{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-headers-7.0.0-28",
                "linux-headers-7.0.0-28-generic",
                "linux-image-7.0.0-28-generic",
                "linux-main-modules-zfs-7.0.0-28-generic",
                "linux-modules-7.0.0-28-generic",
                "linux-tools-7.0.0-28",
                "linux-tools-7.0.0-28-generic"
            ],
            "removed": [
                "linux-headers-7.0.0-27",
                "linux-headers-7.0.0-27-generic",
                "linux-image-7.0.0-27-generic",
                "linux-main-modules-zfs-7.0.0-27-generic",
                "linux-modules-7.0.0-27-generic",
                "linux-tools-7.0.0-27",
                "linux-tools-7.0.0-27-generic"
            ],
            "diff": [
                "bpftool",
                "libntfs-3g89t64",
                "linux-headers-generic",
                "linux-headers-virtual",
                "linux-image-virtual",
                "linux-libc-dev",
                "linux-perf",
                "linux-tools-common",
                "linux-virtual",
                "ntfs-3g",
                "python3-httplib2",
                "python3-idna",
                "tar",
                "ubuntu-pro-client",
                "ubuntu-pro-client-l10n",
                "vim",
                "vim-common",
                "vim-runtime",
                "vim-tiny",
                "wget",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "bpftool",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.7.0+7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.7.0+7.0.0-28.28"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46318",
                        "url": "https://ubuntu.com/security/CVE-2026-46318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46322",
                        "url": "https://ubuntu.com/security/CVE-2026-46322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46320",
                        "url": "https://ubuntu.com/security/CVE-2026-46320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46321",
                        "url": "https://ubuntu.com/security/CVE-2026-46321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46316",
                        "url": "https://ubuntu.com/security/CVE-2026-46316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46317",
                        "url": "https://ubuntu.com/security/CVE-2026-46317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45846",
                        "url": "https://ubuntu.com/security/CVE-2026-45846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45845",
                        "url": "https://ubuntu.com/security/CVE-2026-45845",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45844",
                        "url": "https://ubuntu.com/security/CVE-2026-45844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46242",
                        "url": "https://ubuntu.com/security/CVE-2026-46242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-30 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45843",
                        "url": "https://ubuntu.com/security/CVE-2026-45843",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45842",
                        "url": "https://ubuntu.com/security/CVE-2026-45842",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45841",
                        "url": "https://ubuntu.com/security/CVE-2026-45841",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45840",
                        "url": "https://ubuntu.com/security/CVE-2026-45840",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45839",
                        "url": "https://ubuntu.com/security/CVE-2026-45839",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45838",
                        "url": "https://ubuntu.com/security/CVE-2026-45838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46214",
                        "url": "https://ubuntu.com/security/CVE-2026-46214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46207",
                        "url": "https://ubuntu.com/security/CVE-2026-46207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46234",
                        "url": "https://ubuntu.com/security/CVE-2026-46234",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46223",
                        "url": "https://ubuntu.com/security/CVE-2026-46223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46221",
                        "url": "https://ubuntu.com/security/CVE-2026-46221",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46231",
                        "url": "https://ubuntu.com/security/CVE-2026-46231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46233",
                        "url": "https://ubuntu.com/security/CVE-2026-46233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46212",
                        "url": "https://ubuntu.com/security/CVE-2026-46212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46238",
                        "url": "https://ubuntu.com/security/CVE-2026-46238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46208",
                        "url": "https://ubuntu.com/security/CVE-2026-46208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46206",
                        "url": "https://ubuntu.com/security/CVE-2026-46206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46198",
                        "url": "https://ubuntu.com/security/CVE-2026-46198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46227",
                        "url": "https://ubuntu.com/security/CVE-2026-46227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46220",
                        "url": "https://ubuntu.com/security/CVE-2026-46220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46215",
                        "url": "https://ubuntu.com/security/CVE-2026-46215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46201",
                        "url": "https://ubuntu.com/security/CVE-2026-46201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46224",
                        "url": "https://ubuntu.com/security/CVE-2026-46224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46197",
                        "url": "https://ubuntu.com/security/CVE-2026-46197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46209",
                        "url": "https://ubuntu.com/security/CVE-2026-46209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46230",
                        "url": "https://ubuntu.com/security/CVE-2026-46230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46199",
                        "url": "https://ubuntu.com/security/CVE-2026-46199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46204",
                        "url": "https://ubuntu.com/security/CVE-2026-46204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46218",
                        "url": "https://ubuntu.com/security/CVE-2026-46218",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46229",
                        "url": "https://ubuntu.com/security/CVE-2026-46229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46211",
                        "url": "https://ubuntu.com/security/CVE-2026-46211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46203",
                        "url": "https://ubuntu.com/security/CVE-2026-46203",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46219",
                        "url": "https://ubuntu.com/security/CVE-2026-46219",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46200",
                        "url": "https://ubuntu.com/security/CVE-2026-46200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46241",
                        "url": "https://ubuntu.com/security/CVE-2026-46241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46225",
                        "url": "https://ubuntu.com/security/CVE-2026-46225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46226",
                        "url": "https://ubuntu.com/security/CVE-2026-46226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46228",
                        "url": "https://ubuntu.com/security/CVE-2026-46228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46216",
                        "url": "https://ubuntu.com/security/CVE-2026-46216",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46210",
                        "url": "https://ubuntu.com/security/CVE-2026-46210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46240",
                        "url": "https://ubuntu.com/security/CVE-2026-46240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46235",
                        "url": "https://ubuntu.com/security/CVE-2026-46235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46222",
                        "url": "https://ubuntu.com/security/CVE-2026-46222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46239",
                        "url": "https://ubuntu.com/security/CVE-2026-46239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46236",
                        "url": "https://ubuntu.com/security/CVE-2026-46236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46205",
                        "url": "https://ubuntu.com/security/CVE-2026-46205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46202",
                        "url": "https://ubuntu.com/security/CVE-2026-46202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46213",
                        "url": "https://ubuntu.com/security/CVE-2026-46213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46232",
                        "url": "https://ubuntu.com/security/CVE-2026-46232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43490",
                        "url": "https://ubuntu.com/security/CVE-2026-43490",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 06:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46174",
                        "url": "https://ubuntu.com/security/CVE-2026-46174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46110",
                        "url": "https://ubuntu.com/security/CVE-2026-46110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46153",
                        "url": "https://ubuntu.com/security/CVE-2026-46153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46169",
                        "url": "https://ubuntu.com/security/CVE-2026-46169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46188",
                        "url": "https://ubuntu.com/security/CVE-2026-46188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45837",
                        "url": "https://ubuntu.com/security/CVE-2026-45837",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46156",
                        "url": "https://ubuntu.com/security/CVE-2026-46156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46147",
                        "url": "https://ubuntu.com/security/CVE-2026-46147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46175",
                        "url": "https://ubuntu.com/security/CVE-2026-46175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46194",
                        "url": "https://ubuntu.com/security/CVE-2026-46194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46170",
                        "url": "https://ubuntu.com/security/CVE-2026-46170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46158",
                        "url": "https://ubuntu.com/security/CVE-2026-46158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46168",
                        "url": "https://ubuntu.com/security/CVE-2026-46168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46189",
                        "url": "https://ubuntu.com/security/CVE-2026-46189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46133",
                        "url": "https://ubuntu.com/security/CVE-2026-46133",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46114",
                        "url": "https://ubuntu.com/security/CVE-2026-46114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46127",
                        "url": "https://ubuntu.com/security/CVE-2026-46127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46176",
                        "url": "https://ubuntu.com/security/CVE-2026-46176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46178",
                        "url": "https://ubuntu.com/security/CVE-2026-46178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46181",
                        "url": "https://ubuntu.com/security/CVE-2026-46181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46145",
                        "url": "https://ubuntu.com/security/CVE-2026-46145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46117",
                        "url": "https://ubuntu.com/security/CVE-2026-46117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46126",
                        "url": "https://ubuntu.com/security/CVE-2026-46126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46144",
                        "url": "https://ubuntu.com/security/CVE-2026-46144",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46141",
                        "url": "https://ubuntu.com/security/CVE-2026-46141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46183",
                        "url": "https://ubuntu.com/security/CVE-2026-46183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46121",
                        "url": "https://ubuntu.com/security/CVE-2026-46121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46131",
                        "url": "https://ubuntu.com/security/CVE-2026-46131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46139",
                        "url": "https://ubuntu.com/security/CVE-2026-46139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46105",
                        "url": "https://ubuntu.com/security/CVE-2026-46105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46171",
