitialized closure object - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START (CVE-2026-53130) - drbd: Balance RCU calls in drbd_adm_dump_devices() (CVE-2026-53128) - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() (CVE-2026-53320) - pstore/ram: fix resource leak when ioremap() fails - devres: fix missing node debug info in devm_krealloc() - firmware: dmi: Correct an indexing error in dmi.h - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet (CVE-2026-53112) - bpf: fix end-of-list detection in cgroup_storage_get_next_key() (CVE-2026-45838) - brcmfmac: support chipsets with different core enumeration space - wifi: brcmfmac: Fix error pointer dereference (CVE-2026-53093) - [arm64] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb (CVE-2026-53088) - netfilter: nft_fwd_netdev: check ttl/hl before forwarding - 6pack: propagage new tty types - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf (CVE-2026-53082) - net/sched: act_ct: Only release RCU read lock after ct_ft (CVE-2026-46319) - net/rds: Optimize rds_ib_laddr_check - net/rds: Restrict use of RDS/IB to the initial network namespace (CVE-2026-53077) - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls (CVE-2026-53075) - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb (CVE-2026-53074) - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error (CVE-2026-53073) - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER (CVE-2026-53072) - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp (CVE-2026-53071) - [arm*] drm/komeda: fix integer overflow in AFBC framebuffer size check (CVE-2026-53068) - [armhf] ASoC: sti: use managed regmap_field allocations (CVE-2026-53065) - dm cache: fix null-deref with concurrent writes in passthrough mode (CVE-2026-53064) - dm cache: fix write path cache coherency in passthrough mode - dm cache policy smq: fix missing locks in invalidating cache blocks (CVE-2026-53062) - dm cache: fix concurrent write failure in passthrough mode - dm cache: support shrinking the origin device - dm cache: fix dirty mapping checking in passthrough mode switching (CVE-2026-53061) - dm cache metadata: fix memory leak on metadata abort retry (CVE-2026-53060) - dm log: fix out-of-bounds write due to region_count overflow (CVE-2026-53059) - [arm*] drm/sun4i: Fix resource leaks - [arm*] drm/panel: simple: Correct G190EAN01 prepare timing - ALSA: compress: Drop unused functions - ALSA: core: Validate compress device numbers without dynamic minors - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels - drm/amd/pm/ci: Fill DW8 fields from SMC - [arm64] drm/msm/a6xx: Fix HLSQ register dumping - [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers - [armhf] pmdomain: ti: omap_prm: Fix a reference leak on device node - PCI: Enable AtomicOps only if Root Port supports them - quota: Fix race of dquot_scan_active() with quota deactivation (CVE-2026-53050) - efi/capsule-loader: fix incorrect sizeof in phys array reallocation (CVE-2026-53047) - [armhf] dts: mediatek: mt7623: fix efuse fallback compatible - [armhf] memory: tegra124-emc: Fix dll_change check (CVE-2026-53045) - [arm64] dts: qcom: sdm845-xiaomi-beryllium: Add DSI and panel bits - [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot - ocfs2/dlm: validate qr_numregions in dlm_match_regions() (CVE-2026-53043) - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison (CVE-2026-53309) - ocfs2: fix listxattr handling when the buffer is full (CVE-2026-53041) - ocfs2: validate bg_bits during freefrag scan (CVE-2026-53040) - ocfs2: validate group add input before caching (CVE-2026-53039) - [armhf] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() - tracing: Rebuild full_name on each hist_field_name() call - ima: check return value of crypto_shash_final() in boot aggregate - HID: asus: do not abort probe when not necessary - [armhf] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob - HID: usbhid: fix deadlock in hid_post_reset() (CVE-2026-53037) - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check - perf branch: Avoid incrementing NULL - perf expr: Return -EINVAL for syntax error in expr__find_ids() - driver core: Move dev_err_probe() to where it belogs - dev_printk: add new dev_err_probe() helpers - [x86] platform/surface: surfacepro3_button: Drop wakeup source on remove - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() - nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() - [x86] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() - RDMA/core: Prefer NLA_NUL_STRING - scsi: sg: Resolve soft lockup issue when opening /dev/sgX (CVE-2026-53304) - scsi: target: core: Fix integer overflow in UNMAP bounds check (CVE-2026-53021) - [armhf] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() - [armhf] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() - [arm64] clk: imx8mq: Correct the CSI PHY sels - [arm64] clk: qoriq: avoid format string warning - [arm64] clk: xgene: Fix mapping leak in xgene_pllclk_init() - crypto: ccp - copy IV using skcipher ivsize (CVE-2026-53016) - [x86] PCMCIA: Fix garbled log messages for KERN_CONT - net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys - nexthop: Emit a notification when a nexthop group is modified - nexthop: fix IPv6 route referencing IPv4 nexthop (CVE-2026-53012) - taprio: Handle short intervals and large packets - net: taprio offload: enforce qdisc to netdev queue mapping - net/sched: taprio: stop going through private ops for dequeue and peek - net/sched: taprio: replace safety precautions with comments - net/sched: taprio: continue with other TXQs if one dequeue() failed - net/sched: taprio: refactor one skb dequeue from TXQ to separate function - net/sched: taprio: rename close_time to end_time - net/sched: taprio: fix use-after-free in advance_sched() on schedule switch (CVE-2026-53011) - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) - i40e: don't advertise IFF_SUPP_NOFCS - e1000e: Unroll PTP in probe error handling - ipv6: fix possible UAF in icmpv6_rcv() (CVE-2026-53006) - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks (CVE-2026-53004) - dissector: do not set invalid PPP protocol - flow_dissector: Add number of vlan tags dissector - flow_dissector: Add PPPoE dissectors - pppoe: drop PFC frames (CVE-2026-53003) - openvswitch: cap upcall PID array size and pre-size vport replies (CVE-2026-45840) - netfilter: nft_osf: restrict it to ipv4 - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO (CVE-2026-45841) - netfilter: conntrack: remove sprintf usage (CVE-2026-53002) - netfilter: xtables: restrict several matches to inet family (CVE-2026-53001) - ipvs: fix MTU check for GSO packets in tunnel mode - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching (CVE-2026-52999) - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check (CVE-2026-52998) - slip: reject VJ receive packets on instances with no rstate array (CVE-2026-45842) - slip: bound decode() reads against the compressed packet length (CVE-2026-45843) - [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number - net/rds: zero per-item info buffer before handing it to visitors (CVE-2026-52995) - net_sched: sch_hhf: annotate data-races in hhf_dump_stats() - net/sched: sch_pie: annotate data-races in pie_dump_stats() - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() - net: sched: gred/red: remove unused variables in struct red_stats - net/sched: sch_red: annotate data-races in red_dump_stats() - net/sched: sch_sfb: annotate data-races in sfb_dump_stats() - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls - tipc: fix double-free in tipc_buf_append() (CVE-2026-52993) - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() - fs/adfs: validate nzones in adfs_validate_bblk() (CVE-2026-52992) - rtc: introduce features bitfield - fbdev: offb: fix PCI device reference leak on probe failure - mailbox: mailbox-test: free channels on probe error (CVE-2026-53296) - cgroup/rdma: fix integer overflow in rdmacg_try_charge() - mailbox: add sanity check for channel array (CVE-2026-53295) - mailbox: mailbox-test: don't free the reused channel (CVE-2026-53294) - mailbox: mailbox-test: initialize struct earlier - mailbox: mailbox-test: make data_ready a per-instance variable - btrfs: merge PAGE_CLEAR_DIRTY and PAGE_SET_WRITEBACK to PAGE_START_WRITEBACK - btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() - tracing: branch: Fix inverted check on stat tracer registration - netfilter: arp_tables: fix IEEE1394 ARP payload parsing (CVE-2026-45844) - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) - netfilter: xt_policy: fix strict mode inbound policy matching (CVE-2026-52920) - netfilter: nf_conntrack_sip: don't use simple_strtoul (CVE-2026-52986) - scsi: sr: Add memory allocation failure handling for