-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jul 2026 16:19:48 +0200
Source: linux-signed-amd64
Architecture: source
Version: 5.10.259+1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Changes:
linux-signed-amd64 (5.10.259+1) bullseye-security; urgency=high
.
* Sign kernel from linux 5.10.259-1
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.258
- [x86] ALSA: asihpi: avoid write overflow check warning
- can: mcp251x: add error handling for power enable in open and resume
- btrfs: tracepoints: get correct superblock from dentry in event
btrfs_sync_file() (CVE-2026-43117)
- [x86] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
- [x86] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
expiry (CVE-2026-43114)
- [arm*] wifi: wl1251: validate packet IDs before indexing tx_frames
(CVE-2026-43113)
- ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
- HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
- HID: roccat: fix use-after-free in roccat_report_event (CVE-2026-43111)
- ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
- wifi: brcmfmac: validate bsscfg indices in IF events (CVE-2026-43110)
- [armhf] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
- [arm64] dts: imx8mq: Set the correct gpu_ahb clock frequency
- [amd64] PCI: hv: Set default NUMA node to 0 for devices without affinity
info
- [arm*] drm/vc4: Fix memory leak of BO array in hang state
(CVE-2026-43105)
- [arm*] drm/vc4: Fix a memory leak in hang state error path
(CVE-2026-43104)
- [arm*] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
- net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684)
- net: lapbether: Close the LAPB device before its underlying Ethernet
device closes
- net: lapbether: handle NETDEV_PRE_TYPE_CHANGE (CVE-2026-43103)
- tracing/probe: reject non-closed empty immediate strings
- e1000: check return value of e1000_read_eeprom
- xsk: tighten UMEM headroom validation to account for tailroom and min
frame (CVE-2026-43093)
- xfrm_user: fix info leak in build_mapping() (CVE-2026-43089)
- netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
(CVE-2026-43085)
- netfilter: xt_multiport: validate range encoding in checkentry
(CVE-2026-31681)
- netfilter: ip6t_eui64: reject invalid MAC header for all packets
(CVE-2026-31685)
- af_unix: read UNIX_DIAG_VFS data under unix_state_lock (CVE-2026-31673)
- l2tp: Drop large packets with UDP encap (CVE-2026-43080)
- netfilter: conntrack: add missing netlink policy validations
(CVE-2026-31407)
- [x86] drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
(CVE-2026-31656)
- netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR
- batman-adv: hold claim backbone gateways by reference (CVE-2026-31657)
- nfc: llcp: add missing return after LLCP_CLOSED checks (CVE-2026-31629)
- can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532)
- [armhf] i2c: s3c24xx: check the size of the SMBUS message before using it
(CVE-2026-31627)
- staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
(CVE-2026-31626)
- HID: alps: fix NULL pointer dereference in alps_raw_event()
(CVE-2026-31625)
- HID: core: clamp report_size in s32ton() to avoid undefined shift
(CVE-2026-31624)
- net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
(CVE-2026-31623)
- NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
(CVE-2026-31622)
- ALSA: fireworks: bound device-supplied status before string array lookup
(CVE-2026-31619)
- fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
(CVE-2026-31618)
- usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
(CVE-2026-31617)
- usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
(CVE-2026-31616)
- [arm*] usb: gadget: renesas_usb3: validate endpoint index in standard
request handlers (CVE-2026-31615)
- usbip: validate number_of_packets in usbip_pack_ret_submit()
(CVE-2026-31607)
- usb: storage: Expand range of matched versions for VL817 quirks entry
- fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
(CVE-2026-31605)
- staging: sm750fb: fix division by zero in ps_to_hz() (CVE-2026-31603)
- USB: serial: option: add Telit Cinterion FN990A MBIM composition
- ALSA: ctxfi: Limit PTP to a single page (CVE-2026-31602)
- media: vidtv: fix NULL pointer dereference in
vidtv_channel_pmt_match_sections (CVE-2026-31599)
- ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
(CVE-2026-31597)
- ocfs2: handle invalid dinode in ocfs2_group_extend (CVE-2026-31596)
- [x86] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
(CVE-2026-31590)
- rxrpc: Fix call removal to use RCU safe deletion (CVE-2026-31642)
- rxrpc: proc: size address buffers for %pISpc output (CVE-2026-31630)
- Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"
(regression in 5.10.252)
- media: uvcvideo: Allow extra entities
- [x86] KVM: x86: Use scratch field in MMIO fragment to hold small write
values (CVE-2026-31588)
- mm/kasan: fix double free for kasan pXds (CVE-2026-31686)
- media: vidtv: fix nfeeds state corruption on start_streaming failure
(CVE-2026-31585)
- media: em28xx: fix use-after-free in em28xx_v4l2_open() (CVE-2026-31583)
- ALSA: 6fire: fix use-after-free on disconnect (CVE-2026-31581)
- bcache: fix cached_dev.sb_bio use-after-free and crash (CVE-2026-31580)
- media: as102: fix to not free memory after the device is registered in
as102_usb_probe() (CVE-2026-31578)
- nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
(CVE-2026-31577)
- media: vidtv: fix pass-by-value structs causing MSAN warnings
(CVE-2026-43058)
- media: hackrf: fix to not free memory after the device is registered in
hackrf_probe() (CVE-2026-31576)
- net: tap: NULL pointer derefence in dev_parse_header_protocol when
skb->dev is null (CVE-2022-50073)
- scsi: qla2xxx: Fix warning message due to adisc being flushed
(CVE-2022-49158)
- scsi: qla2xxx: Fix crash when I/O abort times out (CVE-2022-50493)
- net/sched: act_ct: fix ref leak when switching zones (CVE-2022-49183)
- bpf, sockmap: Fix an infinite loop error when len is 0 in
tcp_bpf_recvmsg_parser() (CVE-2023-53133)
- ipv6: add NULL checks for idev in SRv6 paths (CVE-2026-23442)
- drm/amd/display: Add null checker before passing variables
(CVE-2024-43902)
- wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
(CVE-2026-23444)
- drm/amd/display: Fix memory leak (CVE-2022-49135)
- [x86] thermal/int340x_thermal: handle data_vault when the value is
ZERO_SIZE_PTR (CVE-2022-48703)
- blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()
(CVE-2023-53421)
- scsi: ufs: core: Improve SCSI abort handling (CVE-2021-47188)
- IB/mad: Don't call to function that might sleep while in atomic context
(CVE-2022-50472)
- mailbox: Prevent out-of-bounds access in of_mbox_index_xlate()