                        "url": "https://ubuntu.com/security/CVE-2026-46171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46112",
                        "url": "https://ubuntu.com/security/CVE-2026-46112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46165",
                        "url": "https://ubuntu.com/security/CVE-2026-46165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46161",
                        "url": "https://ubuntu.com/security/CVE-2026-46161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43492",
                        "url": "https://ubuntu.com/security/CVE-2026-43492",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46124",
                        "url": "https://ubuntu.com/security/CVE-2026-46124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46130",
                        "url": "https://ubuntu.com/security/CVE-2026-46130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46106",
                        "url": "https://ubuntu.com/security/CVE-2026-46106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46107",
                        "url": "https://ubuntu.com/security/CVE-2026-46107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46160",
                        "url": "https://ubuntu.com/security/CVE-2026-46160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46164",
                        "url": "https://ubuntu.com/security/CVE-2026-46164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46129",
                        "url": "https://ubuntu.com/security/CVE-2026-46129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46159",
                        "url": "https://ubuntu.com/security/CVE-2026-46159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46143",
                        "url": "https://ubuntu.com/security/CVE-2026-46143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46148",
                        "url": "https://ubuntu.com/security/CVE-2026-46148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46192",
                        "url": "https://ubuntu.com/security/CVE-2026-46192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46162",
                        "url": "https://ubuntu.com/security/CVE-2026-46162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46273",
                        "url": "https://ubuntu.com/security/CVE-2026-46273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46191",
                        "url": "https://ubuntu.com/security/CVE-2026-46191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46134",
                        "url": "https://ubuntu.com/security/CVE-2026-46134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43495",
                        "url": "https://ubuntu.com/security/CVE-2026-43495",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43502",
                        "url": "https://ubuntu.com/security/CVE-2026-43502",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46120",
                        "url": "https://ubuntu.com/security/CVE-2026-46120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46142",
                        "url": "https://ubuntu.com/security/CVE-2026-46142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46118",
                        "url": "https://ubuntu.com/security/CVE-2026-46118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46182",
                        "url": "https://ubuntu.com/security/CVE-2026-46182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46184",
                        "url": "https://ubuntu.com/security/CVE-2026-46184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43498",
                        "url": "https://ubuntu.com/security/CVE-2026-43498",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46132",
                        "url": "https://ubuntu.com/security/CVE-2026-46132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46190",
                        "url": "https://ubuntu.com/security/CVE-2026-46190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46150",
                        "url": "https://ubuntu.com/security/CVE-2026-46150",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45836",
                        "url": "https://ubuntu.com/security/CVE-2026-45836",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45834",
                        "url": "https://ubuntu.com/security/CVE-2026-45834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45835",
                        "url": "https://ubuntu.com/security/CVE-2026-45835",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46138",
                        "url": "https://ubuntu.com/security/CVE-2026-46138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46111",
                        "url": "https://ubuntu.com/security/CVE-2026-46111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46140",
                        "url": "https://ubuntu.com/security/CVE-2026-46140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46186",
                        "url": "https://ubuntu.com/security/CVE-2026-46186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46123",
                        "url": "https://ubuntu.com/security/CVE-2026-46123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46104",
                        "url": "https://ubuntu.com/security/CVE-2026-46104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46193",
                        "url": "https://ubuntu.com/security/CVE-2026-46193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46172",
                        "url": "https://ubuntu.com/security/CVE-2026-46172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46116",
                        "url": "https://ubuntu.com/security/CVE-2026-46116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46154",
                        "url": "https://ubuntu.com/security/CVE-2026-46154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46157",
                        "url": "https://ubuntu.com/security/CVE-2026-46157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46109",
                        "url": "https://ubuntu.com/security/CVE-2026-46109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46146",
                        "url": "https://ubuntu.com/security/CVE-2026-46146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46167",
                        "url": "https://ubuntu.com/security/CVE-2026-46167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46151",
                        "url": "https://ubuntu.com/security/CVE-2026-46151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46180",
                        "url": "https://ubuntu.com/security/CVE-2026-46180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46122",
                        "url": "https://ubuntu.com/security/CVE-2026-46122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46125",
                        "url": "https://ubuntu.com/security/CVE-2026-46125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46166",
                        "url": "https://ubuntu.com/security/CVE-2026-46166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46187",
                        "url": "https://ubuntu.com/security/CVE-2026-46187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46152",
                        "url": "https://ubuntu.com/security/CVE-2026-46152",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46163",
                        "url": "https://ubuntu.com/security/CVE-2026-46163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46136",
                        "url": "https://ubuntu.com/security/CVE-2026-46136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46173",
                        "url": "https://ubuntu.com/security/CVE-2026-46173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43496",
                        "url": "https://ubuntu.com/security/CVE-2026-43496",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46113",
                        "url": "https://ubuntu.com/security/CVE-2026-46113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46179",
                        "url": "https://ubuntu.com/security/CVE-2026-46179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46196",
                        "url": "https://ubuntu.com/security/CVE-2026-46196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43497",
                        "url": "https://ubuntu.com/security/CVE-2026-43497",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46108",
                        "url": "https://ubuntu.com/security/CVE-2026-46108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46128",
                        "url": "https://ubuntu.com/security/CVE-2026-46128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46177",
                        "url": "https://ubuntu.com/security/CVE-2026-46177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46149",
                        "url": "https://ubuntu.com/security/CVE-2026-46149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46137",
                        "url": "https://ubuntu.com/security/CVE-2026-46137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46155",
                        "url": "https://ubuntu.com/security/CVE-2026-46155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2157520,
                    2154418,
                    2155837,
                    2154174,
                    2154748,
                    2156559,
                    2156556,
                    2150640,
                    2156312,
                    2155096,
                    2154715,
                    2153159,
                    2150071,
                    2154343,
                    2149770,
                    2153155,
                    2152570,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156390,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2150845
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46318",
                                "url": "https://ubuntu.com/security/CVE-2026-46318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46322",
                                "url": "https://ubuntu.com/security/CVE-2026-46322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46320",
                                "url": "https://ubuntu.com/security/CVE-2026-46320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46321",
                                "url": "https://ubuntu.com/security/CVE-2026-46321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46316",
                                "url": "https://ubuntu.com/security/CVE-2026-46316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46317",
                                "url": "https://ubuntu.com/security/CVE-2026-46317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45846",
                                "url": "https://ubuntu.com/security/CVE-2026-45846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45845",
                                "url": "https://ubuntu.com/security/CVE-2026-45845",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45844",
                                "url": "https://ubuntu.com/security/CVE-2026-45844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46242",
                                "url": "https://ubuntu.com/security/CVE-2026-46242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-30 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45843",
                                "url": "https://ubuntu.com/security/CVE-2026-45843",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45842",
                                "url": "https://ubuntu.com/security/CVE-2026-45842",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45841",
                                "url": "https://ubuntu.com/security/CVE-2026-45841",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45840",
                                "url": "https://ubuntu.com/security/CVE-2026-45840",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45839",
                                "url": "https://ubuntu.com/security/CVE-2026-45839",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45838",
                                "url": "https://ubuntu.com/security/CVE-2026-45838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46214",
                                "url": "https://ubuntu.com/security/CVE-2026-46214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46207",
                                "url": "https://ubuntu.com/security/CVE-2026-46207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46234",
                                "url": "https://ubuntu.com/security/CVE-2026-46234",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46223",
                                "url": "https://ubuntu.com/security/CVE-2026-46223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46221",
                                "url": "https://ubuntu.com/security/CVE-2026-46221",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46231",
                                "url": "https://ubuntu.com/security/CVE-2026-46231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46233",
                                "url": "https://ubuntu.com/security/CVE-2026-46233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46212",
                                "url": "https://ubuntu.com/security/CVE-2026-46212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46238",
                                "url": "https://ubuntu.com/security/CVE-2026-46238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46208",
                                "url": "https://ubuntu.com/security/CVE-2026-46208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46206",
                                "url": "https://ubuntu.com/security/CVE-2026-46206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46198",
