-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jul 2026 15:50:42 +0200
Source: linux-signed-amd64
Architecture: source
Version: 6.1.176+1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Changes:
linux-signed-amd64 (6.1.176+1) bookworm-security; urgency=high
.
* Sign kernel from linux 6.1.176-1
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.175
- [x86] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
- [x86] ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
- [arm64] media: rkvdec: reduce stack usage in
rkvdec_init_v4l2_vp9_count_tbl()
- [x86] ALSA: asihpi: avoid write overflow check warning
- [x86] ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
- can: mcp251x: add error handling for power enable in open and resume
- btrfs: tracepoints: get correct superblock from dentry in event
btrfs_sync_file() (CVE-2026-43117)
- [x86] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
- [x86] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
expiry (CVE-2026-43114)
- [x86] ALSA: hda/realtek: add quirk for Framework F111:000F
- wifi: wl1251: validate packet IDs before indexing tx_frames
(CVE-2026-43113)
- ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
- ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
- fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
(CVE-2026-43112)
- [x86] ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
- [x86] pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
debouncer)
- HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
- [x86] ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
- HID: roccat: fix use-after-free in roccat_report_event (CVE-2026-43111)
- ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
- wifi: brcmfmac: validate bsscfg indices in IF events (CVE-2026-43110)
- [armhf] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
- [armhf] soc: aspeed: socinfo: Mask table entries for accurate SoC ID
matching
- [arm64] dts: imx8mq: Set the correct gpu_ahb clock frequency
- PCI: hv: Set default NUMA node to 0 for devices without affinity info
- [arm*] drm/vc4: Release runtime PM reference after binding V3D
- [arm*] drm/vc4: Fix memory leak of BO array in hang state
(CVE-2026-43105)
- [arm*] drm/vc4: Fix a memory leak in hang state error path
(CVE-2026-43104)
- [arm*] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
- epoll: use refcount to reduce ep_mutex contention
- eventpoll: defer struct eventpoll free to RCU grace period
(CVE-2026-43074)
- net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684)
- net: lapbether: handle NETDEV_PRE_TYPE_CHANGE (CVE-2026-43103)
- ipv4: icmp: fix null-ptr-deref in icmp_build_probe() (CVE-2026-43099)
- nfc: s3fwrn5: allocate rx skb before consuming bytes (CVE-2026-43098)
- tracing/probe: reject non-closed empty immediate strings
- ixgbevf: add missing negotiate_features op to Hyper-V ops table
(CVE-2026-43094)
- e1000: check return value of e1000_read_eeprom
- xsk: tighten UMEM headroom validation to account for tailroom and min
frame (CVE-2026-43093)
- xfrm_user: fix info leak in build_mapping() (CVE-2026-43089)
- netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
(CVE-2026-43085)
- netfilter: xt_multiport: validate range encoding in checkentry
(CVE-2026-31681)
- netfilter: ip6t_eui64: reject invalid MAC header for all packets
(CVE-2026-31685)
- af_unix: read UNIX_DIAG_VFS data under unix_state_lock (CVE-2026-31673)
- l2tp: Drop large packets with UDP encap (CVE-2026-43080)
- [arm64,armhf] gpio: tegra: fix irq_release_resources calling enable
instead of disable
- [x86] perf/x86/intel/uncore: Skip discovery table for offline dies
(CVE-2026-43079)
- Revert "drm: Fix use-after-free on framebuffers and property blobs when
calling drm_dev_unplug" (regression in 6.1.167)
- netfilter: conntrack: add missing netlink policy validations
(CVE-2026-31407)
- [x86] drm/i915/psr: Do not use pipe_src as borders for SU area
- nfc: llcp: add missing return after LLCP_CLOSED checks (CVE-2026-31629)
- can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532)
- [arm*] i2c: s3c24xx: check the size of the SMBUS message before using it
(CVE-2026-31627)
- staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
(CVE-2026-31626)
- HID: alps: fix NULL pointer dereference in alps_raw_event()
(CVE-2026-31625)
- HID: core: clamp report_size in s32ton() to avoid undefined shift
(CVE-2026-31624)
- net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
(CVE-2026-31623)
- NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
(CVE-2026-31622)
- [arm*] drm/vc4: platform_get_irq_byname() returns an int (CVE-2026-43072)
- ALSA: fireworks: bound device-supplied status before string array lookup
(CVE-2026-31619)
- fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
(CVE-2026-31618)
- usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
(CVE-2026-31617)
- usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
(CVE-2026-31616)
- [arm64,armhf] usb: gadget: renesas_usb3: validate endpoint index in
standard request handlers (CVE-2026-31615)
- ksmbd: validate EaNameLength in smb2_get_ea() (CVE-2026-31612)
- ksmbd: require 3 sub-authorities before reading sub_auth[2]
(CVE-2026-31611)
- usbip: validate number_of_packets in usbip_pack_ret_submit()
(CVE-2026-31607)
- usb: storage: Expand range of matched versions for VL817 quirks entry
- USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
- usb: port: add delay after usb_hub_set_port_power()
- fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
(CVE-2026-31605)
- staging: sm750fb: fix division by zero in ps_to_hz() (CVE-2026-31603)
- USB: serial: option: add Telit Cinterion FN990A MBIM composition
- ALSA: ctxfi: Limit PTP to a single page (CVE-2026-31602)
- dcache: Limit the minimal number of bucket to two (CVE-2026-43071)
- media: vidtv: fix NULL pointer dereference in
vidtv_channel_pmt_match_sections (CVE-2026-31599)
- ocfs2: fix possible deadlock between unlink and dio_end_io_write
(CVE-2026-31598)
- ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
(CVE-2026-31597)
- ocfs2: handle invalid dinode in ocfs2_group_extend (CVE-2026-31596)
- [x86] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
(CVE-2026-31590)
- Revert "dmaengine: idxd: Fix not releasing workqueue on .release()"
(regression in 6.1.168)
- ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
(CVE-2025-39997)
- net: add proper RCU protection to /proc/net/ptype (CVE-2026-23255)
- net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
- bonding: return detailed error when loading native XDP fails
- bonding: check xdp prog when set bond mode (CVE-2025-22105)
- drm/amdgpu: remove two invalid BUG_ON()s (CVE-2025-68201)
- nf_tables: nft_dynset: fix possible stateful expression memleak in error
path (CVE-2026-23399)
- rxrpc: proc: size address buffers for %pISpc output (CVE-2026-31630)
- [x86] KVM: x86: Use scratch field in MMIO fragment to hold small write
values (CVE-2026-31588)
- mm/kasan: fix double free for kasan pXds (CVE-2026-31686)
- mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
(CVE-2026-31586)
- media: vidtv: fix nfeeds state corruption on start_streaming failure
(CVE-2026-31585)
- media: em28xx: fix use-after-free in em28xx_v4l2_open() (CVE-2026-31583)
- ALSA: 6fire: fix use-after-free on disconnect (CVE-2026-31581)
- bcache: fix cached_dev.sb_bio use-after-free and crash (CVE-2026-31580)
- media: as102: fix to not free memory after the device is registered in
as102_usb_probe() (CVE-2026-31578)
- nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
(CVE-2026-31577)
- media: vidtv: fix pass-by-value structs causing MSAN warnings
(CVE-2026-43058)
- media: hackrf: fix to not free memory after the device is registered in
hackrf_probe() (CVE-2026-31576)
- PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
(CVE-2026-31594)
- ipv6: add NULL checks for idev in SRv6 paths (CVE-2026-23442)
- gfs2: Improve gfs2_consist_inode() usage
- gfs2: Validate i_depth for exhash directories (CVE-2025-38710)
- wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
(CVE-2026-23444)
- net: dsa: clean up FDB, MDB, VLAN entries on unbind (CVE-2025-37864)
- [arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V
- [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
- ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
- ocfs2: validate inline data i_size during inode read (CVE-2026-43076)
- ocfs2: fix out-of-bounds write in ocfs2_write_end_inline (CVE-2026-43075)
- rxrpc: Fix key quota calculation for multitoken keys
- rxrpc: Fix call removal to use RCU safe deletion (CVE-2026-31642)
- rxrpc: reject undecryptable rxkad response tickets (CVE-2026-31637)
- [x86] KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
- ublk: fix deadlock when reading partition table (CVE-2025-68823)
- PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
(CVE-2026-31595)
- [arm64,armhf] ASoC: qcom: q6apm: move component registration to unmanaged
version (CVE-2026-31587)
- rxrpc: Fix recvmsg() unconditional requeue (CVE-2026-23066)
- scsi: ufs: core: Fix use-after free in init error and remove paths
(CVE-2025-21739)
- ALSA: control: Avoid WARN() for symlink errors (CVE-2024-56657)
- f2fs: fix null-ptr-deref in f2fs_submit_page_bio() (CVE-2024-53221)
- wifi: iwlwifi: read txq->read_ptr under lock (CVE-2024-36922)
- [arm64] mm: fix VA-range sanity check (CVE-2023-53989)
- rxrpc: Fix anonymous key handling
- rxrpc: only handle RESPONSE during service challenge (CVE-2026-31676)
- fs/ntfs3: validate rec->used in journal-replay file record check
(CVE-2026-31716)
- fuse: reject oversized dirents in page cache (CVE-2026-31694)
- fuse: quiet down complaints in fuse_conn_limit_write
- smb: server: fix active_num_conn leak on transport allocation failure
(CVE-2026-31711)
- smb: server: fix max_connections off-by-one in tcp accept path
- smb: client: require a full NFS mode SID before reading mode bits
(CVE-2026-43350)
- smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
(CVE-2026-31708)
- ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
(CVE-2026-31705)
- ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
(CVE-2026-31704)
- f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
(CVE-2026-31702)
- ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
- ALSA: caiaq: take a reference on the USB device in create_card()
(CVE-2026-31701)
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
(CVE-2026-31699)
- crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command
failed (CVE-2026-31698)
- crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
(CVE-2026-31697)
- rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
(CVE-2026-31696)
- ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES (CVE-2026-46018)
- ALSA: usb-audio: Avoid false E-MU sample-rate notifications
- ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
- usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