get_capabilities() - cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() - netdevsim: zero initialize struct iphdr in dummy sk_buff (CVE-2026-52985) - net: sched: sch_netem: Refactor code in 4-state loss generator - net/sched: netem: fix probability gaps in 4-state loss model - net/sched: netem: fix queue limit check to include reordered packets (CVE-2026-52984) - net/sched: netem: validate slot configuration - net: sched: choke: remove unused variables in struct choke_sched_data - net/sched: sch_choke: annotate data-races in choke_dump_stats() - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() - vrf: Fix a potential NPD when removing a port from a VRF (CVE-2026-52925) - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() (CVE-2026-52982) - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit - netfilter: skip recording stale or retransmitted INIT - sctp: discard stale INIT after handshake completion - ipv4: rename and move ip_route_output_tunnel() - ipv4: remove "proto" argument from udp_tunnel_dst_lookup() - ipv4: add new arguments to udp_tunnel_dst_lookup() - ipv6: rename and move ip6_dst_lookup_tunnel() - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() (CVE-2026-45846) - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) - drm/amd/display: Allow DCE link encoder without AUX registers - drm/amd/display: Read EDID from VBIOS embedded panel info - btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() - net/sched: taprio: Fix init procedure - flow_dissector: do not dissect PPPoE PFC frames - flow_dissector: Do not count vlan tags inside tunnel payload - net/sched: sch_pie: annotate more data-races in pie_dump_stats() - rtc: allow rtc_read_alarm without read_alarm callback - alarmtimer: Check RTC features instead of ops - crypto: af_alg - Cap AEAD AD length to 0x80000000 (CVE-2026-52972) - audit: fix incorrect inheritable capability in CAPSET records (CVE-2026-53287) - netfilter: nft_ct: fix missing expect put in obj eval (CVE-2026-52970) - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV - [x86] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats - ALSA: usb-audio: Bound MIDI endpoint descriptor scans (CVE-2026-52963 - ceph: fix a buffer leak in __ceph_setxattr() (CVE-2026-52962) - libceph: Fix potential out-of-bounds access in osdmap_decode() (CVE-2026-52958) - libceph: Fix potential null-ptr-deref in decode_choose_args() (CVE-2026-52957) - libceph: Fix potential out-of-bounds access in crush_decode() (CVE-2026-52955) - libceph: handle rbtree insertion error in decode_choose_args() (CVE-2026-52954) - [x86] iommu/vt-d: Disable DMAR for Intel Q35 IGFX - [arm*] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() - [x86] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup - io-wq: check that the predecessor is hashed in io_wq_remove_pending() - net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494) - [x86] Revert "x86/vdso: Fix output operand size of RDPID" - net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() (CVE-2025-22107) - sysfs: don't remove existing directory on update failure - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX - ALSA: ua101: Reject too-short USB descriptors - ALSA: asihpi: Fix potential OOB array access at reading cache - Bluetooth: bnep: Fix UAF read of dev->name - Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths (CVE-2026-46275) - phonet/pep: disable BH around forwarded sk_receive_skb() - [arm64] net: bcmgenet: keep RBUF EEE/PM disabled - netfilter: ip6t_hbh: reject oversized option lists (CVE-2026-52915) - netfilter: ipset: stop hash:* range iteration at end (CVE-2026-52921) - ring-buffer: Fix reporting of missed events in iterator - [x86] vsock/vmci: fix UAF when peer resets connection during handshake - wifi: ath11k: clear shared SRNG pointer state on restart - ipv4: raw: reject IP_HDRINCL packets with ihl < 5 - ixgbevf: fix use-after-free in VEPA multicast source pruning - wifi: cfg80211: advance loop vars in cfg80211_merge_profile() - tracing: Do not call map->ops->elt_free() if elt_alloc() fails - [x86] scsi: isci: Fix use-after-free in device removal path - [armhf] spi: ti-qspi: fix use-after-free after DMA setup failure - RDMA/siw: Reject MPA FPDU length underflow before signed receive math - drm/amd/display: Fix integer overflow in bios_get_image() - batman-adv: mcast: fix use-after-free in orig_node RCU release - batman-adv: clear current gateway