(CVE-2026-43281)
- rxrpc: fix reference count leak in rxrpc_server_keyring()
(CVE-2026-31634)
- xfrm: clear trailing padding in build_polexpire() (CVE-2026-31664)
- ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
- ocfs2: validate inline data i_size during inode read (CVE-2026-43076)
- ocfs2: fix out-of-bounds write in ocfs2_write_end_inline (CVE-2026-43075)
- rxrpc: reject undecryptable rxkad response tickets (CVE-2026-31637)
- blk-mq: use quiesced elevator switch when reinitializing queues
(CVE-2022-50552)
- drivers: base: Free devm resources when unregistering a device
(CVE-2023-53596)
- [x86] uprobes: Fix XOL allocation failure for 32-bit tasks
- fs/ocfs2: fix comments mentioning i_mutex
- ocfs2: fix possible deadlock between unlink and dio_end_io_write
(CVE-2026-31598)
- mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
(CVE-2026-31586)
- [arm64] dts: imx8mq-librem5-r3: workaround i2c1 issue with 1GHz cpu
voltage
- [arm64] dts: imx8mq-librem5: Don't mark buck3 as always on
- [arm64] dts: imx8mq-librem5: set regulators boot-on
- [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V
- [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
- gfs2: Validate i_depth for exhash directories (CVE-2025-38710)
- i3c: fix uninitialized variable use in i2c setup
- rxrpc: Fix recvmsg() unconditional requeue (CVE-2026-23066)
- cifs: Fix connections leak when tlink setup failed (CVE-2022-49822)
- rxrpc: only handle RESPONSE during service challenge (CVE-2026-31676)
- rxrpc: Fix anonymous key handling
- fuse: reject oversized dirents in page cache (CVE-2026-31694)
- fuse: quiet down complaints in fuse_conn_limit_write
- ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
- ALSA: caiaq: take a reference on the USB device in create_card()
(CVE-2026-31701)
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
(CVE-2026-31699)
- crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command
failed (CVE-2026-31698)
- crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
(CVE-2026-31697)
- rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
(CVE-2026-31696)
- ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES (CVE-2026-46018)
- ALSA: usb-audio: Avoid false E-MU sample-rate notifications
- ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
- usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
- [x86] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
(CVE-2026-46022)
- [x86] ibmasm: fix OOB reads in command_file_write due to missing size
checks (CVE-2026-45994)
- [x86] ibmasm: fix heap over-read in ibmasm_send_i2o_message()
(CVE-2026-46064)
- ocfs2: split transactions in dio completion to avoid credit exhaustion
(CVE-2026-46080)
- padata: Fix pd UAF once and for all (CVE-2025-38584)
- driver core: Don't let a device probe until it's ready
- crypto: pcrypt - Fix handling of MAY_BACKLOG requests (CVE-2026-43493)
- ALSA: control: Validate buf_len before strnlen() in
snd_ctl_elem_init_enum_names() (CVE-2026-46088)
- net: caif: clear client service pointer on teardown (CVE-2026-46098)
- net: strparser: fix skb_head leak in strp_abort_strp() (CVE-2026-46102)
- Revert "ALSA: usb: Increase volume range that triggers a warning"
(regression in 5.10.249)
- lib/ts_kmp: fix integer overflow in pattern length calculation
- net: qrtr: ns: Fix use-after-free in driver remove() (CVE-2026-46047)
- ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
(CVE-2026-46002)
- ALSA: ctxfi: Add fallback to default RSR for S/PDIF (CVE-2026-46049)
- ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
- ALSA: caiaq: Fix control_put() result and cache rollback
- ALSA: caiaq: Handle probe errors properly (CVE-2026-46004)
- ALSA: 6fire: Fix input volume change detection
- iio: adc: ad7768-1: fix one-shot mode data acquisition
- net: rds: fix MR cleanup on copy error (CVE-2026-46053)
- net/smc: avoid early lgr access in smc_clc_wait_msg (CVE-2026-46027)
- RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
(CVE-2026-46043)
- mmc: block: use single block write in retry
- tpm: tpm_tis: add error logging for data transfer
- userfaultfd: allow registration of ranges below mmap_min_addr
- [x86] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
(CVE-2026-45987)
- [x86] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest
mode
- [x86] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
- io_uring/poll: fix EPOLL_URING_WAKE sometimes not being honored
- io_uring/poll: fix backport of io_poll_add() changes
- mtd: docg3: fix use-after-free in docg3_release() (CVE-2026-46285)
- ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
(CVE-2026-46046)
- md/raid5: fix soft lockup in retry_aligned_read() (CVE-2026-46051)
- md/raid5: validate payload size before accessing journal metadata
(CVE-2026-46070)
- inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
(CVE-2026-46040)
- taskstats: set version in TGID exit notifications
- [armhf] crypto: atmel-aes - Fix 3-page memory leak in
atmel_aes_buff_cleanup (CVE-2026-46019)
- [armhf] crypto: atmel-ecc - Release client on allocation failure
- [arm*] crypto: ccree - fix a memory leak in cc_mac_digest()
(CVE-2026-45986)
- [armhf] crypto: atmel-tdes - fix DMA sync direction (CVE-2026-46077)
- dm mirror: fix integer overflow in create_dirty_log() (CVE-2026-46023)
- IB/core: Fix zero dmac race in neighbor resolution
- crypto: authencesn - reject short ahash digests during instance creation
(CVE-2026-46033)
- ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
- ALSA: caiaq: Don't abort when no input device is available
- ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
(CVE-2026-43501)
- drm/amdgpu: fix zero-size GDS range init on RDNA4 (CVE-2026-46276)
- ALSA: caiaq: fix usb_dev refcount leak on probe failure
- netfilter: reject zero shift in nft_bitwise (CVE-2026-46101)
- scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
(CVE-2026-46149)
- ipmi: Add limits to event and receive message requests (CVE-2026-46177)
- ipmi: Check event message buffer response for bad data (CVE-2026-46128)
- ipmi:si: Return state to normal if message allocation fails
(CVE-2026-46108)
- fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
(CVE-2026-43497)
- [x86] ACPI: video: force native backlight on HP OMEN 16 (8A44)
- net/sched: sch_red: Replace direct dequeue call with peek and
qdisc_dequeue_peeked (CVE-2026-43496)
- ipmi:ssif: Fix a shutdown race
- ipmi:ssif: Clean up kthread on errors (CVE-2026-46044)
- ipmi:ssif: Remove unnecessary indention
- ipmi:ssif: NULL thread on error
- wifi: b43legacy: enforce bounds check on firmware key index in RX path
(CVE-2026-46163)
- wifi: rsi: fix kthread lifetime race between self-exit and external-stop