- ALSA: usb-audio: Evaluate packsize caps at the right place
- drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
(CVE-2026-46006)
- [x86] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
(CVE-2026-46022)
- [x86] ibmasm: fix OOB reads in command_file_write due to missing size
checks (CVE-2026-45994)
- [x86] ibmasm: fix heap over-read in ibmasm_send_i2o_message()
(CVE-2026-46064)
- firmware: google: framebuffer: Do not mark framebuffer as busy
- padata: Fix pd UAF once and for all (CVE-2025-38584)
- padata: Remove comment for reorder_work
- drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
- drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
(CVE-2026-23468)
- net: enetc: fix the deadlock of enetc_mdio_lock (CVE-2025-40347)
- blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
(CVE-2023-53292)
- [arm64] set __exception_irq_entry with __irq_entry as a default
(CVE-2023-54322)
- regset: use kvzalloc() for regset_get_alloc()
- device property: Make modifications of fwnode "flags" thread safe
- ocfs2: split transactions in dio completion to avoid credit exhaustion
(CVE-2026-46080)
- driver core: Don't let a device probe until it's ready
- wifi: rtw88: check for PCI upstream bridge existence
- f2fs: fix to detect potential corrupted nid in free_nid_list
(CVE-2025-68315)
- crypto: pcrypt - Fix handling of MAY_BACKLOG requests (CVE-2026-43493)
- [arm*] media: amphion: Fix race between m2m job_abort and device_run
(CVE-2026-46058)
- ALSA: control: Validate buf_len before strnlen() in
snd_ctl_elem_init_enum_names() (CVE-2026-46088)
- net: caif: clear client service pointer on teardown (CVE-2026-46098)
- net: strparser: fix skb_head leak in strp_abort_strp() (CVE-2026-46102)
- PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
(CVE-2026-46009)
- Revert "ALSA: usb: Increase volume range that triggers a warning"
(regression in 6.1.162)
- lib/ts_kmp: fix integer overflow in pattern length calculation
- net: qrtr: ns: Fix use-after-free in driver remove() (CVE-2026-46047)
- ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
(CVE-2026-46002)
- ALSA: ctxfi: Add fallback to default RSR for S/PDIF (CVE-2026-46049)
- ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
- erofs: fix the out-of-bounds nameoff handling for trailing dirents
(CVE-2026-46078)
- md/raid10: fix deadlock with check operation and nowait requests
(CVE-2026-46050)
- nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
- nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
- rbd: fix null-ptr-deref when device_add_disk() fails (CVE-2026-46079)
- io_uring/timeout: check unused sqe fields
- iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
- io_uring/poll: fix signed comparison in io_poll_get_ownership()
(CVE-2026-52933)
- io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
- ALSA: core: Fix potential data race at fasync handling
- ALSA: caiaq: Fix control_put() result and cache rollback
- ALSA: caiaq: Handle probe errors properly (CVE-2026-46004)
- ALSA: 6fire: Fix input volume change detection
- iio: adc: ad7768-1: fix one-shot mode data acquisition
- net: rds: fix MR cleanup on copy error (CVE-2026-46053)
- net/smc: avoid early lgr access in smc_clc_wait_msg (CVE-2026-46027)
- net: ks8851: Reinstate disabling of BHs around IRQ handler
(CVE-2026-46031)
- RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
(CVE-2026-46043)
- ipv4: icmp: validate reply type before using icmp_pointers
(CVE-2026-46037)
- libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
(CVE-2026-46024)
- power: supply: axp288_charger: Do not cancel work before initializing it
- randomize_kstack: Maintain kstack_offset per task
- mmc: block: use single block write in retry
- [arm64] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
- tpm: tpm_tis: add error logging for data transfer
- userfaultfd: allow registration of ranges below mmap_min_addr
- [x86] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
- [x86] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
- [x86] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
(CVE-2026-45987)
- [x86] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 (CVE-2026-46082)
- [x86] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB
intercepts
- [x86] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest
mode
- [x86] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
- [x86] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested
VMRUN
- [x86] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
- [x86] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested
#VMEXIT
- [x86] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
- [x86] KVM: nSVM: Add missing consistency check for nCR3 validity
- mtd: docg3: fix use-after-free in docg3_release() (CVE-2026-46285)
- io_uring/poll: fix multishot recv missing EOF on wakeup race
- ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
(CVE-2026-46046)
- md/raid5: fix soft lockup in retry_aligned_read() (CVE-2026-46051)
- md/raid5: validate payload size before accessing journal metadata
(CVE-2026-46070)
- inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
(CVE-2026-46040)
- tcp: call sk_data_ready() after listener migration (CVE-2026-46015)
- taskstats: set version in TGID exit notifications
- Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
(CVE-2026-46056)
- can: ucan: fix devres lifetime (CVE-2026-46103)
- [arm64] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as
64-bit
- [armel,armhf] crypto: atmel-aes - Fix 3-page memory leak in
atmel_aes_buff_cleanup (CVE-2026-46019)
- [arm*] crypto: ccree - fix a memory leak in cc_mac_digest()
(CVE-2026-45986)
- [armel,armhf] crypto: atmel-tdes - fix DMA sync direction
(CVE-2026-46077)
- crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
(CVE-2026-46075)
- dm mirror: fix integer overflow in create_dirty_log() (CVE-2026-46023)
- IB/core: Fix zero dmac race in neighbor resolution
- ntfs3: add buffer boundary checks to run_unpack() (CVE-2026-46072)
- ntfs3: fix integer overflow in run_unpack() volume boundary check
(CVE-2026-46062)
- rtmutex: Use waiter::task instead of current in remove_waiter()
(CVE-2026-43499)
- scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
(CVE-2026-45997)
- seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
- crypto: authencesn - reject short ahash digests during instance creation
(CVE-2026-46033)
- ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
- ALSA: caiaq: Don't abort when no input device is available
- ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
(CVE-2026-43501)
- drm/amdgpu: fix zero-size GDS range init on RDNA4 (CVE-2026-46276)
- ALSA: caiaq: fix usb_dev refcount leak on probe failure
- net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels (CVE-2026-46099)
- netfilter: reject zero shift in nft_bitwise (CVE-2026-46101)
- scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
(CVE-2026-46149)
- ipmi: Add limits to event and receive message requests (CVE-2026-46177)
- ipmi: Check event message buffer response for bad data (CVE-2026-46128)
- ipmi:si: Return state to normal if message allocation fails
(CVE-2026-46108)
- fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
(CVE-2026-43497)
- ACPI: scan: Use acpi_dev_put() in object add error paths
- ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
- [x86] ACPI: video: force native backlight on HP OMEN 16 (8A44)
- ASoC: SOF: Don't allow pointer operations on unconfigured streams
(CVE-2026-46179)
- [arm64,armhf] spi: rockchip: fix controller deregistration
- drm/amd/display: Do not skip unrelated mode changes in DSC validation
(CVE-2026-31488)
- [arm64,armhf] spi: meson-spicc: Fix double-put in remove path
(CVE-2026-31489)
- ext4: validate p_idx bounds in ext4_ext_correct_indexes (CVE-2026-31449)
- [x86] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
(CVE-2026-46113)
- flow_dissector: do not dissect PPPoE PFC frames (CVE-2026-46306)
- net/sched: sch_red: Replace direct dequeue call with peek and
qdisc_dequeue_peeked (CVE-2026-43496)
- Bluetooth: hci_sync: Remove remaining dependencies of hci_request
- Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
(CVE-2026-31500)
- ice: Fix memory leak in ice_set_ringparam() (CVE-2026-23389)
- exit: prevent preemption of oopsing TASK_DEAD task (CVE-2026-46173)
- wifi: mt76: mt7921: fix a potential clc buffer length underflow
(CVE-2026-46136)
- wifi: b43legacy: enforce bounds check on firmware key index in RX path
(CVE-2026-46163)
- wifi: rsi: fix kthread lifetime race between self-exit and external-stop
(CVE-2026-46187)
- wifi: ath5k: do not access array OOB (CVE-2026-46307)
- wifi: b43: enforce bounds check on firmware key index in b43_rx()
(CVE-2026-46122)
- usb: usblp: fix heap leak in IEEE 1284 device ID via short response
(CVE-2026-46151)
- usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
(CVE-2026-46167)
- ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
(CVE-2026-46146)
- ALSA: usb-audio: Fix UAC3 cluster descriptor size check
- USB: serial: option: add Telit Cinterion LE910Cx compositions
- usb: ulpi: fix memory leak on ulpi_register() error paths
(CVE-2026-46109)
- ALSA: firewire-tascam: Do not drop unread control events
- xfrm: provide message size for XFRM_MSG_MAPPING
- ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() (CVE-2026-46172)
- Bluetooth: virtio_bt: clamp rx length before skb_put (CVE-2026-46123)
- Bluetooth: virtio_bt: validate rx pkt_type header length (CVE-2026-46186)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
(CVE-2026-45835)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
(CVE-2026-45834)
- fanotify: fix false positive on permission events (CVE-2026-46150)
- net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
rtnl_fill_vfinfo (CVE-2026-46132)
- sound: ua101: fix division by zero at probe (CVE-2026-46184)
- ip6_gre: Use cached t->net in ip6erspan_changelink(). (CVE-2026-46120)
- net/rds: handle zerocopy send cleanup before the message is queued
(CVE-2026-43502)
- [x86] hwmon: (corsair-psu) Close HID device on probe errors
- cifs: abort open_cached_dir if we don't request leases
- cifs: change_conf needs to be called for session setup
- [arm64] extcon: ptn5150: handle pending IRQ events during system resume
- [arm64] hv_sock: fix ARM64 support
- [ppc64el] ibmveth: Disable GSO for packets with small MSS
(CVE-2026-46273)
- udf: reject descriptors with oversized CRC length
- spi: topcliff-pch: fix use-after-free on unbind (CVE-2026-46301)
- [ppc64el] cpuidle: powerpc: avoid double clear when breaking snooze
- [x86] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in
quirk table
- [arm64,armhf] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
- [arm64,armhf] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
(CVE-2026-46143)
- [arm64,armhf] ASoC: qcom: q6apm: remove child devices when apm is removed