                                "url": "https://ubuntu.com/security/CVE-2026-46198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46227",
                                "url": "https://ubuntu.com/security/CVE-2026-46227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46220",
                                "url": "https://ubuntu.com/security/CVE-2026-46220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46215",
                                "url": "https://ubuntu.com/security/CVE-2026-46215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46201",
                                "url": "https://ubuntu.com/security/CVE-2026-46201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46224",
                                "url": "https://ubuntu.com/security/CVE-2026-46224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46197",
                                "url": "https://ubuntu.com/security/CVE-2026-46197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46209",
                                "url": "https://ubuntu.com/security/CVE-2026-46209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46230",
                                "url": "https://ubuntu.com/security/CVE-2026-46230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46199",
                                "url": "https://ubuntu.com/security/CVE-2026-46199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46204",
                                "url": "https://ubuntu.com/security/CVE-2026-46204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46218",
                                "url": "https://ubuntu.com/security/CVE-2026-46218",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46229",
                                "url": "https://ubuntu.com/security/CVE-2026-46229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46211",
                                "url": "https://ubuntu.com/security/CVE-2026-46211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46203",
                                "url": "https://ubuntu.com/security/CVE-2026-46203",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46219",
                                "url": "https://ubuntu.com/security/CVE-2026-46219",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46200",
                                "url": "https://ubuntu.com/security/CVE-2026-46200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46241",
                                "url": "https://ubuntu.com/security/CVE-2026-46241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46225",
                                "url": "https://ubuntu.com/security/CVE-2026-46225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46226",
                                "url": "https://ubuntu.com/security/CVE-2026-46226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46228",
                                "url": "https://ubuntu.com/security/CVE-2026-46228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46216",
                                "url": "https://ubuntu.com/security/CVE-2026-46216",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46210",
                                "url": "https://ubuntu.com/security/CVE-2026-46210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46240",
                                "url": "https://ubuntu.com/security/CVE-2026-46240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46235",
                                "url": "https://ubuntu.com/security/CVE-2026-46235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46222",
                                "url": "https://ubuntu.com/security/CVE-2026-46222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46239",
                                "url": "https://ubuntu.com/security/CVE-2026-46239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46236",
                                "url": "https://ubuntu.com/security/CVE-2026-46236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46205",
                                "url": "https://ubuntu.com/security/CVE-2026-46205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46202",
                                "url": "https://ubuntu.com/security/CVE-2026-46202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46213",
                                "url": "https://ubuntu.com/security/CVE-2026-46213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46232",
                                "url": "https://ubuntu.com/security/CVE-2026-46232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43490",
                                "url": "https://ubuntu.com/security/CVE-2026-43490",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 06:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46174",
                                "url": "https://ubuntu.com/security/CVE-2026-46174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46110",
                                "url": "https://ubuntu.com/security/CVE-2026-46110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46153",
                                "url": "https://ubuntu.com/security/CVE-2026-46153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46169",
                                "url": "https://ubuntu.com/security/CVE-2026-46169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46188",
                                "url": "https://ubuntu.com/security/CVE-2026-46188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45837",
                                "url": "https://ubuntu.com/security/CVE-2026-45837",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46156",
                                "url": "https://ubuntu.com/security/CVE-2026-46156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46147",
                                "url": "https://ubuntu.com/security/CVE-2026-46147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46175",
                                "url": "https://ubuntu.com/security/CVE-2026-46175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46194",
                                "url": "https://ubuntu.com/security/CVE-2026-46194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46170",
                                "url": "https://ubuntu.com/security/CVE-2026-46170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46158",
                                "url": "https://ubuntu.com/security/CVE-2026-46158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46168",
                                "url": "https://ubuntu.com/security/CVE-2026-46168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46189",
                                "url": "https://ubuntu.com/security/CVE-2026-46189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46133",
                                "url": "https://ubuntu.com/security/CVE-2026-46133",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46114",
                                "url": "https://ubuntu.com/security/CVE-2026-46114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46127",
                                "url": "https://ubuntu.com/security/CVE-2026-46127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46176",
                                "url": "https://ubuntu.com/security/CVE-2026-46176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46178",
                                "url": "https://ubuntu.com/security/CVE-2026-46178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46181",
                                "url": "https://ubuntu.com/security/CVE-2026-46181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46145",
                                "url": "https://ubuntu.com/security/CVE-2026-46145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46117",
                                "url": "https://ubuntu.com/security/CVE-2026-46117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46126",
                                "url": "https://ubuntu.com/security/CVE-2026-46126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46144",
                                "url": "https://ubuntu.com/security/CVE-2026-46144",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46141",
                                "url": "https://ubuntu.com/security/CVE-2026-46141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46183",
                                "url": "https://ubuntu.com/security/CVE-2026-46183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46121",
                                "url": "https://ubuntu.com/security/CVE-2026-46121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46131",
                                "url": "https://ubuntu.com/security/CVE-2026-46131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46139",
                                "url": "https://ubuntu.com/security/CVE-2026-46139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46105",
                                "url": "https://ubuntu.com/security/CVE-2026-46105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46171",
                                "url": "https://ubuntu.com/security/CVE-2026-46171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46112",
                                "url": "https://ubuntu.com/security/CVE-2026-46112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46165",
                                "url": "https://ubuntu.com/security/CVE-2026-46165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46161",
                                "url": "https://ubuntu.com/security/CVE-2026-46161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43492",
                                "url": "https://ubuntu.com/security/CVE-2026-43492",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46124",
                                "url": "https://ubuntu.com/security/CVE-2026-46124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46130",
                                "url": "https://ubuntu.com/security/CVE-2026-46130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46106",
                                "url": "https://ubuntu.com/security/CVE-2026-46106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46107",
                                "url": "https://ubuntu.com/security/CVE-2026-46107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46160",
                                "url": "https://ubuntu.com/security/CVE-2026-46160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46164",
                                "url": "https://ubuntu.com/security/CVE-2026-46164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46129",
                                "url": "https://ubuntu.com/security/CVE-2026-46129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46159",
                                "url": "https://ubuntu.com/security/CVE-2026-46159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46143",
                                "url": "https://ubuntu.com/security/CVE-2026-46143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46148",
                                "url": "https://ubuntu.com/security/CVE-2026-46148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46192",
                                "url": "https://ubuntu.com/security/CVE-2026-46192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46162",
                                "url": "https://ubuntu.com/security/CVE-2026-46162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46273",
                                "url": "https://ubuntu.com/security/CVE-2026-46273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46191",
                                "url": "https://ubuntu.com/security/CVE-2026-46191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46134",
                                "url": "https://ubuntu.com/security/CVE-2026-46134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43495",
                                "url": "https://ubuntu.com/security/CVE-2026-43495",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43502",
                                "url": "https://ubuntu.com/security/CVE-2026-43502",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46120",
                                "url": "https://ubuntu.com/security/CVE-2026-46120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46142",
                                "url": "https://ubuntu.com/security/CVE-2026-46142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46118",
                                "url": "https://ubuntu.com/security/CVE-2026-46118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46182",
                                "url": "https://ubuntu.com/security/CVE-2026-46182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46184",
                                "url": "https://ubuntu.com/security/CVE-2026-46184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43498",
                                "url": "https://ubuntu.com/security/CVE-2026-43498",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46132",
                                "url": "https://ubuntu.com/security/CVE-2026-46132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46190",
                                "url": "https://ubuntu.com/security/CVE-2026-46190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46150",
                                "url": "https://ubuntu.com/security/CVE-2026-46150",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45836",
                                "url": "https://ubuntu.com/security/CVE-2026-45836",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45834",
                                "url": "https://ubuntu.com/security/CVE-2026-45834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45835",
                                "url": "https://ubuntu.com/security/CVE-2026-45835",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46138",