(CVE-2026-46187)
- wifi: ath5k: do not access array OOB (Closes: #1119093) (CVE-2026-46307)
- wifi: b43: enforce bounds check on firmware key index in b43_rx()
(CVE-2026-46122)
- usb: usblp: fix heap leak in IEEE 1284 device ID via short response
(CVE-2026-46151)
- usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
(CVE-2026-46167)
- ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
(CVE-2026-46146)
- ALSA: usb-audio: Fix UAC3 cluster descriptor size check
- USB: serial: option: add Telit Cinterion LE910Cx compositions
- usb: ulpi: fix memory leak on ulpi_register() error paths
(CVE-2026-46109)
- ALSA: firewire-tascam: Do not drop unread control events
- xfrm: provide message size for XFRM_MSG_MAPPING
- ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() (CVE-2026-46172)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
(CVE-2026-45835)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
(CVE-2026-45834)
- fanotify: fix false positive on permission events (CVE-2026-46150)
- net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
rtnl_fill_vfinfo (CVE-2026-46132)
- sound: ua101: fix division by zero at probe (CVE-2026-46184)
- ip6_gre: Use cached t->net in ip6erspan_changelink(). (CVE-2026-46120)
- net/rds: handle zerocopy send cleanup before the message is queued
(CVE-2026-43502)
- hv_sock: fix ARM64 support
- udf: reject descriptors with oversized CRC length
- [i386] spi: topcliff-pch: fix use-after-free on unbind (CVE-2026-46301)
- dm: don't report warning when doing deferred remove
- dm: fix a buffer overflow in ioctl processing (CVE-2026-46294)
- dm-verity-fec: correctly reject too-small FEC devices
- dm-verity-fec: correctly reject too-small hash devices
- isofs: validate Rock Ridge CE continuation extent against volume size
(CVE-2026-46303)
- isofs: validate block number from NFS file handle in isofs_export_iget
(CVE-2026-46124)
- md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
(CVE-2026-46161)
- nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free (CVE-2026-46304)
- PCI/AER: Clear only error bits in PCIe Device Status
- PCI/AER: Stop ruling out unbound devices as error source
- [x86] power: supply: max17042: avoid overflow when determining health
- RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
(CVE-2026-46178)
- RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
(CVE-2026-46127)
- RDMA/rxe: Reject unknown opcodes before ICRC processing (CVE-2026-46133)
- [x86] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error
path (CVE-2026-46189)
- media: uvcvideo: Enable VB2_DMABUF for metadata stream
- [x86] staging: media: atomisp: Disallow all private IOCTLs
(CVE-2026-46205)
- regulator: max77650: fix OF node reference imbalance
- media: rc: xbox_remote: heed DMA restrictions (CVE-2026-46236)
- media: rc: streamzap: Error handling in probe
- regulator: act8945a: fix OF node reference imbalance
- media: dib8000: avoid division by 0 in dib8000_set_dds()
- [armhf] spi: imx: fix runtime pm leak on probe deferral
- [armhf] spi: orion: fix clock imbalance on registration failure
- drm/gem: Fix inconsistent plane dimension calculation in
drm_gem_fb_init_with_funcs()
- drm/radeon: add missing revision check for CI
- drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
- drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
(CVE-2026-46220)
- drm/amdgpu/pm: add missing revision check for CI
- drm/amdgpu/pm: align Hawaii mclk workaround with radeon
- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
(CVE-2026-46227)
- batman-adv: fix integer overflow on buff_pos (CVE-2026-46198)
- batman-adv: reject new tp_meter sessions during teardown (CVE-2026-46206)
- batman-adv: stop caching unowned originator pointers in BAT IV
(CVE-2026-46238)
- batman-adv: bla: prevent use-after-free when deleting claims
(CVE-2026-46212)
- batman-adv: bla: only purge non-released claims (CVE-2026-46233)
- batman-adv: bla: put backbone reference on failed claim hash insert
(CVE-2026-46231)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
(CVE-2026-45836)
- vsock: fix buffer size clamping order (CVE-2026-46234)
- vsock/virtio: fix accept queue count leak on transport mismatch
(CVE-2026-46214)
- bcache: fix uninitialized closure object
- fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
(CVE-2026-53130)
- drbd: Balance RCU calls in drbd_adm_dump_devices() (CVE-2026-53128)
- nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
(CVE-2026-53320)
- pstore/ram: fix resource leak when ioremap() fails
- devres: fix missing node debug info in devm_krealloc()
- firmware: dmi: Correct an indexing error in dmi.h
- wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
- wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished
irq_prepare_bcn_tasklet (CVE-2026-53112)
- bpf: fix end-of-list detection in cgroup_storage_get_next_key()
(CVE-2026-45838)
- brcmfmac: support chipsets with different core enumeration space
- wifi: brcmfmac: Fix error pointer dereference (CVE-2026-53093)
- [arm64] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
(CVE-2026-53088)
- netfilter: nft_fwd_netdev: check ttl/hl before forwarding
- 6pack: propagage new tty types
- net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
(CVE-2026-53082)
- net/sched: act_ct: Only release RCU read lock after ct_ft
(CVE-2026-46319)
- net/rds: Optimize rds_ib_laddr_check
- net/rds: Restrict use of RDS/IB to the initial network namespace
(CVE-2026-53077)
- ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
(CVE-2026-53075)
- bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
(CVE-2026-53074)
- Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU
- Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error (CVE-2026-53073)
- Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
(CVE-2026-53072)
- Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
(CVE-2026-53071)
- [arm*] drm/komeda: fix integer overflow in AFBC framebuffer size check
(CVE-2026-53068)
- [armhf] ASoC: sti: use managed regmap_field allocations (CVE-2026-53065)
- dm cache: fix null-deref with concurrent writes in passthrough mode
(CVE-2026-53064)
- dm cache: fix write path cache coherency in passthrough mode
- dm cache policy smq: fix missing locks in invalidating cache blocks
(CVE-2026-53062)
- dm cache: fix concurrent write failure in passthrough mode
- dm cache: support shrinking the origin device
- dm cache: fix dirty mapping checking in passthrough mode switching
(CVE-2026-53061)
- dm cache metadata: fix memory leak on metadata abort retry
(CVE-2026-53060)
- dm log: fix out-of-bounds write due to region_count overflow
(CVE-2026-53059)
- [arm*] drm/sun4i: Fix resource leaks