- btrfs: fix double free in create_space_info() error path (CVE-2026-46129)
- dm-thin: fix metadata refcount underflow (CVE-2026-46107)
- dm: don't report warning when doing deferred remove
- dm: fix a buffer overflow in ioctl processing (CVE-2026-46294)
- dm-verity-fec: correctly reject too-small FEC devices
- dm-verity-fec: correctly reject too-small hash devices
- isofs: validate Rock Ridge CE continuation extent against volume size
(CVE-2026-46303)
- isofs: validate block number from NFS file handle in isofs_export_iget
(CVE-2026-46124)
- libceph: Fix slab-out-of-bounds access in auth message processing
(CVE-2026-46119)
- md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
(CVE-2026-46161)
- nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free (CVE-2026-46304)
- openvswitch: vport: fix self-deadlock on release of tunnel ports
(CVE-2026-46165)
- [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
(CVE-2026-46112)
- [s390x] debug: Reject zero-length input in debug_input_flush_fn()
- smb/client: fix out-of-bounds read in symlink_data() (CVE-2026-46185)
- PCI/AER: Clear only error bits in PCIe Device Status
- PCI/AER: Stop ruling out unbound devices as error source
- [x86] power: supply: max17042: avoid overflow when determining health
- RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
(CVE-2026-46178)
- RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
(CVE-2026-46127)
- RDMA/rxe: Reject unknown opcodes before ICRC processing (CVE-2026-46133)
- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
(CVE-2026-46189)
- mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
- mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
- mptcp: sockopt: set timestamp flags on subflow socket, not msk
- mptcp: fix scheduling with atomic in timestamp sockopt (CVE-2026-46168)
- f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
- f2fs: fix fiemap boundary handling when read extent cache is incomplete
- f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
- [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong
value
- f2fs: compress: change the first parameter of page_array_{alloc,free} to
sbi
- f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
(CVE-2025-38627)
- exit: Sleep at TASK_IDLE when waiting for application core dump
- media: uvcvideo: Enable VB2_DMABUF for metadata stream
- [x86] staging: media: atomisp: Disallow all private IOCTLs
(CVE-2026-46205)
- media: rc: xbox_remote: heed DMA restrictions (CVE-2026-46236)
- media: rc: streamzap: Error handling in probe
- media: saa7164: add ioremap return checks and cleanups (CVE-2026-46235)
- [x86] platform/x86: hp-wmi: Ignore backlight and FnLock events
- media: pci: zoran: fix potential memory leak in zoran_probe()
- media: dib8000: avoid division by 0 in dib8000_set_dds()
- [armhf] media: omap3isp: drop the use count of v4l2 pipeline
- [arm64,armhf] spi: imx: fix runtime pm leak on probe deferral
- [armel,armhf] spi: orion: fix clock imbalance on registration failure
- drm/amdgpu: Add bounds checking to ib_{get,set}_value (CVE-2026-46218)
- drm/amdgpu/vce: Prevent partial address patches
- drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg (CVE-2026-46199)
- drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg (CVE-2026-46230)
- drm/gem: Fix inconsistent plane dimension calculation in
drm_gem_fb_init_with_funcs() (CVE-2026-46209)
- drm/amdkfd: validate SVM ioctl nattr against buffer size (CVE-2026-46197)
- drm/radeon: add missing revision check for CI
- drm/amdgpu: zero-initialize GART table on allocation
- drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
- drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
(CVE-2026-46220)
- drm/amdgpu/pm: add missing revision check for CI
- drm/amdgpu/pm: align Hawaii mclk workaround with radeon
- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
(CVE-2026-46227)
- batman-adv: fix integer overflow on buff_pos (CVE-2026-46198)
- batman-adv: reject new tp_meter sessions during teardown (CVE-2026-46206)
- batman-adv: stop caching unowned originator pointers in BAT IV
(CVE-2026-46238)
- batman-adv: bla: prevent use-after-free when deleting claims
(CVE-2026-46212)
- batman-adv: bla: only purge non-released claims (CVE-2026-46233)
- batman-adv: bla: put backbone reference on failed claim hash insert
(CVE-2026-46231)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
(CVE-2026-45836)
- mtd: spi-nor: sst: Factor out common write operation to
`sst_nor_write_data()`
- mtd: spi-nor: sst: Fix write enable before AAI sequence
- vsock: fix buffer size clamping order (CVE-2026-46234)
- vsock/virtio: fix accept queue count leak on transport mismatch
(CVE-2026-46214)
- drm/amdgpu/vcn3: Avoid overflow on msg bound check
- drm/amdgpu/vcn4: Avoid overflow on msg bound check
- mtd: spi-nor: sst: Fix SST write failure
- bcache: fix uninitialized closure object
- blk-cgroup: wait for blkcg cleanup before initializing new disk
- fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
(CVE-2026-53130)
- drbd: Balance RCU calls in drbd_adm_dump_devices() (CVE-2026-53128)
- nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
(CVE-2026-53320)
- pstore/ram: fix resource leak when ioremap() fails
- devres: fix missing node debug info in devm_krealloc()
- debugfs: check for NULL pointer in debugfs_create_str()
- hrtimers: Update the return type of enqueue_hrtimer()
- hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
- hrtimer: Reduce trace noise in hrtimer_start()
- locking: Fix rwlock support in <linux/spinlock_up.h>
- firmware: dmi: Correct an indexing error in dmi.h
- wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
- wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished
irq_prepare_bcn_tasklet (CVE-2026-53112)
- bpf: Add CHECKSUM_COMPLETE to bpf test progs
- bpf: test_run: Fix the null pointer dereference issue in
bpf_lwt_xmit_push_encap (CVE-2026-53111)
- kernel: param: rename locate_module_kobject
- kernel: globalize lookup_or_create_module_kobject()
- bpf, devmap: Remove unnecessary if check in for loop
- bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
(CVE-2026-53096)
- wifi: rtw89: phy: fix uninitialized variable access in
rtw89_phy_cfo_set_crystal_cap()
- r8152: fix incorrect register write to USB_UPHY_XTAL
- [ppc64el] powerpc/crash: fix backup region offset update to elfcorehdr
- macvlan: annotate data-races around port->bc_queue_len_used
- bpf: fix end-of-list detection in cgroup_storage_get_next_key()
(CVE-2026-45838)
- wifi: brcmfmac: Fix error pointer dereference (CVE-2026-53093)
- bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks
- bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
(CVE-2026-45839)
- [arm64] ACPI: AGDI: fix missing newline in error message
- [arm64] kexec: Remove duplicate allocation for trans_pgd
- [arm64] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
(CVE-2026-53088)
- [arm64] net: bcmgenet: Remove TX ring full logging
- [arm64] net: bcmgenet: Remove custom ndo_poll_controller()
- [arm64] net: bcmgenet: add bcmgenet_has_* helpers
- [arm64] net: bcmgenet: move DESC_INDEX flow to ring 0
- [arm64] net: bcmgenet: support reclaiming unsent Tx packets
- [arm64] net: bcmgenet: switch to use 64bit statistics
- [arm64] net: bcmgenet: fix racing timeout handler (CVE-2026-53086)
- netfilter: xt_socket: enable defrag after all other checks
- netfilter: nft_fwd_netdev: check ttl/hl before forwarding
- 6pack: propagage new tty types
- net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
(CVE-2026-53082)
- net/sched: act_ct: Only release RCU read lock after ct_ft
(CVE-2026-46319)
- net/rds: Optimize rds_ib_laddr_check
- net/rds: Restrict use of RDS/IB to the initial network namespace
(CVE-2026-53077)
- ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
(CVE-2026-53075)
- bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
(CVE-2026-53074)
- Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU
- Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error (CVE-2026-53073)
- Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
(CVE-2026-53072)
- Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
(CVE-2026-53071)
- sctp: fix missing encap_port propagation for GSO fragments
- net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
(CVE-2026-53069)
- [arm*] drm/komeda: fix integer overflow in AFBC framebuffer size check
(CVE-2026-53068)
- [arm*] drm/sun4i: backend: fix error pointer dereference (CVE-2026-53066)
* [armhf] ASoC: sti: use managed regmap_field allocations (CVE-2026-53065)
- dm cache: fix null-deref with concurrent writes in passthrough mode
(CVE-2026-53064)
- dm cache: fix write path cache coherency in passthrough mode
- dm cache: fix write hang in passthrough mode (CVE-2026-53063)
- dm cache policy smq: fix missing locks in invalidating cache blocks
(CVE-2026-53062)
- dm cache: fix concurrent write failure in passthrough mode
- dm cache: support shrinking the origin device
- dm cache: fix dirty mapping checking in passthrough mode switching
(CVE-2026-53061)
- dm cache metadata: fix memory leak on metadata abort retry
(CVE-2026-53060)
- dm log: fix out-of-bounds write due to region_count overflow
(CVE-2026-53059)
- [arm64] spi: fsl-qspi: Use reinit_completion() for repeated operations
- [arm*] drm/sun4i: Fix resource leaks
- drm/amdgpu: Add default case in DVI mode validation
- dm init: ensure device probing has finished in dm-mod.waitfor=
- padata: Remove cpu online check from cpu add and removal
- padata: Put CPU offline callback in ONLINE section to allow failure
(CVE-2026-53314)
- drm/amdgpu/gfx10: look at the right prop for gfx queue priority
- [arm64] drm/msm/dpu: fix mismatch between power and frequency
(CVE-2026-53056)
- [arm64] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
- [arm64,armhf] drm/panel: simple: Correct G190EAN01 prepare timing
- ALSA: core: Validate compress device numbers without dynamic minors
- drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
- drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
- drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
- drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
- drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
- drm/amd/pm/ci: Fill DW8 fields from SMC
- drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
- [arm64] drm/msm/a6xx: Fix HLSQ register dumping
- [arm64] drm/msm/shrinker: Fix can_block() logic
- [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers
- [armhf] pmdomain: ti: omap_prm: Fix a reference leak on device node
- [arm64] ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
- [arm*] ASoC: qcom: qdsp6: topology: check widget type before accessing
data (CVE-2026-53052)
- PCI: Enable AtomicOps only if Root Port supports them
- ALSA: scarlett2: Add missing sentinel initializer field
- [x86] ASoC: SOF: amd: Fix for reading position updates from stream box.