                                "url": "https://ubuntu.com/security/CVE-2026-46138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46111",
                                "url": "https://ubuntu.com/security/CVE-2026-46111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46140",
                                "url": "https://ubuntu.com/security/CVE-2026-46140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46186",
                                "url": "https://ubuntu.com/security/CVE-2026-46186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46123",
                                "url": "https://ubuntu.com/security/CVE-2026-46123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46104",
                                "url": "https://ubuntu.com/security/CVE-2026-46104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46193",
                                "url": "https://ubuntu.com/security/CVE-2026-46193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46172",
                                "url": "https://ubuntu.com/security/CVE-2026-46172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46116",
                                "url": "https://ubuntu.com/security/CVE-2026-46116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46154",
                                "url": "https://ubuntu.com/security/CVE-2026-46154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46157",
                                "url": "https://ubuntu.com/security/CVE-2026-46157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46109",
                                "url": "https://ubuntu.com/security/CVE-2026-46109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46146",
                                "url": "https://ubuntu.com/security/CVE-2026-46146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46167",
                                "url": "https://ubuntu.com/security/CVE-2026-46167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46151",
                                "url": "https://ubuntu.com/security/CVE-2026-46151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46180",
                                "url": "https://ubuntu.com/security/CVE-2026-46180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46122",
                                "url": "https://ubuntu.com/security/CVE-2026-46122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46125",
                                "url": "https://ubuntu.com/security/CVE-2026-46125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46166",
                                "url": "https://ubuntu.com/security/CVE-2026-46166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46187",
                                "url": "https://ubuntu.com/security/CVE-2026-46187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46152",
                                "url": "https://ubuntu.com/security/CVE-2026-46152",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46163",
                                "url": "https://ubuntu.com/security/CVE-2026-46163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46136",
                                "url": "https://ubuntu.com/security/CVE-2026-46136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46173",
                                "url": "https://ubuntu.com/security/CVE-2026-46173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43496",
                                "url": "https://ubuntu.com/security/CVE-2026-43496",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46113",
                                "url": "https://ubuntu.com/security/CVE-2026-46113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46179",
                                "url": "https://ubuntu.com/security/CVE-2026-46179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46196",
                                "url": "https://ubuntu.com/security/CVE-2026-46196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43497",
                                "url": "https://ubuntu.com/security/CVE-2026-43497",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46108",
                                "url": "https://ubuntu.com/security/CVE-2026-46108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46128",
                                "url": "https://ubuntu.com/security/CVE-2026-46128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46177",
                                "url": "https://ubuntu.com/security/CVE-2026-46177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46149",
                                "url": "https://ubuntu.com/security/CVE-2026-46149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46137",
                                "url": "https://ubuntu.com/security/CVE-2026-46137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46155",
                                "url": "https://ubuntu.com/security/CVE-2026-46155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-28.28 -proposed tracker (LP: #2157520)",
                            "",
                            "  * Backport ASoC SDCA, AMD SoundWire, and RT722 audio fixes (LP: #2154418)",
                            "    - ASoC: amd: acp-sdw-legacy: rename the dmic component name",
                            "    - SAUCE: ASoC: rt722-sdca: add FU06 Playback Switch for speaker mute",
                            "      control",
                            "",
                            "  * MIPI camera of a BBG809N3A_B sensor SKU of the DELL Pro 14 Premium PA14260",
                            "    renders upside-down (LP: #2155837)",
                            "    - SAUCE: media: ipu-bridge: correct platform handling for DELL Pro 14",
                            "      Premium PA14260",
                            "",
                            "  * resolute ubuntu_kernel_selftests:seccomp_build test compilation issue",
                            "    (LP: #2154174)",
                            "    - SAUCE: selftests/seccomp fix compilation issue for amd64",
                            "",
                            "  * [Ubuntu 26.04] Severe Performance Degradation on kernel 7.0.0-15",
                            "    (LP: #2154748)",
                            "    - s390: Remove GENERIC_LOCKBREAK Kconfig option",
                            "    - UBUNTU [Config]: Remove GENERIC_LOCKBREAK in s390x",
                            "",
                            "  * Fix no sound output device on Dell GhostRider PTL no camera SKU",
                            "    (LP: #2156559)",
                            "    - ASoC: Intel: sof_sdw: append dai type to dai link name unconditionally",
                            "",
                            "  * Fix no audio from right built-in speaker on HP ZBook with TAS2781",
                            "    amplifier (LP: #2156556)",
                            "    - ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block",
                            "      data processing",
                            "",
                            "  * Installer fails internally with a RSync error due to page fault",
                            "    (LP: #2150640)",
                            "    - ovl: keep err zero after successful ovl_cache_get()",
                            "",
                            "  * Internal display black screen on Intel Lunar Lake with eDP panel",
                            "    (LP: #2156312)",
                            "    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG",
                            "",
                            "  * Thunderbolt DP tunnel torn down during boot with LUKS Full Disk Encryption",
                            "    (LP: #2155096)",
                            "    - SAUCE: thunderbolt: Defer DP tunnel teardown until display driver is",
                            "      ready",
                            "",
                            "  * watchdog: lenovo_se10_wdt: Add SE10 Gen 2 support (LP: #2154715)",
                            "    - watchdog: lenovo_se10_wdt: Add support for SE10 Gen 2 platform",
                            "    - watchdog: lenovo_se10_wdt: Fix use-after-free and resource leak risk",
                            "",
                            "  * [Ubuntu 26.04] KVM: IBM Test Accelerator for Z (TAZ) not working properly",
                            "    (LP: #2153159)",
                            "    - KVM: s390: only deliver service interrupt with payload",
                            "    - KVM: s390: vsie: Allow non-zarch guests",
                            "    - KVM: s390: vsie: Disable some bits when in ESA mode",
                            "    - KVM: s390: vsie: Accommodate ESA prefix pages",
                            "    - KVM: s390: Add KVM capability for ESA mode guests",
                            "",
                            "  * ubuntu_bpf failed to build on Resolute (error: expected ‘:’, ‘,’, ‘;’, ‘}’",
                            "    or ‘__attribute__’ before ‘__counted_by’) (LP: #2150071)",
                            "    - tools/headers: Regenerate stddef.h to fix BPF selftests",
                            "",
                            "  * ubuntu_bpf: FTBFS with clang 23 / gcc 15 (LP: #2154343)",
                            "    - selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c",
                            "",
                            "  * ALSA: hda/tas2781 Audio Fix for the front-right speacker (LP: #2149770)",
                            "    - ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device",
                            "",
                            "  * Fix bad audio record quality when volume above 50% on Framework PTL",
                            "    (LP: #2153155)",
                            "    - ALSA: hda/realtek: fix mic boost on Framework PTL",
                            "",
                            "  * Patchset for TUXEDO devices (LP: #2152570)",
                            "    - drm/i915/vbt: Add edp pipe joiner enable/disable bits",
                            "    - drm/i915/dp: Avoid joiner for eDP if not enabled in VBT",
                            "    - drm/amd/display: Add Idle state manager(ISM)",
                            "    - drm/i915/backlight: Remove try_vesa_interface",
                            "    - drm/i915/backlight: Use intel_panel variable instead of intel_connector",
                            "    - drm/i915/backlight: Take luminance_set into account for VESA backlight",
                            "    - drm/i915/backlight: Check luminance_set when disabling PWM via AUX VESA",
                            "      backlight",
                            "    - drm/i915/backlight: Short circuit intel_dp_aux_supports_hdr_backlight",
                            "    - drm/i915/backlight: Update debug log during backlight setup",
                            "    - drm/i915/backlight: Check if VESA backlight is possible",
                            "    - drm/i915/backlight: Provide clear description on how backlight level is",
                            "      controlled",
                            "    - drm/i915/backlight: Fix VESA backlight possible check condition",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636)",
                            "    - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size",
                            "    - ACPI: button: Fix ACPI GPE handler leak during removal",
                            "    - ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time",
                            "    - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit",
                            "    - net/sched: sch_sfb: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "    - bcache: fix uninitialized closure object",
                            "    - nfc: llcp: Fix use-after-free in llcp_sock_release()",
                            "    - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()",
                            "    - xfrm: Check for underflow in xfrm_state_mtu",
                            "    - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems",
                            "    - tools/bootconfig: Fix buf leaks in apply_xbc",
                            "    - HID: remove duplicate hid_warn_ratelimited definition",
                            "    - kunit: fix use-after-free in debugfs when using kunit.filter",
                            "    - accel/rocket: fix UAF via dangling GEM handle in create_bo",
                            "    - netfilter: synproxy: refresh tcphdr after skb_ensure_writable",
                            "    - netfilter: xt_cpu: prefer raw_smp_processor_id",
                            "    - netfilter: ebtables: fix OOB read in compat_mtw_from_user",
                            "    - netfilter: nf_tables: fix dst corruption in same register operation",
                            "    - vsock: keep poll shutdown state consistent",
                            "    - net: netlink: fix sending unassigned nsid after assigned one",
                            "    - net: netlink: don't set nsid on local notifications",
                            "    - net/smc: Do not re-initialize smc hashtables",
                            "    - net/iucv: fix locking in .getsockopt",
                            "    - scsi: core: Run queues for all non-SDEV_DEL devices from",
                            "      scsi_run_host_queues",
                            "    - scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()",
                            "    - ipv4: free net->ipv4.sysctl_local_reserved_ports after",
                            "      unregister_net_sysctl_table()",
                            "    - ALSA: hda: cs35l56: Fix system name string leaks",