- [arm*] drm/panel: simple: Correct G190EAN01 prepare timing
- ALSA: compress: Drop unused functions
- ALSA: core: Validate compress device numbers without dynamic minors
- drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
- drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
- drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
- drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
- drm/amd/pm/ci: Fill DW8 fields from SMC
- [arm64] drm/msm/a6xx: Fix HLSQ register dumping
- [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers
- [armhf] pmdomain: ti: omap_prm: Fix a reference leak on device node
- PCI: Enable AtomicOps only if Root Port supports them
- quota: Fix race of dquot_scan_active() with quota deactivation
(CVE-2026-53050)
- efi/capsule-loader: fix incorrect sizeof in phys array reallocation
(CVE-2026-53047)
- [armhf] dts: mediatek: mt7623: fix efuse fallback compatible
- [armhf] memory: tegra124-emc: Fix dll_change check (CVE-2026-53045)
- [arm64] dts: qcom: sdm845-xiaomi-beryllium: Add DSI and panel bits
- [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered
during boot
- ocfs2/dlm: validate qr_numregions in dlm_match_regions() (CVE-2026-53043)
- ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
(CVE-2026-53309)
- ocfs2: fix listxattr handling when the buffer is full (CVE-2026-53041)
- ocfs2: validate bg_bits during freefrag scan (CVE-2026-53040)
- ocfs2: validate group add input before caching (CVE-2026-53039)
- [armhf] dmaengine: mxs-dma: Fix missing return value from
of_dma_controller_register()
- tracing: Rebuild full_name on each hist_field_name() call
- ima: check return value of crypto_shash_final() in boot aggregate
- HID: asus: do not abort probe when not necessary
- [armhf] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
- HID: usbhid: fix deadlock in hid_post_reset() (CVE-2026-53037)
- bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
- perf branch: Avoid incrementing NULL
- perf expr: Return -EINVAL for syntax error in expr__find_ids()
- driver core: Move dev_err_probe() to where it belogs
- dev_printk: add new dev_err_probe() helpers
- [x86] platform/surface: surfacepro3_button: Drop wakeup source on remove
- mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
- nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
- [x86] platform/x86: dell_rbu: avoid uninit value usage in
packet_size_write()
- RDMA/core: Prefer NLA_NUL_STRING
- scsi: sg: Resolve soft lockup issue when opening /dev/sgX
(CVE-2026-53304)
- scsi: target: core: Fix integer overflow in UNMAP bounds check
(CVE-2026-53021)
- [armhf] clk: imx: imx6q: Fix device node reference leak in
pll6_bypassed()
- [armhf] clk: imx: imx6q: Fix device node reference leak in
of_assigned_ldb_sels()
- [arm64] clk: imx8mq: Correct the CSI PHY sels
- [arm64] clk: qoriq: avoid format string warning
- [arm64] clk: xgene: Fix mapping leak in xgene_pllclk_init()
- crypto: ccp - copy IV using skcipher ivsize (CVE-2026-53016)
- [x86] PCMCIA: Fix garbled log messages for KERN_CONT
- net/sched: sch_cake: fix NAT destination port not being updated in
cake_update_flowkeys
- nexthop: Emit a notification when a nexthop group is modified
- nexthop: fix IPv6 route referencing IPv4 nexthop (CVE-2026-53012)
- taprio: Handle short intervals and large packets
- net: taprio offload: enforce qdisc to netdev queue mapping
- net/sched: taprio: stop going through private ops for dequeue and peek
- net/sched: taprio: replace safety precautions with comments
- net/sched: taprio: continue with other TXQs if one dequeue() failed
- net/sched: taprio: refactor one skb dequeue from TXQ to separate function
- net/sched: taprio: rename close_time to end_time
- net/sched: taprio: fix use-after-free in advance_sched() on schedule
switch (CVE-2026-53011)
- tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
- i40e: don't advertise IFF_SUPP_NOFCS
- e1000e: Unroll PTP in probe error handling
- ipv6: fix possible UAF in icmpv6_rcv() (CVE-2026-53006)
- sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
(CVE-2026-53004)
- dissector: do not set invalid PPP protocol
- flow_dissector: Add number of vlan tags dissector
- flow_dissector: Add PPPoE dissectors
- pppoe: drop PFC frames (CVE-2026-53003)
- openvswitch: cap upcall PID array size and pre-size vport replies
(CVE-2026-45840)
- netfilter: nft_osf: restrict it to ipv4
- netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
(CVE-2026-45841)
- netfilter: conntrack: remove sprintf usage (CVE-2026-53002)
- netfilter: xtables: restrict several matches to inet family
(CVE-2026-53001)
- ipvs: fix MTU check for GSO packets in tunnel mode
- netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
(CVE-2026-52999)
- netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
(CVE-2026-52998)
- slip: reject VJ receive packets on instances with no rstate array
(CVE-2026-45842)
- slip: bound decode() reads against the compressed packet length
(CVE-2026-45843)
- [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number
- net/rds: zero per-item info buffer before handing it to visitors
(CVE-2026-52995)
- net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
- net/sched: sch_pie: annotate data-races in pie_dump_stats()
- net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
- net: sched: gred/red: remove unused variables in struct red_stats
- net/sched: sch_red: annotate data-races in red_dump_stats()
- net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
- nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
- tipc: fix double-free in tipc_buf_append() (CVE-2026-52993)
- vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
- fs/adfs: validate nzones in adfs_validate_bblk() (CVE-2026-52992)
- rtc: introduce features bitfield
- fbdev: offb: fix PCI device reference leak on probe failure
- mailbox: mailbox-test: free channels on probe error (CVE-2026-53296)
- cgroup/rdma: fix integer overflow in rdmacg_try_charge()
- mailbox: add sanity check for channel array (CVE-2026-53295)
- mailbox: mailbox-test: don't free the reused channel (CVE-2026-53294)
- mailbox: mailbox-test: initialize struct earlier
- mailbox: mailbox-test: make data_ready a per-instance variable
- btrfs: merge PAGE_CLEAR_DIRTY and PAGE_SET_WRITEBACK to
PAGE_START_WRITEBACK
- btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
- tracing: branch: Fix inverted check on stat tracer registration
- netfilter: arp_tables: fix IEEE1394 ARP payload parsing (CVE-2026-45844)
- drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
- netfilter: xt_policy: fix strict mode inbound policy matching
(CVE-2026-52920)
- netfilter: nf_conntrack_sip: don't use simple_strtoul (CVE-2026-52986)