- [x86] ASoC: SOF: Prepare ipc_msg_data to be used with compress API
- [x86] ASoC: SOF: Prepare set_stream_data_offset for compress API
- [x86] ASoC: SOF: Add support for compress API for stream data/offset
- [x86] ASoC: SOF: compress: return the configured codec from get_params
- [i386] ALSA: sc6000: Use standard print API
- [i386] ALSA: sc6000: Keep the programmed board state in card-private data
- dm cache: fix missing return in invalidate_committed's error path
- gfs2: Call unlock_new_inode before d_instantiate
- quota: Fix race of dquot_scan_active() with quota deactivation
(CVE-2026-53050)
- gfs2: add some missing log locking (CVE-2026-53049)
- gfs2: prevent NULL pointer dereference during unmount (CVE-2026-53048)
- efi/capsule-loader: fix incorrect sizeof in phys array reallocation
(CVE-2026-53047)
- ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
(CVE-2026-53046)
- [armhf] dts: mediatek: mt7623: fix efuse fallback compatible
- [armhf] memory: tegra124-emc: Fix dll_change check (CVE-2026-53045)
- [arm64] dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO
(M.2 W_DISABLE1)
- [arm64] dts: mediatek: mt6795: Fix gpio-ranges pin count
- [arm64] dts: mediatek: mt7986a: Fix gpio-ranges pin count
- [arm64] dts: qcom: sm8450: Fix GIC_ITS range length
- [arm64] dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
- [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered
during boot
- unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
- ocfs2/dlm: validate qr_numregions in dlm_match_regions() (CVE-2026-53043)
- ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
(CVE-2026-53309)
- [arm64] soc: qcom: aoss: compare against normalized cooling state
- [arm64] dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
- [arm64] xor: fix conflicting attributes for xor_block_template
- ocfs2: fix listxattr handling when the buffer is full (CVE-2026-53041)
- ocfs2: validate bg_bits during freefrag scan (CVE-2026-53040)
- ocfs2: validate group add input before caching (CVE-2026-53039)
- soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
- [armhf] dmaengine: mxs-dma: Fix missing return value from
of_dma_controller_register()
- tracing: Rebuild full_name on each hist_field_name() call
- ima: check return value of crypto_shash_final() in boot aggregate
- HID: asus: make asus_resume adhere to linux kernel coding standards
- HID: asus: do not abort probe when not necessary
- mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations
- mtd: spi-nor: spansion: Rename s28hs512t prefix
- mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/
addr_mode_nbytes
- mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy
bytes
- mtd: spi-nor: spansion: Add support for Infineon S25FS256T
- mtd: spi-nor: Allow post_sfdp hook to return errors
- mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
- mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
- mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
- mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
- mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
- mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
- [armhf] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
- HID: usbhid: fix deadlock in hid_post_reset() (CVE-2026-53037)
- [arm64] bpf, arm64: Fix off-by-one in check_imm signed range check
(CVE-2026-53036)
- bpf, sockmap: Fix af_unix iter deadlock (CVE-2026-53035)
- bpf, sockmap: Fix af_unix null-ptr-deref in proto update (CVE-2026-53034)
- bpf, sockmap: Take state lock for af_unix iter (CVE-2026-53033)
- bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
- bpf: allow UTF-8 literals in bpf_bprintf_prepare()
- [armel,armhf] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the
JIT
- perf branch: Avoid incrementing NULL
- perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace
- perf expr: Return -EINVAL for syntax error in expr__find_ids()
- perf util: Kill die() prototype, dead for a long time
- i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
- dev_printk: add new dev_err_probe() helpers
- [x86] platform/surface: surfacepro3_button: Drop wakeup source on remove
- [s390x] tty: hvc_iucv: fix off-by-one in number of supported devices
(CVE-2026-53306)
- [x86] platform/x86: panasonic-laptop: Fix OPTD notifier registration and
cleanup
- [armhf] mfd: mc13xxx-core: Fix memory leak in
mc13xxx_add_subdevice_pdata()
- nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
- fs/ntfs3: terminate the cached volume label after UTF-8 conversion
(CVE-2026-53023)
- [x86] platform/x86: dell_rbu: avoid uninit value usage in
packet_size_write()
- [x86] platform/x86: dell-wmi-sysman: bound enumeration string aggregation
(CVE-2026-53022)
- RDMA/core: Prefer NLA_NUL_STRING
- scsi: sg: Resolve soft lockup issue when opening /dev/sgX
(CVE-2026-53304)
- scsi: target: core: Fix integer overflow in UNMAP bounds check
(CVE-2026-53021)
- [armhf] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
- [armhf] clk: imx: imx6q: Fix device node reference leak in
of_assigned_ldb_sels()
- [arm64] clk: imx8mq: Correct the CSI PHY sels
- [arm64] clk: qoriq: avoid format string warning
- [arm64] clk: xgene: Fix mapping leak in xgene_pllclk_init()
- f2fs: Use sysfs_emit_at() to simplify code
- f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
(CVE-2026-53303)
- [x86] drm/i915: Constify watermark state checker
- [x86] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
- [x86] drm/i915: Loop over all active pipes in intel_mbus_dbox_update
- [x86] drm/i915/wm: Verify the correct plane DDB entry
- crypto: ccp - copy IV using skcipher ivsize (CVE-2026-53016)
- [arm64] dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
- [arm64] dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
- [x86] PCMCIA: Fix garbled log messages for KERN_CONT
- [arm64] dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
- [arm64] dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
- net/sched: sch_cake: fix NAT destination port not being updated in
cake_update_flowkeys
- nexthop: fix IPv6 route referencing IPv4 nexthop (CVE-2026-53012)
- net/sched: taprio: continue with other TXQs if one dequeue() failed
- net/sched: taprio: refactor one skb dequeue from TXQ to separate function
- net/sched: taprio: rename close_time to end_time
- net/sched: taprio: fix use-after-free in advance_sched() on schedule
switch (CVE-2026-53011)
- container_of: remove container_of_safe()
- container_of: add container_of_const() that preserves const-ness of the
pointer
- tcp: preserve const qualifier in tcp_sk()
- tcp: add data-race annotations around tp->data_segs_out and
tp->total_retrans
- tcp: annotate data-races around tp->bytes_sent
- tcp: annotate data-races around tp->bytes_retrans
- tcp: annotate data-races around tp->dsack_dups
- tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
- i40e: don't advertise IFF_SUPP_NOFCS
- e1000e: Unroll PTP in probe error handling
- ipv6: fix possible UAF in icmpv6_rcv() (CVE-2026-53006)
- sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
(CVE-2026-53004)
- pppoe: drop PFC frames (CVE-2026-53003)
- openvswitch: cap upcall PID array size and pre-size vport replies
(CVE-2026-45840)
- netfilter: nft_osf: restrict it to ipv4
- netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
(CVE-2026-45841)
- netfilter: conntrack: remove sprintf usage (CVE-2026-53002)
- netfilter: xtables: restrict several matches to inet family
(CVE-2026-53001)
- ipvs: fix MTU check for GSO packets in tunnel mode
- netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
(CVE-2026-52999)
- netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
(CVE-2026-52998)
- slip: reject VJ receive packets on instances with no rstate array
(CVE-2026-45842)
- slip: bound decode() reads against the compressed packet length
(CVE-2026-45843)
- [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number
- ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
- ksmbd: scope conn->binding slowpath to bound sessions only
(CVE-2026-52911)
- net/rds: zero per-item info buffer before handing it to visitors
(CVE-2026-52995)
- net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
- net/sched: sch_pie: annotate data-races in pie_dump_stats()
- net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
- net/sched: sch_red: annotate data-races in red_dump_stats()
- net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
- nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
- tipc: fix double-free in tipc_buf_append() (CVE-2026-52993)
- vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
- fs/adfs: validate nzones in adfs_validate_bblk() (CVE-2026-52992)
- fbdev: offb: fix PCI device reference leak on probe failure
- mailbox: mailbox-test: free channels on probe error (CVE-2026-53296)
- cgroup/rdma: fix integer overflow in rdmacg_try_charge()
- mailbox: add sanity check for channel array (CVE-2026-53295)
- mailbox: mailbox-test: don't free the reused channel (CVE-2026-53294)
- btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
- tracing: branch: Fix inverted check on stat tracer registration
- nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
(CVE-2026-52989)
- netfilter: arp_tables: fix IEEE1394 ARP payload parsing (CVE-2026-45844)
- nvme-pci: fix missed admin queue sq doorbell write