                            "    - ALSA: pcm: oss: Fix setup list UAF on proc write error",
                            "    - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors",
                            "    - net/mlx5: HWS: Reject unsupported remove-header action",
                            "    - net: hsr: fix potential OOB access in supervision frame handling",
                            "    - accel/ivpu: prevent uninitialized data bug in debugfs",
                            "    - gpio: mxc: fix irq_high handling",
                            "    - drm/i915/aux: use polling when irqs are unavailable",
                            "    - net: Avoid checksumming unreadable skb tail on trim",
                            "    - ethtool: rss: avoid modifying the RSS context response",
                            "    - ethtool: rss: add missing errno on RSS context delete",
                            "    - ethtool: rss: fix falsely ignoring indir table updates",
                            "    - ethtool: rss: fix indir_table and hkey leak on get_rxfh failure",
                            "    - ethtool: rss: fix hkey leak when indir_size is 0",
                            "    - ethtool: rss: avoid device context leak on reply-build failure",
                            "    - ethtool: module: call ethnl_ops_complete() on module flash errors",
                            "    - ethtool: module: avoid leaking a netdev ref on module flash errors",
                            "    - ethtool: module: avoid racy updates to dev->ethtool bitfield",
                            "    - ethtool: module: check fw_flash_in_progress under rtnl_lock",
                            "    - ethtool: module: fix cleanup if socket used for flashing multiple",
                            "      devices",
                            "    - ethtool: cmis: require exact CDB reply length",
                            "    - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl",
                            "    - ethtool: cmis: validate start_cmd_payload_size from module",
                            "    - ethtool: cmis: validate fw->size against start_cmd_payload_size",
                            "    - cxl/test: Update mock dev array before calling platform_device_add()",
                            "    - blk-mq: reinsert cached request to the list",
                            "    - tunnels: load network headers after skb_cow() in",
                            "      iptunnel_pmtud_build_icmp[v6]()",
                            "    - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()",
                            "    - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()",
                            "    - ksmbd: fix FSCTL permission bypass by adding a permission check for",
                            "      FSCTL_SET_SPARSE",
                            "    - ASoC: codecs: simple-mux: Fix enum control bounds check",
                            "    - drm/xe: Restore IDLEDLY regiter on engine reset",
                            "    - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()",
                            "    - bonding: refuse to enslave CAN devices",
                            "    - bridge: Fix sleep in atomic context in netlink path",
                            "    - bridge: Fix sleep in atomic context in sysfs path",
                            "    - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES",
                            "    - ethtool: tsconfig: fix reply error handling",
                            "    - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup",
                            "      error",
                            "    - ethtool: pse-pd: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsconfig: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsinfo: fix uninitialized stats on the by-PHC path",
                            "    - ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure",
                            "    - ethtool: strset: fix header attribute index in ethnl_req_get_phydev()",
                            "    - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during",
                            "      fallback",
                            "    - ethtool: eeprom: add more safeties to EEPROM Netlink fallback",
                            "    - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()",
                            "    - net/sched: Revert \"net/sched: Restrict conditions for adding duplicating",
                            "      netems to qdisc tree\"",
                            "    - net/sched: fix packet loop on netem when duplicate is on",
                            "    - net: Introduce skb tc depth field to track packet loops",
                            "    - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop",
                            "    - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack",
                            "      overflow",
                            "    - net/sched: act_mirred: Fix return code in early mirred redirect error",
                            "      paths",
                            "    - net: hibmcge: disable Relaxed Ordering to fix RX packet corruption",
                            "    - net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path",
                            "    - net/handshake: Use spin_lock_bh for hn_lock",
                            "    - nvme-tcp: store negative errno in queue->tls_err",
                            "    - net/handshake: Pass negative errno through handshake_complete()",
                            "    - net/handshake: hand off the pinned file reference to accept_doit",
                            "    - net/handshake: Take a long-lived file reference at submit",
                            "    - net/handshake: Drain pending requests at net namespace exit",
                            "    - dpll: zl3073x: detect DPLL channel count from chip ID at runtime",
                            "    - dpll: zl3073x: add die temperature reporting for supported chips",
                            "    - dpll: export __dpll_device_change_ntf() for use under dpll_lock",
                            "    - dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work",
                            "    - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success",
                            "    - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp",
                            "    - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close",
                            "    - Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()",
                            "    - gpio: adnp: fix flow control regression caused by scoped_guard()",
                            "    - gpio: virtuser: Fix uninitialized data bug in",
                            "      gpio_virtuser_direction_do_write()",
                            "    - gpio: rockchip: convert bank->clk to devm_clk_get_enabled()",
                            "    - gpio: rockchip: teardown bugs and resource leaks",
                            "    - net: mana: Add NULL guards in teardown path to prevent panic on attach",
                            "      failure",
                            "    - net: mana: Skip redundant detach on already-detached port",
                            "    - sctp: fix race between sctp_wait_for_connect and peeloff",
                            "    - net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration",
                            "    - vsock/virtio: bind uarg before filling zerocopy skb",
                            "    - ipv6: fix possible infinite loop in rt6_fill_node()",
                            "    - ipv6: fix possible infinite loop in fib6_select_path()",
                            "    - net: skbuff: fix pskb_carve leaking zcopy pages",
                            "    - Revert \"ipv6: preserve insertion order for same-scope addresses\"",
                            "    - Revert \"x86/fpu: Refine and simplify the magic number check during",
                            "      signal return\"",
                            "    - drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register",
                            "    - drm/i915/psr: Read Intel DPCD workaround register",
                            "    - drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used",
                            "    - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer",
                            "    - iio: imu: adis16550: fix stack leak in trigger handler",
                            "    - iio: pressure: bmp280: fix stack leak in bmp580 trigger handler",
                            "    - usb: typec: ucsi: ccg: reject firmware images without a ':' record",
                            "      header",
                            "    - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers",
                            "    - usb: typec: tcpm: bound altmode_desc[] per iteration in",
                            "      svdm_consume_modes()",
                            "    - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload",
                            "      VDO",
                            "    - usb: typec: altmodes/displayport: validate count before reading Status",
                            "      Update VDO",
                            "    - usb: typec: wcove: don't write past struct pd_message in",
                            "      wcove_read_rx_buffer()",
                            "    - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT",
                            "    - usb: typec: ucsi: validate connector number in ucsi_connector_change()",
                            "    - USB: serial: safe_serial: fix memory corruption with small endpoint",
                            "    - media: rc: igorplugusb: fix control request setup packet",
                            "    - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()",
                            "    - USB: serial: cypress_m8: fix memory corruption with small endpoint",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse",
                            "    - Bluetooth: btusb: Allow firmware re-download when version matches",
                            "    - mm/vmalloc: do not trigger BUG() on BH disabled context",
                            "    - hpfs: fix a crash if hpfs_map_dnode_bitmap fails",
                            "    - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()",
                            "    - ipc: limit next_id allocation to the valid ID range",
                            "    - mm: memcontrol: propagate NMI slab stats to memcg vmstats",
                            "    - mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page",
                            "    - memfd: deny writeable mappings when implying SEAL_WRITE",
                            "    - zram: fix use-after-free in zram_writeback_endio",
                            "    - mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one",
                            "    - auxdisplay: line-display: fix OOB read on zero-length message_store()",
                            "    - smb: client: fix uninitialized variable in smb2_writev_callback",
                            "    - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
                            "    - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn",
                            "    - Bluetooth: HIDP: fix missing length checks in hidp_input_report()",
                            "    - Bluetooth: ISO: fix UAF in iso_recv_frame",
                            "    - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock",
                            "    - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()",
                            "    - Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading",
                            "    - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync",
                            "    - Input: xpad - fix out-of-bounds access for Share button",
                            "    - parport: Fix race between port and client registration",
                            "    - rust_binder: Avoid holding lock when dropping delivered_death",
                            "    - rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN",
                            "    - USB: cdc-acm: Fix bit overlap and move quirk definitions to header",
                            "    - KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor",
                            "    - KVM: arm64: PMU: Preserve AArch32 counter low bits",
                            "    - KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC",
                            "    - KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
                            "    - KVM: SEV: Ignore Port I/O requests of length '0'",
                            "    - KVM: SEV: Use the size of the PSC header as the minimum size for PSC",
                            "      requests",
                            "    - KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0",
                            "    - KVM: SEV: Compute the correct max length of the in-GHCB scratch area",
                            "    - KVM: SEV: Check PSC request indices against the actual size of the",
                            "      buffer",
                            "    - KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer",
                            "    - KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()",
                            "    - gpio: shared: undo the vote of the proxy on GPIO free",
                            "    - gpio: shared: fix deadlock on shared proxy's parent removal",