- scsi: sr: Add memory allocation failure handling for get_capabilities()
- cdrom, scsi: sr: propagate read-only status to block layer via
set_disk_ro()
- netdevsim: zero initialize struct iphdr in dummy sk_buff (CVE-2026-52985)
- net: sched: sch_netem: Refactor code in 4-state loss generator
- net/sched: netem: fix probability gaps in 4-state loss model
- net/sched: netem: fix queue limit check to include reordered packets
(CVE-2026-52984)
- net/sched: netem: validate slot configuration
- net: sched: choke: remove unused variables in struct choke_sched_data
- net/sched: sch_choke: annotate data-races in choke_dump_stats()
- net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
- vrf: Fix a potential NPD when removing a port from a VRF (CVE-2026-52925)
- net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
(CVE-2026-52982)
- net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
- netfilter: skip recording stale or retransmitted INIT
- sctp: discard stale INIT after handshake completion
- ipv4: rename and move ip_route_output_tunnel()
- ipv4: remove "proto" argument from udp_tunnel_dst_lookup()
- ipv4: add new arguments to udp_tunnel_dst_lookup()
- ipv6: rename and move ip6_dst_lookup_tunnel()
- bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
(CVE-2026-45846)
- net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
- drm/amd/display: Allow DCE link encoder without AUX registers
- drm/amd/display: Read EDID from VBIOS embedded panel info
- btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
- net/sched: taprio: Fix init procedure
- flow_dissector: do not dissect PPPoE PFC frames
- flow_dissector: Do not count vlan tags inside tunnel payload
- net/sched: sch_pie: annotate more data-races in pie_dump_stats()
- rtc: allow rtc_read_alarm without read_alarm callback
- alarmtimer: Check RTC features instead of ops
- crypto: af_alg - Cap AEAD AD length to 0x80000000 (CVE-2026-52972)
- audit: fix incorrect inheritable capability in CAPSET records
(CVE-2026-53287)
- netfilter: nft_ct: fix missing expect put in obj eval (CVE-2026-52970)
- net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
- audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
- [x86] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
- ALSA: usb-audio: Bound MIDI endpoint descriptor scans (CVE-2026-52963
- ceph: fix a buffer leak in __ceph_setxattr() (CVE-2026-52962)
- libceph: Fix potential out-of-bounds access in osdmap_decode()
(CVE-2026-52958)
- libceph: Fix potential null-ptr-deref in decode_choose_args()
(CVE-2026-52957)
- libceph: Fix potential out-of-bounds access in crush_decode()
(CVE-2026-52955)
- libceph: handle rbtree insertion error in decode_choose_args()
(CVE-2026-52954)
- [x86] iommu/vt-d: Disable DMAR for Intel Q35 IGFX
- [arm*] drm/panfrost: Fix wait_bo ioctl leaking positive return from
dma_resv_wait_timeout()
- [x86] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
- io-wq: check that the predecessor is hashed in io_wq_remove_pending()
- net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494)
- [x86] Revert "x86/vdso: Fix output operand size of RDPID"
- net: dsa: sja1105: fix kasan out-of-bounds warning in
sja1105_table_delete_entry() (CVE-2025-22107)
- sysfs: don't remove existing directory on update failure
- hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX
- ALSA: ua101: Reject too-short USB descriptors
- ALSA: asihpi: Fix potential OOB array access at reading cache
- Bluetooth: bnep: Fix UAF read of dev->name
- Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
(CVE-2026-46275)
- phonet/pep: disable BH around forwarded sk_receive_skb()
- [arm64] net: bcmgenet: keep RBUF EEE/PM disabled
- netfilter: ip6t_hbh: reject oversized option lists (CVE-2026-52915)
- netfilter: ipset: stop hash:* range iteration at end (CVE-2026-52921)
- ring-buffer: Fix reporting of missed events in iterator
- [x86] vsock/vmci: fix UAF when peer resets connection during handshake
- wifi: ath11k: clear shared SRNG pointer state on restart
- ipv4: raw: reject IP_HDRINCL packets with ihl < 5
- ixgbevf: fix use-after-free in VEPA multicast source pruning
- wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
- tracing: Do not call map->ops->elt_free() if elt_alloc() fails
- [x86] scsi: isci: Fix use-after-free in device removal path
- [armhf] spi: ti-qspi: fix use-after-free after DMA setup failure
- RDMA/siw: Reject MPA FPDU length underflow before signed receive math
- drm/amd/display: Fix integer overflow in bios_get_image()
- batman-adv: mcast: fix use-after-free in orig_node RCU release
- batman-adv: clear current gateway during teardown (CVE-2026-52926)
- batman-adv: dat: handle forward allocation error (CVE-2026-52922)
- batman-adv: fix fragment reassembly length accounting (CVE-2026-52914)
- batman-adv: fix tp_meter counter underflow during shutdown
(CVE-2026-52919)
- batman-adv: frag: disallow unicast fragment in fragment (CVE-2026-52916)
- batman-adv: bla: fix report_work leak on backbone_gw purge
- batman-adv: tp_meter: avoid use of uninit sender vars (CVE-2026-52931)
- batman-adv: tt: fix negative last_changeset_len
- batman-adv: tt: fix negative tt_buff_len
- ice: fix locking in ice_dcb_rebuild()
- [arm*] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL
register access
- net: ethernet: cortina: Make RX SKB per-port
- net: ethernet: cortina: Drop half-assembled SKB
- net: ethernet: cortina: Carry over frag counter
- HID: quirks: really enable the intended work around for appledisplay
- ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
- net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
- net: tls: prevent chain-after-chain in plain text SG
- [x86] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
- tracing: Avoid NULL return from hist_field_name() on truncation
- string: add mem_is_zero() helper to check if memory area is all zeros
- gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)
- gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.259
- Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
- ALSA: usb-audio: fix null pointer dereference on pointer cs_desc
(CVE-2021-47211)
- net/sched: cls_fw: fix NULL dereference of "old" filters before change()
(CVE-2026-53080)
- net/sched: sch_sfb: Replace direct dequeue call with peek and
qdisc_dequeue_peeked
- nfc: llcp: protect nfc_llcp_sock_unlink() calls
- nfc: llcp: Fix use-after-free in llcp_sock_release()
- nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
- xfrm: Check for underflow in xfrm_state_mtu
- netfilter: synproxy: refresh tcphdr after skb_ensure_writable
- netfilter: xt_cpu: prefer raw_smp_processor_id
- netfilter: ebtables: fix OOB read in compat_mtw_from_user