during teardown (CVE-2026-52926) - batman-adv: dat: handle forward allocation error (CVE-2026-52922) - batman-adv: fix fragment reassembly length accounting (CVE-2026-52914) - batman-adv: fix tp_meter counter underflow during shutdown (CVE-2026-52919) - batman-adv: frag: disallow unicast fragment in fragment (CVE-2026-52916) - batman-adv: bla: fix report_work leak on backbone_gw purge - batman-adv: tp_meter: avoid use of uninit sender vars (CVE-2026-52931) - batman-adv: tt: fix negative last_changeset_len - batman-adv: tt: fix negative tt_buff_len - ice: fix locking in ice_dcb_rebuild() - [arm*] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access - net: ethernet: cortina: Make RX SKB per-port - net: ethernet: cortina: Drop half-assembled SKB - net: ethernet: cortina: Carry over frag counter - HID: quirks: really enable the intended work around for appledisplay - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring - net: tls: prevent chain-after-chain in plain text SG - [x86] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL - tracing: Avoid NULL return from hist_field_name() on truncation - string: add mem_is_zero() helper to check if memory area is all zeros - gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.259 - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size - ALSA: usb-audio: fix null pointer dereference on pointer cs_desc (CVE-2021-47211) - net/sched: cls_fw: fix NULL dereference of "old" filters before change() (CVE-2026-53080) - net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked - nfc: llcp: protect nfc_llcp_sock_unlink() calls - nfc: llcp: Fix use-after-free in llcp_sock_release() - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() - xfrm: Check for underflow in xfrm_state_mtu - netfilter: synproxy: refresh tcphdr after skb_ensure_writable - netfilter: xt_cpu: prefer raw_smp_processor_id - netfilter: ebtables: fix OOB read in compat_mtw_from_user (CVE-2026-52927) - tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321) - net: netlink: fix sending unassigned nsid after assigned one - net: netlink: don't set nsid on local notifications - net/smc: Do not re-initialize smc hashtables - ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() - [x86] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors - tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp - sctp: fix race between sctp_wait_for_connect and peeloff - batman-adv: v: stop OGMv2 on disabled interface (CVE-2026-52913) - batman-adv: tvlv: abort OGM send on tvlv append failure - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface - batman-adv: tvlv: reject oversized TVLV packets (CVE-2026-52934) - batman-adv: iv: recover OGM scheduling after forward packet error - batman-adv: tp_meter: fix race condition in send error reporting - batman-adv: tp_meter: avoid role confusion in tp_list - batman-adv: tt: fix TOCTOU race for reported vlans - batman-adv: tt: avoid empty VLAN responses - batman-adv: bla: avoid double decrement of bla.num_requests - smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path (CVE-2025-39929) - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer - usb: typec: ucsi: ccg: reject firmware images without a ':' record header - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO - usb: typec: altmodes/displayport: validate count before reading Status Update VDO - [x86] usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer() - USB: serial: safe_serial: fix memory corruption with small endpoint - Bluetooth: btusb: Allow firmware re-download when version matches - hpfs: fix a crash if hpfs_map_dnode_bitmap fails - ipc: limit next_id allocation to the valid ID range (CVE-2026-52923) - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn - parport: Fix race between port and client registration (Closes: #1130365) - iio: dac: ad5686: fix input raw value check - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw - iio: gyro: itg3200: fix i2c read into the wrong stack location - iio: ssp_sensors: cancel delayed work_refresh on remove - iio: temperature: tsys01: fix broken PROM checksum validation - iio: light: cm3323: fix reg_conf not being initialized correctly - iio: buffer: hw-consumer: fix use-after-free in error path - USB: serial: omninet: fix memory corruption with small endpoint - usb: dwc2: Fix use after free in debug code - Input: elan_i2c - validate firmware size