                            "    - gpio: shared: fix lockdep false positive by removing unneeded lock",
                            "    - Disable -Wattribute-alias for clang-23 and newer",
                            "    - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux",
                            "    - iio: adc: npcm: fix unbalanced clk_disable_unprepare()",
                            "    - iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings",
                            "    - iio: dac: max5821: fix return value check in powerdown sync",
                            "    - iio: dac: ad5686: fix ref bit initialization for single-channel parts",
                            "    - iio: dac: ad5686: fix input raw value check",
                            "    - iio: dac: ad5686: acquire lock when doing powerdown control",
                            "    - iio: dac: ad5686: fix powerdown control on dual-channel devices",
                            "    - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp",
                            "    - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw",
                            "    - iio: adc: ad4695: Fix call ordering in offload buffer postenable",
                            "    - iio: adc: nxp-sar-adc: fix division by zero in write_raw",
                            "    - iio: adc: nxp-sar-adc: Avoid division by zero",
                            "    - iio: adc: nxp-sar-adc: zero-initialize dma_slave_config",
                            "    - iio: gyro: itg3200: fix i2c read into the wrong stack location",
                            "    - iio: gyro: adis16260: fix division by zero in write_raw",
                            "    - iio: ssp_sensors: cancel delayed work_refresh on remove",
                            "    - iio: temperature: tsys01: fix broken PROM checksum validation",
                            "    - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL",
                            "    - iio: light: veml6070: Fix resource leak in probe error path",
                            "    - iio: Fix iio_multiply_value use in iio_read_channel_processed_scale",
                            "    - iio: chemical: mhz19b: reject oversized serial replies",
                            "    - iio: chemical: scd30: fix division by zero in write_raw",
                            "    - iio: light: cm3323: fix reg_conf not being initialized correctly",
                            "    - iio: buffer: hw-consumer: fix use-after-free in error path",
                            "    - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()",
                            "    - USB: serial: omninet: fix memory corruption with small endpoint",
                            "    - usb: cdns3: gadget: fix request skipping after clearing halt",
                            "    - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy",
                            "      acquisition failure",
                            "    - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently",
                            "      leaks the runtime PM usage counter across bind/unbind cycles",
                            "    - usb: dwc2: Fix use after free in debug code",
                            "    - Input: elan_i2c - validate firmware size before use",
                            "    - i2c: davinci: fix division by zero on missing clock-frequency",
                            "    - x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines",
                            "    - wireguard: send: append trailer after expanding head",
                            "    - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data",
                            "    - macsec: fix replay protection at XPN lower-PN wrap",
                            "    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()",
                            "    - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params",
                            "    - octeontx2-af: validate body pcifunc in rvu_mbox_handler_rep_event_notify",
                            "    - ipv6: exthdrs: refresh nh after handling HAO option",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().",
                            "    - ipv6: validate extension header length before copying to cmsg",
                            "    - xfrm: input: hold netns during deferred transport reinjection",
                            "    - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_changelink().",
                            "    - net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
                            "    - spi: spi-mem: avoid mutating op template in spi_mem_supports_op()",
                            "    - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()",
                            "    - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings",
                            "    - nfc: hci: fix out-of-bounds read in HCP header parsing",
                            "    - xfrm: route MIGRATE notifications to caller's netns",
                            "    - xfrm: ipcomp: Free destination pages on acomp errors",
                            "    - xfrm: ah: use skb_to_full_sk in async output callbacks",
                            "    - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417",
                            "    - ALSA: firewire-motu: Protect register DSP event queue positions",
                            "    - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without",
                            "      direction check",
                            "    - ASoC: qcom: q6asm-dai: close stream only when running",
                            "    - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger",
                            "      callbacks",
                            "    - xfrm: esp: restore combined single-frag length gate",
                            "    - ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP",
                            "    - xfrm: iptfs: reset runtime state when cloning SAs",
                            "    - dma-buf: fix UAF in dma_buf_fd() tracepoint",
                            "    - Input: xpad - add \"Nova 2 Lite\" from GameSir",
                            "    - Input: xpad - add support for ASUS ROG RAIKIRI II",
                            "    - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops",
                            "    - misc: rp1: Send IACK on IRQ activate to fix kdump/kexec",
                            "    - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem",
                            "    - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490",
                            "    - dt-bindings: usb: Fix EIC7700 USB reset's issue",
                            "    - comedi: comedi_test: fix check for valid scan_begin_src in",
                            "      waveform_ai_cmdtest()",
                            "    - comedi: comedi_test: Fix limiting of convert_arg in",
                            "      waveform_ai_cmdtest()",
                            "    - counter: Fix refcount leak in counter_alloc() error path",
                            "    - tty: serial: pch_uart: add check for dma_alloc_coherent()",
                            "    - tty: serial: samsung: Remove redundant port lock acquisition in rx",
                            "      helpers",
                            "    - uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory",
                            "    - usb: chipidea: core: convert ci_role_switch to local variable",
                            "    - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval",
                            "    - usb: dwc3: xilinx: fix error handling in zynqmp init error paths",
                            "    - usb: musb: omap2430: Fix use-after-free in omap2430_probe()",
                            "    - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub",
                            "      controllers",
                            "    - usb: storage: Add quirks for PNY Elite Portable SSD",
                            "    - usbip: vudc: Fix use after free bug in vudc_remove due to race condition",
                            "    - usb: usbtmc: check URB actual_length for interrupt-IN notifications",
                            "    - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize",
                            "    - usb: typec: tipd: Fix error code in tps6598x_probe()",
                            "    - usb: typec: tcpm: improve handling of DISCOVER_MODES failures",
                            "    - usb: typec: ucsi: Check if power role change actually happened before",
                            "      handling",
                            "    - usb: typec: ucsi: Don't update power_supply on power role change if not",
                            "      connected",
                            "    - USB: serial: option: add MeiG SRM813Q",
                            "    - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL",
                            "    - USB: serial: belkin_sa: validate interrupt status length",
                            "    - USB: serial: cypress_m8: validate interrupt packet headers",
                            "    - USB: serial: digi_acceleport: fix memory corruption with small endpoints",
                            "    - USB: serial: keyspan: fix missing indat transfer sanity check",
                            "    - USB: serial: mxuport: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check",
                            "    - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind",
                            "    - usb: gadget: net2280: Fix double free in probe error path",
                            "    - usb: gadget: f_hid: fix device reference leak in hidg_alloc()",
                            "    - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling",
                            "    - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports",
                            "    - usb: gadget: f_fs: copy only received bytes on short ep0 read",
                            "    - usb: gadget: f_fs: serialize DMABUF cancel against request completion",
                            "    - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()",
                            "    - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow",
                            "    - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()",
                            "    - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker",
                            "    - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32",
                            "    - scsi: target: iscsi: Fix CRC overread and double-free in",
                            "      iscsit_handle_text_cmd()",
                            "    - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf",
                            "    - scsi: target: iscsi: Validate CHAP_R length before base64 decode",
                            "    - drm/hyperv: validate resolution_count and fix WIN8 fallback",
                            "    - drm/hyperv: validate VMBus packet size in receive callback",
                            "    - drm/gem: fix race between change_handle and handle_delete",
                            "    - drm/i915/color: Fix HDR pre-CSC LUT programming loop",
                            "    - drm/i915/psr: Block DC states on vblank enable when Panel Replay",
                            "      supported",
                            "    - drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable",
                            "    - drm/i915: Fix potential UAF in TTM object purge",
                            "    - drm/amd/pm/si: Disregard vblank time when no displays are connected",
                            "    - serial: altera_jtaguart: handle uart_add_one_port() failures",
                            "    - serial: qcom-geni: fix UART_RX_PAR_EN bit position",
                            "    - serial: qcom_geni: fix kfifo underflow when flush precedes DMA",
                            "      completion IRQ",
                            "    - serial: sh-sci: fix memory region release in error path",
                            "    - serial: zs: Fix swapped RI/DSR modem line transition counting",
                            "    - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma",
                            "    - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr",
                            "    - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger",
                            "    - drm/amdkfd: Check for pdd drm file first in CRIU restore path",
                            "    - drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO",
                            "    - drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx",
                            "    - drm/amdgpu: fix amdgpu_hmm_range_get_pages",
                            "    - drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO",
                            "    - serial: dz: Fix bootconsole message clobbering at chip reset",
                            "    - serial: dz: Fix bootconsole handover lockup",
                            "    - serial: dz: Convert to use a platform device",
                            "    - serial: zs: Fix bootconsole handover lockup",
                            "    - serial: zs: Switch to using channel reset",
                            "    - serial: zs: Convert to use a platform device",
                            "    - serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)",