(CVE-2026-52927)
- tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321)
- net: netlink: fix sending unassigned nsid after assigned one
- net: netlink: don't set nsid on local notifications
- net/smc: Do not re-initialize smc hashtables
- ipv4: free net->ipv4.sysctl_local_reserved_ports after
unregister_net_sysctl_table()
- [x86] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
- tunnels: load network headers after skb_cow() in
iptunnel_pmtud_build_icmp[v6]()
- vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
- tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
- Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
- ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
- Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
- Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
- sctp: fix race between sctp_wait_for_connect and peeloff
- batman-adv: v: stop OGMv2 on disabled interface (CVE-2026-52913)
- batman-adv: tvlv: abort OGM send on tvlv append failure
- batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
- batman-adv: tvlv: reject oversized TVLV packets (CVE-2026-52934)
- batman-adv: iv: recover OGM scheduling after forward packet error
- batman-adv: tp_meter: fix race condition in send error reporting
- batman-adv: tp_meter: avoid role confusion in tp_list
- batman-adv: tt: fix TOCTOU race for reported vlans
- batman-adv: tt: avoid empty VLAN responses
- batman-adv: bla: avoid double decrement of bla.num_requests
- smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path
(CVE-2025-39929)
- iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
- usb: typec: ucsi: ccg: reject firmware images without a ':' record header
- usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
- usb: typec: altmodes/displayport: validate count before reading Status
Update VDO
- [x86] usb: typec: wcove: don't write past struct pd_message in
wcove_read_rx_buffer()
- USB: serial: safe_serial: fix memory corruption with small endpoint
- Bluetooth: btusb: Allow firmware re-download when version matches
- hpfs: fix a crash if hpfs_map_dnode_bitmap fails
- ipc: limit next_id allocation to the valid ID range (CVE-2026-52923)
- Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
- parport: Fix race between port and client registration (Closes: #1130365)
- iio: dac: ad5686: fix input raw value check
- iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
- iio: gyro: itg3200: fix i2c read into the wrong stack location
- iio: ssp_sensors: cancel delayed work_refresh on remove
- iio: temperature: tsys01: fix broken PROM checksum validation
- iio: light: cm3323: fix reg_conf not being initialized correctly
- iio: buffer: hw-consumer: fix use-after-free in error path
- USB: serial: omninet: fix memory corruption with small endpoint
- usb: dwc2: Fix use after free in debug code
- Input: elan_i2c - validate firmware size before use
- wireguard: send: append trailer after expanding head
- bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
- macsec: fix replay protection at XPN lower-PN wrap
- ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
- [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and
set_params
- ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
- ipv6: validate extension header length before copying to cmsg
- ip6: vti: Use ip6_tnl.net in vti6_changelink().
- HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
- iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
- nfc: hci: fix out-of-bounds read in HCP header parsing
- xfrm: route MIGRATE notifications to caller's netns
- xfrm: ah: use skb_to_full_sk in async output callbacks
- netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without
direction check
- [arm64] ASoC: qcom: q6asm-dai: close stream only when running
- [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and
trigger callbacks
- xfrm: esp: restore combined single-frag length gate
- Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
- [x86] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
- [x86] comedi: comedi_test: fix check for valid scan_begin_src in
waveform_ai_cmdtest()
- [x86] comedi: comedi_test: Fix limiting of convert_arg in
waveform_ai_cmdtest()
- [i386] tty: serial: pch_uart: add check for dma_alloc_coherent()
- [arm*] usb: chipidea: core: convert ci_role_switch to local variable
- usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
- USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub
controllers
- usb: storage: Add quirks for PNY Elite Portable SSD
- usbip: vudc: Fix use after free bug in vudc_remove due to race condition
- usb: usbtmc: check URB actual_length for interrupt-IN notifications
- usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
- USB: serial: option: add MeiG SRM813Q
- USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
- USB: serial: belkin_sa: validate interrupt status length
- USB: serial: cypress_m8: validate interrupt packet headers
- USB: serial: keyspan: fix missing indat transfer sanity check
- USB: serial: mxuport: fix memory corruption with small endpoint
- USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
- usb: gadget: net2280: Fix double free in probe error path
- usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
- thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
- thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
- scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
- serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
- Bluetooth: hci_core: Fix use-after-free in vhci_flush() (CVE-2025-38250)
- USB: serial: cypress_m8: fix memory corruption with small endpoint
- USB: serial: digi_acceleport: fix memory corruption with small endpoints
- [arm*] xhci: tegra: Fix ghost USB device on dual-role port unplug
- page_pool: Fix use-after-free in page_pool_recycle_in_ring
(CVE-2025-38129)
- team: Move team device type change at the end of team_port_add
(CVE-2025-68340)
- usb: core: Fix SuperSpeed root hub wMaxPacketSize
- bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910)
- HID: core: Add printk_ratelimited variants to hid_warn() etc
- HID: pass the buffer size to hid_report_raw_event
- HID: core: Fix size_t specifier in hid_report_raw_event()
- USB: serial: mct_u232: fix memory corruption with small endpoint
- i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl (CVE-2026-52948)
- tee: optee: prevent use-after-free when the client exits before the
supplicant (CVE-2026-53273)
- netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
- ipvs: clear the svc scheduler ptr early on edit (CVE-2026-53270)
- netfilter: synproxy: add mutex to guard hook reference counting
(CVE-2026-53269)