before use - wireguard: send: append trailer after expanding head - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data - macsec: fix replay protection at XPN lower-PN wrap - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() - [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate(). - ipv6: validate extension header length before copying to cmsg - ip6: vti: Use ip6_tnl.net in vti6_changelink(). - HID: wacom: Fix OOB write in wacom_hid_set_device_mode() - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings - nfc: hci: fix out-of-bounds read in HCP header parsing - xfrm: route MIGRATE notifications to caller's netns - xfrm: ah: use skb_to_full_sk in async output callbacks - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check - [arm64] ASoC: qcom: q6asm-dai: close stream only when running - [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks - xfrm: esp: restore combined single-frag length gate - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem - [x86] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 - [x86] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() - [x86] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() - [i386] tty: serial: pch_uart: add check for dma_alloc_coherent() - [arm*] usb: chipidea: core: convert ci_role_switch to local variable - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers - usb: storage: Add quirks for PNY Elite Portable SSD - usbip: vudc: Fix use after free bug in vudc_remove due to race condition - usb: usbtmc: check URB actual_length for interrupt-IN notifications - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize - USB: serial: option: add MeiG SRM813Q - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL - USB: serial: belkin_sa: validate interrupt status length - USB: serial: cypress_m8: validate interrupt packet headers - USB: serial: keyspan: fix missing indat transfer sanity check - USB: serial: mxuport: fix memory corruption with small endpoint - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check - usb: gadget: net2280: Fix double free in probe error path - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma - Bluetooth: hci_core: Fix use-after-free in vhci_flush() (CVE-2025-38250) - USB: serial: cypress_m8: fix memory corruption with small endpoint - USB: serial: digi_acceleport: fix memory corruption with small endpoints - [arm*] xhci: tegra: Fix ghost USB device on dual-role port unplug - page_pool: Fix use-after-free in page_pool_recycle_in_ring (CVE-2025-38129) - team: Move team device type change at the end of team_port_add (CVE-2025-68340) - usb: core: Fix SuperSpeed root hub wMaxPacketSize - bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910) - HID: core: Add printk_ratelimited variants to hid_warn() etc - HID: pass the buffer size to hid_report_raw_event - HID: core: Fix size_t specifier in hid_report_raw_event() - USB: serial: mct_u232: fix memory corruption with small endpoint - i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl (CVE-2026-52948) - tee: optee: prevent use-after-free when the client exits before the supplicant (CVE-2026-53273) - netfilter: xt_NFQUEUE: prefer raw_smp_processor_id - ipvs: clear the svc scheduler ptr early on edit (CVE-2026-53270) - netfilter: synproxy: add mutex to guard hook reference counting (CVE-2026-53269) - netfilter: conntrack_irc: fix possible out-of-bounds read (CVE-2026-53268) - netfilter: bridge: make ebt_snat ARP rewrite writable (CVE-2026-53266) - dm cache policy smq: check allocation under invalidate lock (CVE-2026-53265) - net/sched: act_api: use RCU with deferred freeing for action lifecycle (CVE-2026-53264) - 6lowpan: fix off-by-one in multicast context address compression (CVE-2026-53263) - pcnet32: stop holding device spin lock during napi_complete_done - net: garp: fix unsigned integer underflow in garp_pdu_parse_attr - net: lan743x: permit VLAN-tagged packets up to configured MTU - Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() (CVE-2026-53256) - Bluetooth: MGMT: validate advertising TLV before type checks (CVE-2026-53255) - ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options (CVE-2026-53249) - ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() - net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr (CVE-2026-53245) - sctp: purge outqueue on stale COOKIE-ECHO handling (CVE-2026-52924) - signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() - time: Fix off-by-one in settimeofday() usec validation - ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams (CVE-2026-53242) - ext4: validate p_idx bounds in ext4_ext_correct_indexes (CVE-2026-31449) - bonding: limit BOND_MODE_8023AD to Ethernet devices (CVE-2026-23099) - usbnet: Fix using smp_processor_id() in preemptible code warnings (CVE-2025-40164) - nfsd: don't ignore the return code of svc_proc_register() (CVE-2025-22026) - wifi: mac80211: check tdls flag in ieee80211_tdls_oper (CVE-2026-43052) - [arm*] spi: meson-spicc: Fix double-put in remove path (CVE-2026-31489) - io_uring: prevent opcode speculation (CVE-2025-21863) - tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320) - tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322) - [arm64] KVM: arm64: Remove VPIPT I-cache handling - [arm64] tlb: Allow XZR argument to TLBI ops - [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI - xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() (CVE-2026-53239) - netlabel: validate unlabeled address and mask attribute lengths (CVE-2026-53238) - net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove (CVE-2026-52947) - ipv6: sit: reload inner IPv6 header after GSO offloads (CVE-2026-53228) - net: openvswitch: fix possible kfree_skb of ERR_PTR (CVE-2026-53227) - sctp: fix uninit-value in __sctp_rcv_asconf_lookup() (CVE-2026-53225) - net: guard timestamp cmsgs to real error queue skbs (CVE-2026-53223) - net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion (CVE-2026-52939) - ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() (CVE-2026-53221) - rds: mark snapshot pages dirty in rds_info_getsockopt() - netfilter: x_tables: avoid leaking percpu counter pointers (CVE-2026-53219) - netfilter: nft_exthdr: fix register tracking for F_PRESENT flag (CVE-2026-53218) - [arm*] net: mvpp2: sync RX data at the hardware packet offset (CVE-2026-53217) - netfilter: nft_tunnel: fix use-after-free on object destroy (CVE-2026-53212) - Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig (CVE-2026-53208) - [x86] drm/i915/gem: Fix phys BO pread/pwrite with offset - xfrm: espintcp: do not reuse an in-progress partial send (CVE-2026-52935) - USB: serial: io_ti: fix heap overflow in get_manuf_info() (CVE-2026-53196) - USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() (CVE-2026-53195) - USB: serial: option: add usb-id for Dell Wireless DW5826e-m - USB: serial: kl5kusb105: fix bulk-out buffer overflow (CVE-2026-53194) - ALSA: timer: Fix UAF at snd_timer_user_params() - drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() - RDMA/srp: bound SRP_RSP sense copy by the received length (CVE-2026-53186) - [armhf] socfpga: Fix OF node refcount leak in SMP setup - vsock/vmci: fix sk_ack_backlog leak on failed handshake (CVE-2026-53181) - IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN (CVE-2026-53176) - pidfd: refuse access to tasks that have started exiting harder - fuse: reject fuse_notify() pagecache ops on directories (CVE-2026-53168) - [arm*] i2c: tegra: Fix NOIRQ suspend/resume - [x86] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) - [x86] Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard - ipc/shm: serialize orphan cleanup with shm_nattch updates (CVE-2026-52930) - [arm*] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context (CVE-2026-53161) - net: bonding: fix NULL pointer dereference in bond_do_ioctl() - [armhf] net: mv643xx: fix OF node refcount - net: rds: clear i_sends on setup unwind - mmc: core: Fix host controller programming for fixed driver type - mmc: sdhci: add signal voltage switch in sdhci_resume_host - sctp: diag: reject stale associations in dump_one path (CVE-2026-52917) - sctp: stream: fully roll back denied add-stream state (CVE-2026-52929) - thunderbolt: Reject zero-length property entries in validator (CVE-2026-53150) - thunderbolt: Bound root directory content to block size (CVE-2026-53149) - thunderbolt: Clamp XDomain response data copy to allocation size (CVE-2026-53148) - thunderbolt: Limit XDomain response copy to actual frame size (CVE-2026-53146) - drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size (CVE-2026-53137) - drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs (CVE-2026-53135) - fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling (CVE-2026-52946) - io_uring/poll: fix signed comparison in