- drm/amdgpu: fix spelling typos
- drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
- drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
- netfilter: xt_policy: fix strict mode inbound policy matching
(CVE-2026-52920)
- netfilter: nf_conntrack_sip: don't use simple_strtoul (CVE-2026-52986)
- [arm64,armhf] drivers/spi-rockchip.c : Remove redundant variable slave
- [arm64,armhf] spi: rockchip: switch to use modern name
- [arm64.armhf] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
- cdrom, scsi: sr: propagate read-only status to block layer via
set_disk_ro()
- netdevsim: zero initialize struct iphdr in dummy sk_buff (CVE-2026-52985)
- net/sched: netem: fix probability gaps in 4-state loss model
- net/sched: netem: fix queue limit check to include reordered packets
(CVE-2026-52984)
- net/sched: netem: validate slot configuration
- net/sched: netem: fix slot delay calculation overflow
- net/sched: sch_choke: annotate data-races in choke_dump_stats()
- net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
- vrf: Fix a potential NPD when removing a port from a VRF (CVE-2026-52925)
- net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
(CVE-2026-52982)
- net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
- neighbour: add RCU protection to neigh_tables[]
- neigh: let neigh_xmit take skb ownership (CVE-2026-52981)
- ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
- net: mctp i2c: check length before marking flow active
- netfilter: skip recording stale or retransmitted INIT
- sctp: discard stale INIT after handshake completion
- ipv4: rename and move ip_route_output_tunnel()
- ipv4: remove "proto" argument from udp_tunnel_dst_lookup()
- ipv4: add new arguments to udp_tunnel_dst_lookup()
- ipv6: rename and move ip6_dst_lookup_tunnel()
- bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
(CVE-2026-45846)
- net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
- net: netconsole: move newline trimming to function
- netconsole: propagate device name truncation in dev_name_store()
- ALSA: hda/conexant: fix some typos
- ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
- ALSA: hda/conexant: Fix missing error check for jack detection
(CVE-2026-53291)
- futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
(CVE-2026-52977)
- drm/amd/display: Allow DCE link encoder without AUX registers
- drm/amd/display: Read EDID from VBIOS embedded panel info
- bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
- net: bonding: add broadcast_neighbor option for 802.3ad
- bonding: add support for per-port LACP actor priority
- bonding: print churn state via netlink
- bonding: 3ad: implement proper RCU rules for port->aggregator
(CVE-2026-52975)
- iavf: stop removing VLAN filters from PF on interface down
- iavf: wait for PF confirmation before removing VLAN filters
- iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
- ice: Pull common tasks into ice_vf_post_vsi_rebuild
- ice: fix NULL pointer dereference in ice_reset_all_vfs()
(CVE-2026-53289)
- net: tls: fix strparser anchor skb leak on offload RX setup failure
(CVE-2026-52974)
- net/sched: cls_flower: revert unintended changes
- smb: client: correctly handle ErrorContextData as a flexible array
- smb: client: fix OOB reads parsing symlink error response
(CVE-2026-31613)
- net/sched: sch_pie: annotate more data-races in pie_dump_stats()
- [arm64] net: bcmgenet: Initialize u64 stats seq counter
- [arm64] net: bcmgenet: fix leaking free_bds
- btrfs: tracepoints: fix sleep while in atomic context in
btrfs_sync_file()
- ALSA: misc: Use guard() for spin locks
- ALSA: core: Serialize deferred fasync state checks
- [x86] ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close
- [x86] ASoC: SOF: stream-ipc: Check for cstream nullity in
sof_ipc_msg_data()
- mtd: spi-nor: spansion: Enable JFFS2 write buffer for S25FS256T
- netconsole: avoid out-of-bounds access on empty string in trim_newline()
- bonding: fix NULL pointer dereference in actor_port_prio setting
- net: bonding: update the slave array for broadcast mode
- crypto: af_alg - Cap AEAD AD length to 0x80000000 (CVE-2026-52972)
- i40e: Cleanup PTP pins on probe failure
- netfilter: nf_conntrack_sip: get helper before allocating expectation
- audit: fix incorrect inheritable capability in CAPSET records
(CVE-2026-53287)
- netfilter: nft_ct: fix missing expect put in obj eval (CVE-2026-52970)
- net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
- audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
- KVM: Reject wrapped offset in kvm_reset_dirty_gfn() (CVE-2026-52969)
- [s390x] KVM: s390: pci: fix GAIT table indexing due to double-scaling
pointer arithmetic (CVE-2026-52968)
- [x86] KVM: x86: Fix Xen hypercall tracepoint argument assignment
- smb/client: fix possible infinite loop and oob read in symlink_data()
(CVE-2026-52967)
- [x86] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
- ALSA: usb-audio: Bound MIDI endpoint descriptor scans (CVE-2026-52963)
- ceph: fix a buffer leak in __ceph_setxattr() (CVE-2026-52962)
- libceph: Fix potential out-of-bounds access in osdmap_decode()
(CVE-2026-52958)
- libceph: Fix potential null-ptr-deref in decode_choose_args()
(CVE-2026-52957)
- libceph: Fix potential out-of-bounds access in crush_decode()
(CVE-2026-52955)
- libceph: handle rbtree insertion error in decode_choose_args()
(CVE-2026-52954)
- [x86] iommu/vt-d: Disable DMAR for Intel Q35 IGFX
- [x86] drm/i915: skip __i915_request_skip() for already signaled requests
- [arm64,armhf] drm/panfrost: Fix wait_bo ioctl leaking positive return
from dma_resv_wait_timeout()
- [x86] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
- [x86] drm/gma500/oaktrail_lvds: fix hang on init failure (CVE-2026-53279)
- [x86] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
- io-wq: check that the predecessor is hashed in io_wq_remove_pending()
- net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494)
- io_uring: prevent opcode speculation (CVE-2025-21863)
- [s390x] debug: Reject zero-length input before trimming a newline
- wifi: mac80211: check tdls flag in ieee80211_tdls_oper (CVE-2026-43052)
- [x86] Revert "x86/vdso: Fix output operand size of RDPID"
- [s390x] Revert "s390/cio: Fix device lifecycle handling in
css_alloc_subchannel()" (regression in 6.1.165)
- sysfs: don't remove existing directory on update failure
- ALSA: ua101: Reject too-short USB descriptors
- ALSA: asihpi: Fix potential OOB array access at reading cache
- net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
- Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
- Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
- Bluetooth: bnep: Fix UAF read of dev->name
- Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
(CVE-2026-46275)
- Bluetooth: MGMT: validate Add Extended Advertising Data length
- phonet/pep: disable BH around forwarded sk_receive_skb()
- [arm64] net: bcmgenet: keep RBUF EEE/PM disabled
- net: ifb: report ethtool stats over num_tx_queues
- netfilter: ip6t_hbh: reject oversized option lists (CVE-2026-52915)
- netfilter: nf_queue: hold bridge skb->dev while queued (CVE-2026-52912)
- netfilter: ipset: stop hash:* range iteration at end (CVE-2026-52921)
- qed: fix double free in qed_cxt_tables_alloc()
- ring-buffer: Fix reporting of missed events in iterator
- vsock/vmci: fix UAF when peer resets connection during handshake
- vsock/virtio: reset connection on receiving queue overflow
- wifi: ath11k: clear shared SRNG pointer state on restart
- ipv4: raw: reject IP_HDRINCL packets with ihl < 5
- ixgbevf: fix use-after-free in VEPA multicast source pruning
- ice: fix setting promisc mode while adding VID filter
- wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
- cifs: Fix busy dentry used after unmounting
- tracing: Do not call map->ops->elt_free() if elt_alloc() fails
- [arm64] KVM: arm64: vgic-its: Reject restored DTE with out-of-range
num_eventid_bits
- [x86] scsi: isci: Fix use-after-free in device removal path
- [armhf] spi: ti-qspi: fix use-after-free after DMA setup failure
- RDMA/siw: Reject MPA FPDU length underflow before signed receive math
- device property: set fwnode->secondary to NULL in fwnode_init()
- drm/virtio: use uninterruptible resv lock for plane updates
- drm/amd/display: Fix integer overflow in bios_get_image()
- drm/amd/display: Validate GPIO pin LUT table size before iterating
- drm/amd/display: Validate payload length and link_index in
dc_process_dmub_aux_transfer_async
- batman-adv: mcast: fix use-after-free in orig_node RCU release
- batman-adv: clear current gateway during teardown (CVE-2026-52926)
- batman-adv: dat: handle forward allocation error (CVE-2026-52922)
- batman-adv: fix fragment reassembly length accounting (CVE-2026-52914)
- batman-adv: fix tp_meter counter underflow during shutdown
(CVE-2026-52919)
- batman-adv: frag: disallow unicast fragment in fragment (CVE-2026-52916)
- batman-adv: bla: fix report_work leak on backbone_gw purge
- batman-adv: tp_meter: avoid use of uninit sender vars (CVE-2026-52931)
- batman-adv: tt: fix negative last_changeset_len
- batman-adv: tt: fix negative tt_buff_len
- HID: uclogic: Fix regression of input name assignment
- netfilter: x_tables: unregister the templates first
- tcp: Fix imbalanced icsk_accept_queue count.