- netfilter: conntrack_irc: fix possible out-of-bounds read
(CVE-2026-53268)
- netfilter: bridge: make ebt_snat ARP rewrite writable (CVE-2026-53266)
- dm cache policy smq: check allocation under invalidate lock
(CVE-2026-53265)
- net/sched: act_api: use RCU with deferred freeing for action lifecycle
(CVE-2026-53264)
- 6lowpan: fix off-by-one in multicast context address compression
(CVE-2026-53263)
- pcnet32: stop holding device spin lock during napi_complete_done
- net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
- net: lan743x: permit VLAN-tagged packets up to configured MTU
- Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
(CVE-2026-53256)
- Bluetooth: MGMT: validate advertising TLV before type checks
(CVE-2026-53255)
- ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options (CVE-2026-53249)
- ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
- net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
(CVE-2026-53245)
- sctp: purge outqueue on stale COOKIE-ECHO handling (CVE-2026-52924)
- signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
- time: Fix off-by-one in settimeofday() usec validation
- ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked
streams (CVE-2026-53242)
- ext4: validate p_idx bounds in ext4_ext_correct_indexes (CVE-2026-31449)
- bonding: limit BOND_MODE_8023AD to Ethernet devices (CVE-2026-23099)
- usbnet: Fix using smp_processor_id() in preemptible code warnings
(CVE-2025-40164)
- nfsd: don't ignore the return code of svc_proc_register()
(CVE-2025-22026)
- wifi: mac80211: check tdls flag in ieee80211_tdls_oper (CVE-2026-43052)
- [arm*] spi: meson-spicc: Fix double-put in remove path (CVE-2026-31489)
- io_uring: prevent opcode speculation (CVE-2025-21863)
- tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320)
- tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322)
- [arm64] KVM: arm64: Remove VPIPT I-cache handling
- [arm64] tlb: Allow XZR argument to TLBI ops
- [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
- xfrm: policy: fix use-after-free on inexact bin in
xfrm_policy_bysel_ctx() (CVE-2026-53239)
- netlabel: validate unlabeled address and mask attribute lengths
(CVE-2026-53238)
- net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
(CVE-2026-52947)
- ipv6: sit: reload inner IPv6 header after GSO offloads (CVE-2026-53228)
- net: openvswitch: fix possible kfree_skb of ERR_PTR (CVE-2026-53227)
- sctp: fix uninit-value in __sctp_rcv_asconf_lookup() (CVE-2026-53225)
- net: guard timestamp cmsgs to real error queue skbs (CVE-2026-53223)
- net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic
completion (CVE-2026-52939)
- ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
(CVE-2026-53221)
- rds: mark snapshot pages dirty in rds_info_getsockopt()
- netfilter: x_tables: avoid leaking percpu counter pointers
(CVE-2026-53219)
- netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
(CVE-2026-53218)
- [arm*] net: mvpp2: sync RX data at the hardware packet offset
(CVE-2026-53217)
- netfilter: nft_tunnel: fix use-after-free on object destroy
(CVE-2026-53212)
- Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
(CVE-2026-53208)
- [x86] drm/i915/gem: Fix phys BO pread/pwrite with offset
- xfrm: espintcp: do not reuse an in-progress partial send (CVE-2026-52935)
- USB: serial: io_ti: fix heap overflow in get_manuf_info()
(CVE-2026-53196)
- USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
(CVE-2026-53195)
- USB: serial: option: add usb-id for Dell Wireless DW5826e-m
- USB: serial: kl5kusb105: fix bulk-out buffer overflow (CVE-2026-53194)
- ALSA: timer: Fix UAF at snd_timer_user_params()
- drm/amd/display: Reject gpio_bitshift >= 32 in
bios_parser_get_gpio_pin_info()
- RDMA/srp: bound SRP_RSP sense copy by the received length
(CVE-2026-53186)
- [armhf] socfpga: Fix OF node refcount leak in SMP setup
- vsock/vmci: fix sk_ack_backlog leak on failed handshake (CVE-2026-53181)
- IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
(CVE-2026-53176)
- pidfd: refuse access to tasks that have started exiting harder
- fuse: reject fuse_notify() pagecache ops on directories (CVE-2026-53168)
- [arm*] i2c: tegra: Fix NOIRQ suspend/resume
- [x86] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
- [x86] Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
- ipc/shm: serialize orphan cleanup with shm_nattch updates
(CVE-2026-52930)
- [arm*] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue
context (CVE-2026-53161)
- net: bonding: fix NULL pointer dereference in bond_do_ioctl()
- [armhf] net: mv643xx: fix OF node refcount
- net: rds: clear i_sends on setup unwind
- mmc: core: Fix host controller programming for fixed driver type
- mmc: sdhci: add signal voltage switch in sdhci_resume_host
- sctp: diag: reject stale associations in dump_one path (CVE-2026-52917)
- sctp: stream: fully roll back denied add-stream state (CVE-2026-52929)
- thunderbolt: Reject zero-length property entries in validator
(CVE-2026-53150)
- thunderbolt: Bound root directory content to block size
(CVE-2026-53149)
- thunderbolt: Clamp XDomain response data copy to allocation size
(CVE-2026-53148)
- thunderbolt: Limit XDomain response copy to actual frame size
(CVE-2026-53146)
- drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
(CVE-2026-53137)
- drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
(CVE-2026-53135)
- fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
(CVE-2026-52946)
- io_uring/poll: fix signed comparison in io_poll_get_ownership()
- ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850)
- batman-adv: stop tp_meter sessions during mesh teardown (CVE-2026-46208)
- batman-adv: tp_meter: fix tp_num leak on kmalloc failure
- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
f2fs_write_end_io() (CVE-2026-31715)
- smb: client: require a full NFS mode SID before reading mode bits
(CVE-2026-43350)
- smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
(CVE-2026-31708)
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
(CVE-2026-31700)
- drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
(CVE-2026-46006)
- [arm64] mm: Enable batched TLB flush in unmap_hotplug_range()
- thermal: core: Fix thermal zone governor cleanup issues (CVE-2026-46021)
- wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
(CVE-2026-46069)
- media: rc: ttusbir: respect DMA coherency rules
- erofs: fix the out-of-bounds nameoff handling for trailing dirents
(CVE-2026-46078)
- media: rc: igorplugusb: heed coherency rules
- sched: Use u64 for bandwidth ratio calculations
- ALSA: core: Fix potential data race at fasync handling
- net: qrtr: ns: Limit the maximum number of lookups (CVE-2026-46026)