io_poll_get_ownership() - ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850) - batman-adv: stop tp_meter sessions during mesh teardown (CVE-2026-46208) - batman-adv: tp_meter: fix tp_num leak on kmalloc failure - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() (CVE-2026-31715) - smb: client: require a full NFS mode SID before reading mode bits (CVE-2026-43350) - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path (CVE-2026-31708) - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() (CVE-2026-31700) - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check (CVE-2026-46006) - [arm64] mm: Enable batched TLB flush in unmap_hotplug_range() - thermal: core: Fix thermal zone governor cleanup issues (CVE-2026-46021) - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() (CVE-2026-46069) - media: rc: ttusbir: respect DMA coherency rules - erofs: fix the out-of-bounds nameoff handling for trailing dirents (CVE-2026-46078) - media: rc: igorplugusb: heed coherency rules - sched: Use u64 for bandwidth ratio calculations - ALSA: core: Fix potential data race at fasync handling - net: qrtr: ns: Limit the maximum number of lookups (CVE-2026-46026) - net: qrtr: ns: Change servers radix tree to xarray - net: qrtr: ns: Free the node during ctrl_cmd_bye() (CVE-2026-46038) - net: qrtr: ns: Limit the total number of nodes (CVE-2026-46003) - net: bridge: use a stable FDB dst snapshot in RCU readers (CVE-2026-46086) - mtd: spi-nor: sst: Fix write enable before AAI sequence - udf: fix partition descriptor append bookkeeping (CVE-2026-45991) - hfsplus: fix uninit-value by validating catalog record size (CVE-2026-46169) - hfsplus: fix held lock freed on hfsplus_fill_super() (CVE-2026-46299) - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers (CVE-2026-46056) - can: ucan: fix devres lifetime (CVE-2026-46103) - ceph: only d_add() negative dentries when they are unhashed (CVE-2026-46052) - ALSA: aloop: Fix peer runtime UAF during format-change stop (CVE-2026-46090) - printk: add print_hex_dump_devel() - [arm*] crypto: caam - guard HMAC key hex dumps in hash_digest_key (CVE-2026-46291) - ACPI: scan: Use acpi_dev_put() in object add error paths - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() (CVE-2026-46196) - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task (CVE-2026-46180) - [arm*] usb: dwc3: Move GUID programming after PHY initialization - [armhf] spi: sun4i: fix controller deregistration - [armhf] spi: ti-qspi: fix controller deregistration - [armhf] spi: sun6i: fix controller deregistration - [arm*] spi: tegra20-sflash: fix controller deregistration - [arm*] spi: tegra114: fix controller deregistration - mm/hugetlb_cma: round up per_node before logging it - fbcon: Avoid OOB font access if console rotation fails (CVE-2026-46191) - [i386] spi: topcliff-pch: fix controller deregistration - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak (CVE-2026-46159) - tracing/probes: Limit size of event probe to 3K - pmdomain: core: Fix detach procedure for virtual devices in genpd (CVE-2026-46292) - dm btree: improve btree residency - dm-thin: fix metadata refcount underflow (CVE-2026-46107) - btrfs: fix missing last_unlink_trans update when removing a directory (CVE-2026-46160) - smb: client: Use FullSessionKey for AES-256 encryption key derivation - mptcp: pm: ADD_ADDR rtx: fix potential data-race (CVE-2026-46137) - f2fs: fix incorrect file address mapping when inline inode is unwritten - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() - Bluetooth: hci_qca: Convert timeout from jiffies to ms - qed: Use the bitmap API to simplify some functions - qed: fix double free in qed_cxt_tables_alloc() - net: Remove redundant if statements - netfilter: nf_queue: hold bridge skb->dev while queued (CVE-2026-52912) - Bluetooth: Consolidate code around sk_alloc into a helper function - Bluetooth: Init sk_peer_* on bt_sock_alloc - Bluetooth: serialize accept_q access (CVE-2026-52918) - net: hsr: defer node table free until after RCU readers - ice: fix VF queue configuration with low MTU values - use less confusing names for iov_iter direction initializers - [arm64] octeontx2-af: Add validation for lmac type (CVE-2023-54129) - [arm64] spi: qup: switch to use modern name - [arm64] spi: qup: fix error pointer deref after DMA setup failure - [arm64] tlb: Flush walk cache when unsharing PMD tables - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf - usb: typec: ucsi: Check if power role change actually happened before handling - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() - scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() - usb: typec: ucsi: Don't update power_supply on power role change if not connected - netfilter: nft_fib: fix stale stack leak via the OIFNAME register (CVE-2026-53134) - [x86] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf (CVE-2026-53199) - mm/huge_memory: update file PMD counter before folio_put() (CVE-2026-53189) - RDMA/umem: fix kernel-doc warnings - RDMA: Move DMA block iterator logic into dedicated files - RDMA/umem: Fix truncation for block sizes >= 4G (CVE-2026-53133) - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() - [x86] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 - iio: chemical: scd30: fix division by zero in write_raw - iio: gyro: adis16260: fix division by zero in write_raw - iio: dac: ad5686: fix ref bit initialization for single-channel parts - xfrm: input: hold netns during deferred transport reinjection - net: skbuff: fix missing zerocopy reference in pskb_carve helpers (CVE-2026-52943) - [armhf] serial: samsung_tty: Use port lock wrappers - [armhf] tty: serial: samsung: use u32 for register interactions - [armhf] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers - usb: gadget: f_hid: tidy error handling in hidg_alloc - usb: gadget: f_hid: fix device reference leak in hidg_alloc() - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() (CVE-2026-43492) - [arm64] Mitigate TLBI errata on various CPU cores (CVE-2025-10263): + Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata + cputype: Add NVIDIA Olympus definitions + cputype: Add C1-Ultra definitions + cputype: Add C1-Premium definitions + errata: Mitigate TLBI errata on various Arm CPUs + errata: Mitigate TLBI errata on NVIDIA Olympus CPU + errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU - media: rc: ttusbir: fix inverted error logic - media: rc: igorplugusb: fix control request setup packet (CVE-2026-46091) . [ Ben Hutchings ] * [rt] Update to 5.10.259-rt155 * Drop "Revert "io_uring/poll: correctly handle io_poll_add() return value on update"" * Revert "Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()" * Revert "media: rc: streamzap: Error handling in probe" * usb: type: ucsi: Fix misplaced call to ucsi_port_psy_changed() (regression in 5.10.241) . [ Salvatore Bonaccorso ] * ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909) Checksums-Sha1: 9069093dc907ce2d22d0d22600719b7e6cd59752 193221 linux_5.10.259-1.dsc 52c14a63ab9933f5c852fb4747073241a2a0f533 122193944 linux_5.10.259.orig.tar.xz 4214f03ddfdc20e0de9d7021d63f18cb9e15f770 1802400 linux_5.10.259-1.debian.tar.xz 6c8465eb957a65dab30328386565ba596997c9c5 6321 linux_5.10.259-1_source.buildinfo Checksums-Sha256: 564040abcb53b72de34044b9a4433092a1f7f721420276d6f3e62457fbddcc53 193221 linux_5.10.259-1.dsc eb46eb4553f655eba232db67415fbfb82de34a348768eddefebe77a88f9bb574 122193944 linux_5.10.259.orig.tar.xz af96af51ac3d7a31d95dffd14d0a5b6160fb5cf8e7103a8b1992f5958b77891a 1802400 linux_5.10.259-1.debian.tar.xz 79b33b9aee796f2c876e97edac3a6cf885c14255c2cc1bd0c601b70f630f2ccf 6321 linux_5.10.259-1_source.buildinfo Files: 3a8309ff457856f821ea4dfea6b82566 193221 kernel optional linux_5.10.259-1.dsc fee82df996afc4d1554a6ebbb7e710df 122193944 kernel optional linux_5.10.259.orig.tar.xz 12666d7fe40f02900565f567430063a1 1802400 kernel optional linux_5.10.259-1.debian.tar.xz b09ee89f07ea015fce6854114fbe4ee2 6321 kernel optional linux_5.10.259-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmpG1moACgkQ57/I7JWG EQlnvA/+NahlrnVg9AdQKc6AJ1aUkLrdl4+EEH9dC2Xe2PKq/sTDGJhYhv+auSfG e3ISOYsSARzlPfUxYlK2mSHxrt4u02yO+6m7HluU2yqmZ69E0GcjZQq1vC8O8hrR 0eAKHX6IkvIk7T2KQQ/2pApx66fX1fk+02BBlQsaQv9r0xfrZ9l5Ol4k47gC1jpH IF7hPGTcFpOpb6qDRwHvyZd9QtI9F4BlfsTkLZNfiso9hhYZvqCK4H5h6brrQ/Jl InuV9G3x6ZUKC02UDHM5P/IH99gUqtZQBhTBjTy4fHt1TwZwMorsggACLAb8MhWU qsnp3rEzQZDARhsRB3njSeU3MMeXBOAgikvAivKomcpbrdIIHvOaXGul2s08IhZH 7v/XXAceZ+Nhp62WQBMsXQcQQeNS9Olni1n4wi0O1b/0jiVyjgUeBxHFCcwDfNHQ e0349V1uuh8yV12lDRWrF08lQpXM14Ig07rzWWajMkaHBu7hcGf0AUSasHHY39bq LJta8vGMu2A+2lVePofSDL0l09J2nTpowFmzTdqvLs7c2IEdg/5yhGasIzvQdlQN AAWOeuQbk+1FNDqdA0elHW5xXBxakf7ImyuPdqfn0gB/qN2dBIUp+5zPYI0Sgon5 gVgqz2as/8kTQFHoIhMC+yPFDnu3HLVR1G9ypAAGsAXI6vpJdtw= =85hx -----END PGP SIGNATURE-----