- ice: fix locking in ice_dcb_rebuild()
- [arm64,armhf] phy: marvell: mvebu-a3700-utmi: fix incorrect
USB2_PHY_CTRL register access
- irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
- wifi: ath11k: fix error path leaks in some WMI WOW calls
- HID: quirks: really enable the intended work around for appledisplay
- net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
(CVE-2026-52941)
- ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
- [arm64] drm/msm/dsi: don't dump registers past the mapped region
- [arm64] drm/msm: Fix iommu_map_sgtable() return value check and avoid
WARN
- [ppc64el] powerpc/time: Remove redundant preempt_disable|enable() calls
from arch_irq_work_raise()
- net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
- net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
- net: tls: prevent chain-after-chain in plain text SG
- [arm64] drm/msm/snapshot: fix dumping of the unaligned regions
- wifi: ath11k: Trigger sta disconnect on hardware restart
- wifi: ath11k: update hw params for IPQ5018
- wifi: ath11k: update ce configurations for IPQ5018
- wifi: ath11k: remap ce register space for IPQ5018
- wifi: ath11k: update hal srng regs for IPQ5018
- wifi: ath11k: initialize hw_ops for IPQ5018
- wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap
- wifi: ath11k: fix rssi station dump not updated in QCN9074
- wifi: ath11k: fix peer resolution on rx path when peer_id=0
- net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
- [x86] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
- [x86] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
- [x86] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
- RDMA/rtrs: Fix use-after-free in path file creation cleanup
- net: bridge: Flush multicast groups when snooping is disabled
- bridge: mcast: Fix a possible use-after-free when removing a bridge port
- tracing: Avoid NULL return from hist_field_name() on truncation
- string: add mem_is_zero() helper to check if memory area is all zeros
- gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)
- gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
- net: mana: validate rx_req_idx to prevent out-of-bounds array access
- security/keys: fix missed RCU read section on lookup
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.176
- Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
- net/sched: cls_fw: fix NULL dereference of "old" filters before change()
(CVE-2026-53080)
- net: mctp: ensure our nlmsg responses are initialised (CVE-2026-45930)
- net/sched: sch_sfb: Replace direct dequeue call with peek and
qdisc_dequeue_peeked
- drm: Remove plane hsub/vsub alignment requirement for core helpers
- [armhf] net: cpsw_new: Fix potential unregister of netdev that has not
been registered yet (CVE-2026-43219)
- nfc: llcp: Fix use-after-free in llcp_sock_release()
- nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
- xfrm: Check for underflow in xfrm_state_mtu
- nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
- netfilter: synproxy: refresh tcphdr after skb_ensure_writable
- netfilter: xt_cpu: prefer raw_smp_processor_id
- netfilter: ebtables: fix OOB read in compat_mtw_from_user
(CVE-2026-52927)
- tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321)
- tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322)
- net: netlink: fix sending unassigned nsid after assigned one
- net: netlink: don't set nsid on local notifications
- net/smc: Do not re-initialize smc hashtables
- [s390x] net/iucv: fix locking in .getsockopt
- ipv4: free net->ipv4.sysctl_local_reserved_ports after
unregister_net_sysctl_table()
- [x86] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
- net: hsr: fix potential OOB access in supervision frame handling
- tunnels: load network headers after skb_cow() in
iptunnel_pmtud_build_icmp[v6]()
- vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
- tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
- ASoC: codecs: simple-mux: Fix enum control bounds check
- Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
- bonding: refuse to enslave CAN devices
- ethtool: eeprom: add more safeties to EEPROM Netlink fallback
- ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
- Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
- Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
- [arm*] gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
- net: mana: Add NULL guards in teardown path to prevent panic on attach
failure
- sctp: fix race between sctp_wait_for_connect and peeloff
- ipv6: fix possible infinite loop in rt6_fill_node()
- ipv6: fix possible infinite loop in fib6_select_path()
- net: skbuff: fix pskb_carve leaking zcopy pages
- batman-adv: v: stop OGMv2 on disabled interface (CVE-2026-52913)
- batman-adv: tvlv: abort OGM send on tvlv append failure
- batman-adv: tt: reject oversized local TVLV buffers
- batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
- batman-adv: tvlv: reject oversized TVLV packets (CVE-2026-52934)
- batman-adv: iv: recover OGM scheduling after forward packet error
- batman-adv: tp_meter: directly shut down timer on cleanup
- batman-adv: tt: fix TOCTOU race for reported vlans
- batman-adv: tt: avoid empty VLAN responses
- batman-adv: bla: avoid double decrement of bla.num_requests
- mm/page_alloc: clear page->private in free_pages_prepare()
(CVE-2026-43303)
- bpf: Fix a few selftest failures due to llvm18 change
- net/packet: convert po->tp_tx_has_off to an atomic flag
- net/packet: convert po->tp_loss to an atomic flag
- net/packet: convert po->has_vnet_hdr to an atomic flag
- net/packet: convert po->running to an atomic flag
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
(CVE-2026-31700)
- [x86] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD
register
- drm/dp: Add eDP 1.5 bit definition
- [x86] drm/i915/psr: Read Intel DPCD workaround register
- [x86] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line
used
- net: gro: don't merge zcopy skbs (CVE-2026-46323)
- phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table
- phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
- hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
- hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with
pmbus_lock
- hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock
- iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
- usb: typec: ucsi: ccg: reject firmware images without a ':' record header
- usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
- usb: typec: altmodes/displayport: validate count before reading Status
Update VDO
- [x86] usb: typec: wcove: don't write past struct pd_message in
wcove_read_rx_buffer()
- usb: typec: ucsi: validate connector number in ucsi_connector_change()
- USB: serial: safe_serial: fix memory corruption with small endpoint
- HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
- Bluetooth: btusb: Allow firmware re-download when version matches
- hpfs: fix a crash if hpfs_map_dnode_bitmap fails
- ipc: limit next_id allocation to the valid ID range (CVE-2026-52923)
- auxdisplay: line-display: fix OOB read on zero-length message_store()
- Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
- Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
- Bluetooth: HIDP: fix missing length checks in hidp_input_report()
- Bluetooth: ISO: fix UAF in iso_recv_frame
- Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
- parport: Fix race between port and client registration (Closes: #1130365)
- USB: cdc-acm: Fix bit overlap and move quirk definitions to header
- wireguard: send: append trailer after expanding head
- iio: dac: ad5686: fix input raw value check
- iio: dac: ad5686: acquire lock when doing powerdown control
- iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
- iio: gyro: itg3200: fix i2c read into the wrong stack location
- iio: ssp_sensors: cancel delayed work_refresh on remove
- iio: temperature: tsys01: fix broken PROM checksum validation
- iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
- iio: light: cm3323: fix reg_conf not being initialized correctly
- iio: buffer: hw-consumer: fix use-after-free in error path
- USB: serial: omninet: fix memory corruption with small endpoint
- usb: dwc2: Fix use after free in debug code
- Input: elan_i2c - validate firmware size before use
- bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
- macsec: fix replay protection at XPN lower-PN wrap
- ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
- [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and
set_params
- ipv6: exthdrs: refresh nh after handling HAO option
- ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
- ipv6: validate extension header length before copying to cmsg
- xfrm: input: hold netns during deferred transport reinjection
- ip6: vti: Use ip6_tnl.net in vti6_changelink().
- HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
- iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
- nfc: hci: fix out-of-bounds read in HCP header parsing
- xfrm: route MIGRATE notifications to caller's netns
- xfrm: ah: use skb_to_full_sk in async output callbacks
- netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without
direction check
- [arm64] ASoC: qcom: q6asm-dai: close stream only when running
- [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and
trigger callbacks
- xfrm: esp: restore combined single-frag length gate
- Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
- [x86] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
- [x86] comedi: comedi_test: fix check for valid scan_begin_src in
waveform_ai_cmdtest()
- [x86] comedi: comedi_test: Fix limiting of convert_arg in
waveform_ai_cmdtest()
- counter: Fix refcount leak in counter_alloc() error path
- [i386] tty: serial: pch_uart: add check for dma_alloc_coherent()
- [arm*] usb: chipidea: core: convert ci_role_switch to local variable
- usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
- USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub
controllers
- usb: storage: Add quirks for PNY Elite Portable SSD
- usbip: vudc: Fix use after free bug in vudc_remove due to race condition
- usb: usbtmc: check URB actual_length for interrupt-IN notifications
- usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
- USB: serial: option: add MeiG SRM813Q
- USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
- USB: serial: belkin_sa: validate interrupt status length
- USB: serial: cypress_m8: validate interrupt packet headers
- USB: serial: keyspan: fix missing indat transfer sanity check
- USB: serial: mxuport: fix memory corruption with small endpoint
- USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
- usb: gadget: net2280: Fix double free in probe error path
- usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
- usb: gadget: f_fs: copy only received bytes on short ep0 read
- thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
- thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
- scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
- scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
- scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
- scsi: target: iscsi: Validate CHAP_R length before base64 decode
- drm/hyperv: validate resolution_count and fix WIN8 fallback
- drm/hyperv: validate VMBus packet size in receive callback
- [x86] drm/i915: Fix potential UAF in TTM object purge
- drm/amd/pm/si: Disregard vblank time when no displays are connected
- [arm64] serial: sh-sci: fix memory region release in error path
- [arm64] serial: fsl_lpuart: fix rx buffer and DMA map leaks in
start_rx_dma
- drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
- drm/amdkfd: Check for pdd drm file first in CRIU restore path
- HID: core: Add printk_ratelimited variants to hid_warn() etc
- HID: pass the buffer size to hid_report_raw_event
- HID: core: Fix size_t specifier in hid_report_raw_event()
- RDMA/rxe: Complete the rxe_cleanup_task backport
- USB: serial: digi_acceleport: fix memory corruption with small endpoints
- [arm*] xhci: tegra: Fix ghost USB device on dual-role port unplug
- netfilter: nf_tables: restore set elements when delete set fails
(CVE-2024-27012)
- USB: serial: cypress_m8: fix memory corruption with small endpoint
- bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is
loaded (CVE-2026-23310)
- usb: core: Fix SuperSpeed root hub wMaxPacketSize
- bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910)
- USB: serial: mct_u232: fix memory corruption with small endpoint
- [amd64] dmaengine: idxd: Fix not releasing workqueue on .release()
(CVE-2026-43064)
- i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl (CVE-2026-52948)
- ipv6: mcast: Fix use-after-free when processing MLD queries
(CVE-2026-53275)
- net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
(CVE-2026-53274)
- tee: optee: prevent use-after-free when the client exits before the
supplicant (CVE-2026-53273)
- netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
- ipvs: clear the svc scheduler ptr early on edit (CVE-2026-53270)
- netfilter: synproxy: add mutex to guard hook reference counting
(CVE-2026-53269)
- netfilter: conntrack_irc: fix possible out-of-bounds read
(CVE-2026-53268)
- netfilter: bridge: make ebt_snat ARP rewrite writable (CVE-2026-53266)
- dm cache policy smq: check allocation under invalidate lock
(CVE-2026-53265)
- net/sched: act_api: use RCU with deferred freeing for action lifecycle
(CVE-2026-53264)
- 6lowpan: fix off-by-one in multicast context address compression
(CVE-2026-53263)
- pcnet32: stop holding device spin lock during napi_complete_done
- net: Annotate sk->sk_write_space() for UDP SOCKMAP.