- net: qrtr: ns: Change servers radix tree to xarray
- net: qrtr: ns: Free the node during ctrl_cmd_bye() (CVE-2026-46038)
- net: qrtr: ns: Limit the total number of nodes (CVE-2026-46003)
- net: bridge: use a stable FDB dst snapshot in RCU readers
(CVE-2026-46086)
- mtd: spi-nor: sst: Fix write enable before AAI sequence
- udf: fix partition descriptor append bookkeeping (CVE-2026-45991)
- hfsplus: fix uninit-value by validating catalog record size
(CVE-2026-46169)
- hfsplus: fix held lock freed on hfsplus_fill_super() (CVE-2026-46299)
- Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
(CVE-2026-46056)
- can: ucan: fix devres lifetime (CVE-2026-46103)
- ceph: only d_add() negative dentries when they are unhashed
(CVE-2026-46052)
- ALSA: aloop: Fix peer runtime UAF during format-change stop
(CVE-2026-46090)
- printk: add print_hex_dump_devel()
- [arm*] crypto: caam - guard HMAC key hex dumps in hash_digest_key
(CVE-2026-46291)
- ACPI: scan: Use acpi_dev_put() in object add error paths
- tracepoint: balance regfunc() on func_add() failure in
tracepoint_add_func() (CVE-2026-46196)
- wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog
task (CVE-2026-46180)
- [arm*] usb: dwc3: Move GUID programming after PHY initialization
- [armhf] spi: sun4i: fix controller deregistration
- [armhf] spi: ti-qspi: fix controller deregistration
- [armhf] spi: sun6i: fix controller deregistration
- [arm*] spi: tegra20-sflash: fix controller deregistration
- [arm*] spi: tegra114: fix controller deregistration
- mm/hugetlb_cma: round up per_node before logging it
- fbcon: Avoid OOB font access if console rotation fails (CVE-2026-46191)
- [i386] spi: topcliff-pch: fix controller deregistration
- btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
info-leak (CVE-2026-46159)
- tracing/probes: Limit size of event probe to 3K
- pmdomain: core: Fix detach procedure for virtual devices in genpd
(CVE-2026-46292)
- dm btree: improve btree residency
- dm-thin: fix metadata refcount underflow (CVE-2026-46107)
- btrfs: fix missing last_unlink_trans update when removing a directory
(CVE-2026-46160)
- smb: client: Use FullSessionKey for AES-256 encryption key derivation
- mptcp: pm: ADD_ADDR rtx: fix potential data-race (CVE-2026-46137)
- f2fs: fix incorrect file address mapping when inline inode is unwritten
- Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
- Bluetooth: hci_qca: Convert timeout from jiffies to ms
- qed: Use the bitmap API to simplify some functions
- qed: fix double free in qed_cxt_tables_alloc()
- net: Remove redundant if statements
- netfilter: nf_queue: hold bridge skb->dev while queued (CVE-2026-52912)
- Bluetooth: Consolidate code around sk_alloc into a helper function
- Bluetooth: Init sk_peer_* on bt_sock_alloc
- Bluetooth: serialize accept_q access (CVE-2026-52918)
- net: hsr: defer node table free until after RCU readers
- ice: fix VF queue configuration with low MTU values
- use less confusing names for iov_iter direction initializers
- [arm64] octeontx2-af: Add validation for lmac type (CVE-2023-54129)
- [arm64] spi: qup: switch to use modern name
- [arm64] spi: qup: fix error pointer deref after DMA setup failure
- [arm64] tlb: Flush walk cache when unsharing PMD tables
- scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
- usb: typec: ucsi: Check if power role change actually happened before
handling
- thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
- scsi: target: iscsi: Fix CRC overread and double-free in
iscsit_handle_text_cmd()
- usb: typec: ucsi: Don't update power_supply on power role change if not
connected
- netfilter: nft_fib: fix stale stack leak via the OIFNAME register
(CVE-2026-53134)
- [x86] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
(CVE-2026-53199)
- mm/huge_memory: update file PMD counter before folio_put()
(CVE-2026-53189)
- RDMA/umem: fix kernel-doc warnings
- RDMA: Move DMA block iterator logic into dedicated files
- RDMA/umem: Fix truncation for block sizes >= 4G (CVE-2026-53133)
- Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
- [x86] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
- iio: chemical: scd30: fix division by zero in write_raw
- iio: gyro: adis16260: fix division by zero in write_raw
- iio: dac: ad5686: fix ref bit initialization for single-channel parts
- xfrm: input: hold netns during deferred transport reinjection
- net: skbuff: fix missing zerocopy reference in pskb_carve helpers
(CVE-2026-52943)
- [armhf] serial: samsung_tty: Use port lock wrappers
- [armhf] tty: serial: samsung: use u32 for register interactions
- [armhf] tty: serial: samsung: Remove redundant port lock acquisition in
rx helpers
- usb: gadget: f_hid: tidy error handling in hidg_alloc
- usb: gadget: f_hid: fix device reference leak in hidg_alloc()
- lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
(CVE-2026-43492)
- [arm64] Mitigate TLBI errata on various CPU cores (CVE-2025-10263):
+ Subscribe Microsoft Azure Cobalt 100 to ARM Neoverse N2 errata
+ cputype: Add NVIDIA Olympus definitions
+ cputype: Add C1-Ultra definitions
+ cputype: Add C1-Premium definitions
+ errata: Mitigate TLBI errata on various Arm CPUs
+ errata: Mitigate TLBI errata on NVIDIA Olympus CPU
+ errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
- media: rc: ttusbir: fix inverted error logic
- media: rc: igorplugusb: fix control request setup packet (CVE-2026-46091)
.
[ Ben Hutchings ]
* [rt] Update to 5.10.259-rt155
* Drop "Revert "io_uring/poll: correctly handle io_poll_add() return value
on update""
* Revert "Bluetooth: L2CAP: use chan timer to close channels in
cleanup_listen()"
* Revert "media: rc: streamzap: Error handling in probe"
* usb: type: ucsi: Fix misplaced call to ucsi_port_psy_changed() (regression
in 5.10.241)
.
[ Salvatore Bonaccorso ]
* ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909)
Checksums-Sha1:
89ea187903e5688de75f2c699544e323db09383f 8001 linux-signed-amd64_5.10.259+1.dsc
e3c41d252404ddb554f1425a9a5d41e9b6392e17 659884 linux-signed-amd64_5.10.259+1.tar.xz
Checksums-Sha256:
e1da8d7abf6418e317b07084372e490ccb8621103a97d2f79f8e58fdafee5f71 8001 linux-signed-amd64_5.10.259+1.dsc
fcbef67df5d7597c7797bbd56b1d85b139dce5c43d7ca46950a4a86b86153f02 659884 linux-signed-amd64_5.10.259+1.tar.xz
Files:
9b532d6b7501f763710563e921ba06a6 8001 kernel optional linux-signed-amd64_5.10.259+1.dsc
2c696dd00c49fb48d2c872546842707d 659884 kernel optional linux-signed-amd64_5.10.259+1.tar.xz
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSInBJdRTWyTRy0ztFCTVFtUgONCgUCake19wAKCRBCTVFtUgON
Csd7AP47SpxzO2tCpNOCGd44itlPDmhP8s874n/Jb3neB1ZDngEAzHdvCU+C/nmx
zrOjiyzqUr1t7C3C6JInBH5Dej6fEgY=
=F70O
-----END PGP SIGNATURE-----