                            "    - serial: 8250: dispatch SysRq character in serial8250_handle_irq()",
                            "    - serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()",
                            "    - platform/x86/intel/vsec: Refactor base_addr handling",
                            "    - platform/x86/intel/vsec: Make driver_data info const",
                            "    - platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery",
                            "    - rxrpc: Fix RESPONSE packet verification to extract skb to a linear",
                            "      buffer",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook",
                            "      X",
                            "    - arm64: tlb: Flush walk cache when unsharing PMD tables",
                            "    - i2c: tegra: make tegra_i2c_mutex_unlock() return void",
                            "    - hwmon: (pmbus) Add support for guarded PMBus lock",
                            "    - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with",
                            "      pmbus_lock",
                            "    - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock",
                            "    - net: phy: micrel: fix LAN8814 QSGMII soft reset",
                            "    - xhci: tegra: Fix ghost USB device on dual-role port unplug",
                            "    - mailbox: Fix NULL message support in mbox_send_message()",
                            "    - usb: core: Fix SuperSpeed root hub wMaxPacketSize",
                            "    - tools: ynl: add scope qualifier for definitions",
                            "    - Linux 7.0.12",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46318",
                            "    - Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46322",
                            "    - tun: free page on build_skb failure in tun_xdp_one()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46320",
                            "    - tap: free page on error paths in tap_get_user_xdp()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46321",
                            "    - tun: free page on short-frame rejection in tun_xdp_one()",
                            "",
                            "  * CVE-2026-46316 // CVE-2026-46317",
                            "    - KVM: arm64: Reassign nested_mmus array behind mmu_lock",
                            "",
                            "  * CVE-2026-46316",
                            "    - KVM: arm64: vgic-its: Drop the translation cache reference only for the",
                            "      erased entry",
                            "    - KVM: arm64: Take the SRCU lock for page table walks in fault injection",
                            "      and AT emulation",
                            "",
                            "  * Resolute update: v7.0.11 upstream stable release (LP: #2156390)",
                            "    - iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs",
                            "    - iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
                            "    - ksmbd: close durable scavenger races against m_fp_list lookups",
                            "    - ata: libata-scsi: improve readability of ata_scsi_qc_issue()",
                            "    - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT",
                            "    - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS",
                            "    - ata: libata-scsi: do not needlessly defer commands when using PMP with",
                            "      FBS",
                            "    - sysfs: don't remove existing directory on update failure",
                            "    - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
                            "    - ksmbd: fix null pointer dereference in compare_guid_key()",
                            "    - ksmbd: fix null pointer dereference in proc_show_files()",
                            "    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow",
                            "    - ksmbd: validate SID in parent security descriptor during ACL inheritance",
                            "    - regulator: tps65219: fix irq_data.rdev not being assigned",
                            "    - x86/mm: Disable broadcast TLB flush when PCID is disabled",
                            "    - scripts/gdb: mm: cast untyped symbols in x86_page_ops",
                            "    - smb: client: require net admin for CIFS SWN netlink",
                            "    - smb: client: protect tc_count increment in",
                            "      smb2_find_smb_sess_tcon_unlocked()",
                            "    - smb: client: use data_len for SMB2 READ encrypted folioq copy",
                            "    - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close",
                            "    - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX",
                            "    - ALSA: ua101: Reject too-short USB descriptors",
                            "    - ALSA: pcm: Don't setup bogus iov_iter for silencing",
                            "    - ALSA: asihpi: Fix potential OOB array access at reading cache",
                            "    - ALSA: scarlett2: Allow flash writes ending at segment boundary",
                            "    - ACPI: battery: Fix system wakeup on critical battery status",
                            "    - efi: Allocate runtime workqueue before ACPI init",
                            "    - spi: amd: Set correct bus number in ACPI probe path",
                            "    - io_uring/waitid: clear waitid info before copying it to userspace",
                            "    - drivers/base/memory: fix memory block reference leak in poison",
                            "      accounting",
                            "    - ipv6: ioam: refresh hdr pointer before ioam6_event()",
                            "    - mm/memory: fix spurious warning when unmapping device-private/exclusive",
                            "      pages",
                            "    - mm: fix __vm_normal_page() to handle missing support for",
                            "      pmd_special()/pud_special()",
                            "    - mm/memory_hotplug: fix memory block reference leak on remove",
                            "    - mm/page_alloc: fix initialization of tags of the huge zero folio with",
                            "      init_on_free",
                            "    - mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page",
                            "    - selftests/mm: run_vmtests.sh: fix destructive tests invocation",
                            "    - mm/damon: fix damos_stat tracepoint format for sz_applied",
                            "    - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
                            "    - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
                            "    - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START",
                            "    - Bluetooth: bnep: Fix UAF read of dev->name",
                            "    - Bluetooth: hci_uart: fix UAFs and race conditions in close and init",
                            "      paths",
                            "    - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer",
                            "    - Bluetooth: hci_qca: Convert timeout from jiffies to ms",
                            "    - Bluetooth: MGMT: validate Add Extended Advertising Data length",
                            "    - Bluetooth: serialize accept_q access",
                            "    - phonet/pep: disable BH around forwarded sk_receive_skb()",
                            "    - net: bcmgenet: keep RBUF EEE/PM disabled",
                            "    - net: devmem: reject dma-buf bind with non-page-aligned size or SG length",
                            "    - net: phy: skip EEE advertisement write when autoneg is disabled",
                            "    - net: hsr: defer node table free until after RCU readers",
                            "    - net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover",
                            "    - net: ifb: report ethtool stats over num_tx_queues",
                            "    - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()",
                            "    - netfilter: ip6t_hbh: reject oversized option lists",
                            "    - netfilter: nf_queue: hold bridge skb->dev while queued",
                            "    - netfilter: ipset: stop hash:* range iteration at end",
                            "    - net: ethtool: fix NULL pointer dereference in phy_reply_size",
                            "    - net: ethtool: phy: avoid NULL deref when PHY driver is unbound",
                            "    - ACPI: driver: Check ACPI_COMPANION() against NULL during probe",
                            "    - sched_ext: Fix missing warning in scx_set_task_state() default case",
                            "    - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path",
                            "    - l2tp: use list_del_rcu in l2tp_session_unhash",
                            "    - qed: fix double free in qed_cxt_tables_alloc()",
                            "    - ring-buffer: Fix reporting of missed events in iterator",
                            "    - ring-buffer: Flush and stop persistent ring buffer on panic",
                            "    - wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb",
                            "    - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()",
                            "    - selftests: mptcp: drop nanoseconds width specifier",
                            "    - mptcp: pm: fix ADD_ADDR timer infinite retry on option space",
                            "      insufficient",
                            "    - vsock/vmci: fix UAF when peer resets connection during handshake",
                            "    - vsock/virtio: reset connection on receiving queue overflow",
                            "    - ice: fix VF queue configuration with low MTU values",
                            "    - wifi: ath11k: clear shared SRNG pointer state on restart",
                            "    - wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
                            "    - wifi: iwlwifi: mld: stop TX during firmware restart",
                            "    - ipv4: raw: reject IP_HDRINCL packets with ihl < 5",
                            "    - ixgbevf: fix use-after-free in VEPA multicast source pruning",
                            "    - rbd: eliminate a race in lock_dwork draining on unmap",
                            "    - mptcp: do not drop partial packets",
                            "    - mptcp: reset rcv wnd on disconnect",
                            "    - lsm: hold cred_guard_mutex for lsm_set_self_attr()",
                            "    - octeontx2-af: CGX: add bounds check to cgx_speed_mbps index",
                            "    - octeontx2-pf: fix double free in rvu_rep_rsrc_init()",
                            "    - igc: fix potential skb leak in igc_fpe_xmit_smd_frame()",
                            "    - ice: fix locking around wait_event_interruptible_locked_irq",
                            "    - ice: fix setting promisc mode while adding VID filter",
                            "    - ice: restore PTP Rx timestamp config after ethtool set-channels",
                            "    - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
                            "    - af_unix: Fix UAF read of tail->len in unix_stream_data_wait()",
                            "    - wifi: mac80211: consume only present negotiated TTLM maps",
                            "    - octeontx2-pf: avoid double free of pool->stack on AQ init failure",
                            "    - cifs: Fix busy dentry used after unmounting",
                            "    - tracing: Do not call map->ops->elt_free() if elt_alloc() fails",
                            "    - ASoC: codecs: pcm512x: fix null-ptr dereference in",
                            "      pcm512x_overclock_xxx_put()",
                            "    - arm64: probes: Handle probes on hinted conditional branch instructions",
                            "    - KVM: arm64: vgic-its: Reject restored DTE with out-of-range",
                            "      num_eventid_bits",
                            "    - KVM: arm64: vgic: Free private_irqs when init fails after allocation",
                            "    - KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum",
                            "      #1235)",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM",
                            "    - virt: sev-guest: Explicitly leak pages in unknown state",
                            "    - i2c: tegra: fix pm_runtime leak on mutex_lock failure",
                            "    - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe",
                            "    - spi: qup: fix error pointer deref after DMA setup failure",
                            "    - phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870",
                            "    - phy: tegra: xusb: Fix per-pad high-speed termination calibration",
                            "    - phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4",
                            "      fix",
                            "    - phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables",
                            "    - phy: qcom: edp: Add eDP/DP mode switch support",
                            "    - phy: qcom: edp: Fix AUX_CFG8 programming for DP mode",