- net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
- net: lan743x: permit VLAN-tagged packets up to configured MTU
- [arm*] net: fec: fix pinctrl default state restore order on resume
- Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
(CVE-2026-53256)
- Bluetooth: MGMT: validate advertising TLV before type checks
(CVE-2026-53255)
- Bluetooth: RFCOMM: validate skb length in MCC handlers (CVE-2026-53254)
- Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame()
extension handling
- Bluetooth: bnep: reject short frames before parsing (CVE-2026-53253)
- Bluetooth: fix memory leak in error path of hci_alloc_dev()
(CVE-2026-53252)
- Bluetooth: MGMT: Fix backward compatibility with userspace
- ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options (CVE-2026-53249)
- ptp: vclock: Switch from RCU to SRCU
- vxlan: vnifilter: send notification on VNI add
- vxlan: vnifilter: fix spurious notification on VNI update
- ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
- net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
(CVE-2026-53245)
- sctp: purge outqueue on stale COOKIE-ECHO handling (CVE-2026-52924)
- ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp
- signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
(CVE-2026-53352)
- time: Fix off-by-one in settimeofday() usec validation
- ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked
streams (CVE-2026-53242)
- fs/ntfs3: Return error for inconsistent extended attributes
(CVE-2023-54125)
- usb: gadget: f_ncm: Fix net_device lifecycle with device_move
(CVE-2026-43421)
- usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
- net: skbuff: fix missing zerocopy reference in pskb_carve helpers
(CVE-2026-52943)
- tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320)
- [arm64] KVM: arm64: Remove VPIPT I-cache handling
- [arm64] tlb: Allow XZR argument to TLBI ops
- [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
- iomap: don't revert iov_iter on partially completed buffered writes
- xfrm: policy: fix use-after-free on inexact bin in
xfrm_policy_bysel_ctx() (CVE-2026-53239)
- netlabel: validate unlabeled address and mask attribute lengths
(CVE-2026-53238)
- ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
(CVE-2026-53350)
- tcp: restrict SO_ATTACH_FILTER to priv users (CVE-2026-53236)
- net/mlx4: avoid GCC 10 __bad_copy_from() false positive
- net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
(CVE-2026-52947)
- ipv6: sit: reload inner IPv6 header after GSO offloads (CVE-2026-53228)
- net: openvswitch: fix possible kfree_skb of ERR_PTR (CVE-2026-53227)
- r8152: reduce the control transfer of rtl8152_get_version()
- r8152: Block future register access if register access fails
- r8152: handle the return value of usb_reset_device()
- sctp: fix uninit-value in __sctp_rcv_asconf_lookup() (CVE-2026-53225)
- net: guard timestamp cmsgs to real error queue skbs (CVE-2026-53223)
- net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic
completion (CVE-2026-52939)
- ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
(CVE-2026-53221)
- rds: mark snapshot pages dirty in rds_info_getsockopt()
- netfilter: nf_conntrack: destroy stale expectfn expectations on
unregister (CVE-2026-53349)
- netfilter: x_tables: avoid leaking percpu counter pointers
(CVE-2026-53219)
- netfilter: nf_log: validate MAC header was set before dumping it
(CVE-2026-52942)
- netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
(CVE-2026-53218)
- [arm*] net: mvpp2: sync RX data at the hardware packet offset
(CVE-2026-53217)
- [arm*] net: mvpp2: limit XDP frame size to the RX buffer (CVE-2026-53216)
- [arm*] net: mvpp2: Add metadata support for xdp mode
- [arm*] net: mvpp2: refill RX buffers before XDP or skb use
(CVE-2026-53215)
- [arm*] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
- netfilter: ctnetlink: ensure safe access to master conntrack
(CVE-2026-43116)
- [arm*] drm/vc4: fix krealloc() memory leak (CVE-2026-53213)
- netfilter: nft_tunnel: fix use-after-free on object destroy
(CVE-2026-53212)
- Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
(CVE-2026-53209)
- Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
(CVE-2026-53208)
- [x86] drm/i915/gem: Fix phys BO pread/pwrite with offset (CVE-2026-53356)
- ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
(CVE-2026-53198)
- xfrm: espintcp: do not reuse an in-progress partial send (CVE-2026-52935)
- USB: serial: io_ti: fix heap overflow in get_manuf_info()
(CVE-2026-53196)
- USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
(CVE-2026-53195)
- USB: serial: option: add usb-id for Dell Wireless DW5826e-m
- USB: serial: kl5kusb105: fix bulk-out buffer overflow (CVE-2026-53194)
- ALSA: timer: Fix UAF at snd_timer_user_params()
- drm/amd/display: Reject gpio_bitshift >= 32 in
bios_parser_get_gpio_pin_info()
- RDMA/srp: bound SRP_RSP sense copy by the received length
(CVE-2026-53186)
- udp: clear skb->dev before running a sockmap verdict (CVE-2026-53184)
- [armhf] socfpga: Fix OF node refcount leak in SMP setup
- [armel,armhf] 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
- [armel,armhf] 9475/1: entry: use byte load for KASAN VMAP stack shadow
(CVE-2026-53343)
- mptcp: fix retransmission loop when csum is enabled
- mptcp: close TOCTOU race while computing rcv_wnd
- mptcp: allow subflow rcv wnd to shrink (CVE-2026-53183)
- mptcp: sockopt: check timestamping ret value
- wifi: nl80211: reject oversized EMA RNR lists (CVE-2026-53182)
- vsock/vmci: fix sk_ack_backlog leak on failed handshake (CVE-2026-53181)
- bnxt_en: Fix NULL pointer dereference (CVE-2026-53177)
- IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
(CVE-2026-53176)
- pidfd: refuse access to tasks that have started exiting harder
- fuse: reject fuse_notify() pagecache ops on directories (CVE-2026-53168)
- [arm*] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
(CVE-2026-53339)
- [armhf] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
- [arm*] i2c: tegra: Fix NOIRQ suspend/resume
- [x86] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
- [x86] Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
- ipc/shm: serialize orphan cleanup with shm_nattch updates
(CVE-2026-52930)
- [arm*] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue
context (CVE-2026-53161)
- [arm*] misc: fastrpc: fix use-after-free race in fastrpc_map_create
(CVE-2026-53160)
- [arm*] misc: fastrpc: fix DMA address corruption due to find_vma misuse
(CVE-2026-53159)
- net/mlx5: Reorder completion before putting command entry in
cmd_work_handler
- net: bonding: fix NULL pointer dereference in bond_do_ioctl()
(CVE-2026-53337)
- [armel,armhf] net: mv643xx: fix OF node refcount
- net: rds: clear i_sends on setup unwind (CVE-2026-53355)
- mmc: core: Fix host controller programming for fixed driver type
- [arm64] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
- mmc: sdhci: add signal voltage switch in sdhci_resume_host
- sctp: diag: reject stale associations in dump_one path (CVE-2026-52917)
- sctp: stream: fully roll back denied add-stream state (CVE-2026-52929)
- thunderbolt: Reject zero-length property entries in validator
(CVE-2026-53150)
- thunderbolt: Bound root directory content to block size (CVE-2026-53149)
- thunderbolt: Clamp XDomain response data copy to allocation size
(CVE-2026-53148)
- thunderbolt: Validate XDomain request packet size before type cast
(CVE-2026-53147)
- thunderbolt: Limit XDomain response copy to actual frame size
(CVE-2026-53146)
- slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock (CVE-2026-53331)
- drm/amdgpu: restart the CS if some parts of the VM are still invalidated
- drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
(CVE-2026-53137)
- drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
(CVE-2026-53136)
- drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
(CVE-2026-53135)
- drm/amd/display: Use krealloc_array() in dal_vector_reserve()
(CVE-2026-53329)
- fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
(CVE-2026-52946)
- mm/hugetlb: avoid false positive lockdep assertion
- mm/damon/ops-common: call folio_test_lru() after folio_get()
- mm/huge_memory: update file PMD counter before folio_put()
(CVE-2026-53189)
- f2fs: use kfree() instead of kvfree() to free some memory
- f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
f2fs_write_end_io() (CVE-2026-31715)
- ksmbd: require minimum ACE size in smb_check_perm_dacl() (CVE-2026-31712)
- smb: client: validate the whole DACL before rewriting it in cifsacl
(CVE-2026-31709)
- [arm64] mm: Enable batched TLB flush in unmap_hotplug_range()
- lib: test_hmm: evict device pages on file close to avoid use-after-free
(CVE-2026-46280)
- wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
(CVE-2026-46069)
- [arm*] spi: imx: Convert to platform remove callback returning void
- [arm*] spi: imx: fix use-after-free on unbind (CVE-2026-45996)
- thermal: core: Fix thermal zone governor cleanup issues (CVE-2026-46021)
- media: rc: ttusbir: respect DMA coherency rules
- media: rc: igorplugusb: heed coherency rules
- sched: Use u64 for bandwidth ratio calculations
- net: qrtr: ns: Limit the maximum number of lookups (CVE-2026-46026)
- net: qrtr: ns: Change servers radix tree to xarray
- net: qrtr: ns: Free the node during ctrl_cmd_bye() (CVE-2026-46038)
- net: qrtr: ns: Limit the total number of nodes (CVE-2026-46003)
- net: bridge: use a stable FDB dst snapshot in RCU readers
(CVE-2026-46086)
- spi: fix resource leaks on device setup failure (CVE-2026-46083)
- fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
(CVE-2026-46065)
- xfs: fix a resource leak in xfs_alloc_buftarg() (CVE-2026-46005)
- udf: fix partition descriptor append bookkeeping (CVE-2026-45991)
- hfsplus: fix uninit-value by validating catalog record size
(CVE-2026-46169)
- hfsplus: fix held lock freed on hfsplus_fill_super() (CVE-2026-46299)
- erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
(CVE-2026-45999)
- ceph: only d_add() negative dentries when they are unhashed
(CVE-2026-46052)
- printk: add print_hex_dump_devel()
- [arm*] crypto: caam - guard HMAC key hex dumps in hash_digest_key
(CVE-2026-46291)
- net: stmmac: avoid shadowing global buf_sz
- net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
- net: stmmac: Prevent NULL deref when RX memory exhausted (CVE-2026-46110)
- tracepoint: balance regfunc() on func_add() failure in
tracepoint_add_func() (CVE-2026-46196)
- wifi: mac80211: remove station if connection prep fails (CVE-2026-46125)
- wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog
task (CVE-2026-46180)
- [arm*] usb: dwc3: Move GUID programming after PHY initialization
- net: ipv4: stop checking crypto_ahash_alignmask
- net: ipv6: stop checking crypto_ahash_alignmask
- xfrm: ah: account for ESN high bits in async callbacks (CVE-2026-46193)
- xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
(CVE-2026-46116)
- [armhf] spi: sun4i: Convert to platform remove callback returning void
- [armfh] spi: sun4i: switch to use modern name
- [armhf] spi: sun4i: fix controller deregistration
- spi: Convert to SPI_CONTROLLER_HALF_DUPLEX
- [armhf] spi: spi-ti-qspi: Convert to platform remove callback returning
void
- [armhf] spi: spi-ti-qspi: switch to use modern name
- [armhf] spi: ti-qspi: fix controller deregistration
- [arm*] spi: sun6i: fix controller deregistration
- [arm*] spi: s3c64xx: Use devm_clk_get_enabled()
- [arm*] spi: s3c64xx: fix NULL-deref on driver unbind (CVE-2026-46296)
- mtd: spi-nor: core: fix implicit declaration warning
- mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
(CVE-2026-46190)
- [arm*] spi: tegra114: fix controller deregistration
- [arm*] spi: tegra20-sflash: fix controller deregistration
- mm/hugetlb_cma: round up per_node before logging it
- net: wwan: t7xx: validate port_count against message length in
t7xx_port_enum_msg_handler (CVE-2026-43495)
- fbcon: Avoid OOB font access if console rotation fails (CVE-2026-46191)
- [i386] spi: topcliff-pch: Convert to platform remove callback returning
void
- btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
info-leak (CVE-2026-46159)
- tracing/probes: Limit size of event probe to 3K
- btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
- btrfs: fix double free in create_space_info_sub_group() error path
(CVE-2026-46164)
- pmdomain: core: Fix detach procedure for virtual devices in genpd
(CVE-2026-46292)
- smb: client: validate dacloffset before building DACL pointers
(CVE-2026-46195)
- smb: client: Use FullSessionKey for AES-256 encryption key derivation
- btrfs: fix missing last_unlink_trans update when removing a directory
(CVE-2026-46160)
- mptcp: fastclose msk when linger time is 0
- mptcp: pm: prio: skip closed subflows
- mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
- mptcp: pm: ADD_ADDR rtx: allow ID 0
- mptcp: pm: ADD_ADDR rtx: fix potential data-race (CVE-2026-46137)
- mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
- f2fs: fix incorrect file address mapping when inline inode is unwritten
- f2fs: fix false alarm of lockdep on cp_global_sem lock
- cgroup/cpuset: Reset DL migration state on can_attach() failure
- genetlink: Use internal flags for multicast groups
- smb: client: require net admin for CIFS SWN netlink
- Bluetooth: hci_qca: Convert timeout from jiffies to ms
- mm/memory: fix spurious warning when unmapping device-private/exclusive
pages
- Bluetooth: Init sk_peer_* on bt_sock_alloc
- Bluetooth: serialize accept_q access (CVE-2026-52918)
- net: hsr: defer node table free until after RCU readers
- ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
- ice: fix VF queue configuration with low MTU values
- mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
- [arm64] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
- mptcp: reset rcv wnd on disconnect
- mptcp: do not drop partial packets
- [x86] platform/x86/intel/vsec: Add private data for per-device data
- [x86] platform/x86/intel/vsec: Create wrapper to walk PCI config space
- [x86] platform/x86/intel/vsec: Make driver_data info const
- [x86] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error
recovery
- [arm64] spi: qup: switch to use modern name
- [arm64] spi: qup: fix error pointer deref after DMA setup failure
- [arm64] tlb: Flush walk cache when unsharing PMD tables
- phy: tegra: xusb: Disable trk clk when not in use
- phy: tegra: xusb: Fix per-pad high-speed termination calibration
- iio: gyro: adis16260: fix division by zero in write_raw
- iio: dac: ad5686: fix ref bit initialization for single-channel parts
- ALSA: firewire-motu: Protect register DSP event queue positions
- [armhf] serial: samsung_tty: Use port lock wrappers
- [armhf] tty: serial: samsung: use u32 for register interactions
- [armhf] tty: serial: samsung: Remove redundant port lock acquisition in
rx helpers
- [arm64] usb: dwc3: xilinx: fix error handling in zynqmp init error paths
- [armhf] usb: musb: omap2430: Fix use-after-free in omap2430_probe()
- usb: gadget: f_hid: tidy error handling in hidg_alloc
- usb: gadget: f_hid: fix device reference leak in hidg_alloc()
- usb: typec: ucsi: Check if power role change actually happened before
handling
- thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
- [arm64] tty: serial: qcom-geni-serial: remove unused symbols
- [arm64] tty: serial: qcom-geni-serial: align #define values
- [arm64] serial: qcom-geni: fix UART_RX_PAR_EN bit position
- scsi: target: iscsi: Fix CRC overread and double-free in
iscsit_handle_text_cmd()
- usb: typec: ucsi: Don't update power_supply on power role change if not
connected
- netfilter: nft_fib: fix stale stack leak via the OIFNAME register
(CVE-2026-53134)
- hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
(CVE-2026-53199)
- mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb()
- mm/migrate: don't call folio_putback_active_hugetlb() on dst hugetlb
folio
- mm/hugetlb: rename folio_putback_active_hugetlb() to
folio_putback_hugetlb()
- mm/memory-failure: fix missing ->mf_stats count in hugetlb poison
- mm/memory-failure: fix hugetlb_lock AA deadlock in
get_huge_page_for_hwpoison (CVE-2026-53207)
- RDMA: Move DMA block iterator logic into dedicated files
- RDMA/umem: Fix truncation for block sizes >= 4G (CVE-2026-53133)
- ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850)
- blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed
before init (CVE-2023-54271)
- batman-adv: stop tp_meter sessions during mesh teardown (CVE-2026-46208)
- batman-adv: tp_meter: fix tp_num leak on kmalloc failure
- [x86] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
- perf build: Conditionally define NDEBUG
- perf parse-events: Make YYDEBUG dependent on doing a debug build
- perf build: Disable fewer bison warnings
- [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
- ipmi:ssif: Fix a shutdown race
- ipmi:ssif: Clean up kthread on errors (CVE-2026-46044)
- usb: typec: tcpm: reset internal port states on soft reset AMS
- lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
(CVE-2026-43492)
- ipmi:ssif: Remove unnecessary indention
- ipmi:ssif: NULL thread on error
- [arm*] drm/v3d: Reject empty multisync extension to prevent infinite
loop (CVE-2026-46314)
- [arm64] Mitigate TLBI errata on various CPU cores (CVE-2025-10263):
+ cputype: Add NVIDIA Olympus definitions
+ cputype: Add C1-Ultra definitions
+ cputype: Add C1-Premium definitions
+ errata: Mitigate TLBI errata on various Arm CPUs (CVE-2026-53354)
+ errata: Mitigate TLBI errata on NVIDIA Olympus CPU
+ errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
- [armhf] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter
(regression in 6.1.165)
- [x86] CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
(regression in 6.1.173)
- r8152: Hold the rtnl_lock for all of reset
- media: rc: ttusbir: fix inverted error logic
- batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
- media: rc: igorplugusb: fix control request setup packet (CVE-2026-46091)
- ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
- batman-adv: tp_meter: fix race condition in send error reporting
- batman-adv: tp_meter: avoid role confusion in tp_list
- netfilter: require Ethernet MAC header before using eth_hdr()
(CVE-2026-53131)
.
[ Ben Hutchings ]
* Refresh "rxrpc: Fix conn-level packet handling to unshare RESPONSE packets"
* [rt] Add new signing key for Clark Williams
* [rt] Update to 6.1.176-rt64:
- ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
- [x86] kvm/vmx: guard regparm(0) on vmread_error_trampoline for x86_32
only
* [x86] Revert "x86/CPU: Only try to mitigate FPDSS on Zen1" as redundant
* Revert "net: ipv4: stop checking crypto_ahash_alignmask"
* Revert "net: ipv6: stop checking crypto_ahash_alignmask"
* Revert "Bluetooth: L2CAP: use chan timer to close channels in
cleanup_listen()"
* cgroup/cpuset: Fix misplaced call to reset_migrate_dl_data()
* media: uvcvideo: Create an ID namespace for streaming output terminals
* [ppc64el] cpuidle: Set CPUIDLE_FLAG_POLLING for snooze state
* Revert "media: rc: streamzap: Error handling in probe"
* Revert "epoll: use refcount to reduce ep_mutex contention"
(CVE-2025-38349, CVE-2026-46242)
.
[ Salvatore Bonaccorso ]
* ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909)
* net/sched: act_pedit: check static offsets a priori
* net/sched: act_pedit: rate limit datapath messages
* net/sched: fix pedit partial COW leading to page cache corruption
(CVE-2026-46331)
* net/sched: act_pedit: free pedit keys on bail from offset check
Checksums-Sha1:
6109f73c7610a8fc36a5368744e6e88269e9627f 7882 linux-signed-amd64_6.1.176+1.dsc
1ccd86f37fa9f4cc8410b7d3c8eb6013f438e762 849012 linux-signed-amd64_6.1.176+1.tar.xz
Checksums-Sha256:
778dff3a2b6232648d62cb88752246b94320ff404845cc9d395928335fc0188e 7882 linux-signed-amd64_6.1.176+1.dsc
9e7cfbc1843ad59e6ca54dc747d9febb7e261e6f380008f4b4caf0c2fb0dc5b6 849012 linux-signed-amd64_6.1.176+1.tar.xz
Files:
6820c4d667582a244349da6e6dafb886 7882 kernel optional linux-signed-amd64_6.1.176+1.dsc
5b2687842e1ebb7e74eb116a4da8ca20 849012 kernel optional linux-signed-amd64_6.1.176+1.tar.xz
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSInBJdRTWyTRy0ztFCTVFtUgONCgUCake2HgAKCRBCTVFtUgON
CsL5AP9fciVSmjAxBpjknJod7//b1PBVzmUH1ehWGWXPXPKpzQEAozM08i+J7NrT
7i0NQkeoLnhfGkvXR/TSI+ESElpphQI=
=UW8l
-----END PGP SIGNATURE-----