                            "    - scsi: isci: Fix use-after-free in device removal path",
                            "    - spi: ep93xx: fix error pointer deref after DMA setup failure",
                            "    - spi: sprd: fix error pointer deref after DMA setup failure",
                            "    - spi: ti-qspi: fix use-after-free after DMA setup failure",
                            "    - mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()",
                            "    - RDMA/siw: Reject MPA FPDU length underflow before signed receive math",
                            "    - s390/cio: Restore GFP_DMA for CHSC allocation",
                            "    - s390/pai: Disable duplicate read of kernel PAI counter value",
                            "    - s390/pai: Fix missing PAI counter increments under heavy load",
                            "    - fwctl: pds: Validate RPC input size before parsing",
                            "    - LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions",
                            "    - LoongArch: Remove unused code to avoid build warning",
                            "    - cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E",
                            "    - device property: set fwnode->secondary to NULL in fwnode_init()",
                            "    - drm/i915/display: Copy color pipeline from plane in the primary joiner",
                            "      pipe",
                            "    - drm/msm: Fix shrinker deadlock",
                            "    - drm/v3d: Fix use-after-free of CPU job query arrays on error path",
                            "    - drm/v3d: Release indirect CSD GEM reference on CPU job free",
                            "    - drm/virtio: use uninterruptible resv lock for plane updates",
                            "    - drm/xe/multi_queue: Fix secondary queue error case",
                            "    - drm/amdgpu/vpe: Force collaborate sync after TRAP",
                            "    - drm/bridge: it66121: acquire reset GPIO in probe",
                            "    - drm/bridge: megachips: remove bridge when irq request fails",
                            "    - drm/amd/display: Fix integer overflow in bios_get_image()",
                            "    - drm/amd/display: Validate GPIO pin LUT table size before iterating",
                            "    - drm/amd/display: Validate payload length and link_index in",
                            "      dc_process_dmub_aux_transfer_async",
                            "    - batman-adv: v: stop OGMv2 on disabled interface",
                            "    - batman-adv: tvlv: abort OGM send on tvlv append failure",
                            "    - batman-adv: tvlv: reject oversized TVLV packets",
                            "    - batman-adv: iv: recover OGM scheduling after forward packet error",
                            "    - batman-adv: mcast: fix use-after-free in orig_node RCU release",
                            "    - batman-adv: clear current gateway during teardown",
                            "    - batman-adv: dat: handle forward allocation error",
                            "    - batman-adv: fix fragment reassembly length accounting",
                            "    - batman-adv: fix tp_meter counter underflow during shutdown",
                            "    - batman-adv: frag: disallow unicast fragment in fragment",
                            "    - batman-adv: bla: fix report_work leak on backbone_gw purge",
                            "    - batman-adv: bla: avoid double decrement of bla.num_requests",
                            "    - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface",
                            "    - batman-adv: tp_meter: avoid use of uninit sender vars",
                            "    - batman-adv: tp_meter: directly shut down timer on cleanup",
                            "    - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown",
                            "    - batman-adv: tp_meter: fix race condition in send error reporting",
                            "    - batman-adv: tp_meter: avoid role confusion in tp_list",
                            "    - batman-adv: tt: fix TOCTOU race for reported vlans",
                            "    - batman-adv: tt: reject oversized local TVLV buffers",
                            "    - batman-adv: tt: avoid empty VLAN responses",
                            "    - batman-adv: tt: fix negative last_changeset_len",
                            "    - batman-adv: tt: fix negative tt_buff_len",
                            "    - batman-adv: tt: prevent TVLV entry number overflow",
                            "    - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock",
                            "    - hwmon: (pmbus/adm1266) reject implausible blackbox record_count",
                            "    - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer",
                            "    - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized",
                            "      buffer",
                            "    - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR",
                            "    - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in",
                            "      get_multiple",
                            "    - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO",
                            "      accessors",
                            "    - pinctrl: mediatek: moore: implement gpio_chip::get_direction()",
                            "    - pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function",
                            "    - arm64: dts: renesas: r8a78000: Fix SCIF brg_int clocks",
                            "    - ARM: dts: renesas: genmai: Drop superfluous cells",
                            "    - ARM: dts: renesas: rskrza1: Drop superfluous cells",
                            "    - pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high",
                            "      pins during suspend/resume",
                            "    - pinctrl: renesas: rzg2l: Fix SMT register cache handling",
                            "    - pinctrl: meson: amlogic-a4: fix deadlock issue",
                            "    - pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615",
                            "    - kho: skip KHO for crash kernel",
                            "    - mm/memfd_luo: report error when restoring a folio fails mid-loop",
                            "    - HID: intel-thc-hid: Intel-quickspi: Fix some error codes",
                            "    - HID: uclogic: Fix regression of input name assignment",
                            "    - firmware: arm_ffa: Check for NULL FF-A ID table while driver",
                            "      registration",
                            "    - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure",
                            "    - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue",
                            "    - firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0",
                            "    - riscv: errata: Fix bitwise vs logical AND in MIPS errata patching",
                            "    - riscv: Fix register corruption from uninitialized cregs on error",
                            "    - riscv: mm: Fixup no5lvl failure when vaddr is invalid",
                            "    - kunit: config: Enable KUNIT_DEBUGFS by default",
                            "    - kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS",
                            "    - pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150",
                            "    - firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies",
                            "    - firmware: arm_ffa: Keep framework RX release under lock",
                            "    - firmware: arm_ffa: Validate framework notification message layout",
                            "    - firmware: arm_ffa: Align RxTx buffer size before mapping",
                            "    - firmware: arm_ffa: Snapshot notifier callbacks under lock",
                            "    - firmware: arm_ffa: Fix sched-recv callback partition lookup",
                            "    - ARM: integrator: Fix early initialization",
                            "    - ALSA: hda: cs35l56: Put ACPI device after setting companion",
                            "    - ALSA: hda: cs35l41: Put ACPI device on missing physical node",
                            "    - btrfs: tracepoints: fix sleep while in atomic context in",
                            "      btrfs_sync_file()",
                            "    - netfilter: x_tables: allow initial table replace without emitting audit",
                            "      log message",
                            "    - netfilter: x_tables: allocate hook ops while under mutex",
                            "    - netfilter: x_tables: unregister the templates first",
                            "    - netfilter: x_tables: add and use xt_unregister_table_pre_exit",
                            "    - netfilter: x_tables: add and use xtables_unregister_table_exit",
                            "    - netfilter: ebtables: move to two-stage removal scheme",
                            "    - netfilter: ebtables: close dangling table module init race",
                            "    - netfilter: x_tables: close dangling table module init race",
                            "    - netfilter: bridge: eb_tables: close module init race",
                            "    - netfilter: nf_conntrack_expect: restore helper propagation via",
                            "      expectation",
                            "    - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()",
                            "    - test_kprobes: clear kprobes between test runs",
                            "    - tcp: Fix imbalanced icsk_accept_queue count.",
                            "    - net: napi: Avoid gro timer misfiring at end of busypoll",
                            "    - net: shaper: Reject reparenting of existing nodes",
                            "    - idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
                            "    - ice: fix setting RSS VSI hash for E830",
                            "    - ice: fix locking in ice_dcb_rebuild()",
                            "    - ice: dpll: fix rclk pin state get for E810",
                            "    - ice: dpll: fix misplaced header macros",
                            "    - net: lan966x: avoid unregistering netdev on register failure",
                            "    - net: ti: icssm-prueth: fix eth_ports_node leak in probe",
                            "    - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register",
                            "      access",
                            "    - phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init()",
                            "    - NFSD: Fix infinite loop in layout state revocation",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC",
                            "    - fprobe: Fix unregister_fprobe() to wait for RCU grace period",
                            "    - fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap",
                            "    - fs: Fix return in jfs_mkdir and orangefs_mkdir",
                            "    - irqchip/ath79-cpu: Remove unused function",
                            "    - fs: fix forced iversion increment on lazytime timestamp updates",
                            "    - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter",
                            "      validation",
                            "    - nsfs: fix wrong error code returned for pidns ioctls",
                            "    - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT",
                            "    - nvme: fix bio leak on mapping failure",
                            "    - nvme-pci: fix use-after-free in nvme_free_host_mem()",
                            "    - zonefs: handle integer overflow in zonefs_fname_to_fno",
                            "    - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().",
                            "    - ASoC: SOF: amd: Fix error code handling in psp_send_cmd()",
                            "    - powerpc: 82xx: fix uninitialized pointers with free attribute",
                            "    - powerpc: fix dead default for GUEST_STATE_BUFFER_TEST",
                            "    - powerpc/hv-gpci: fix preempt count leak in sysfs show paths",
                            "    - netfs: Fix cancellation of a DIO and single read subrequests",
                            "    - netfs: Fix missing locking around retry adding new subreqs",
                            "    - netfs: Fix missing barriers when accessing stream->subrequests",
                            "      locklessly",
                            "    - netfs: Fix netfs_read_to_pagecache() to pause on subreq failure",
                            "    - netfs: Fix potential for tearing in ->remote_i_size and ->zero_point",
                            "    - netfs: Fix zeropoint update where i_size > remote_i_size",
                            "    - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call",
                            "    - netfs: Fix overrun check in netfs_extract_user_iter()",
                            "    - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes",
                            "      gone",
                            "    - netfs: Defer the emission of trace_netfs_folio()",
                            "    - netfs: Fix streaming write being overwritten",
                            "    - netfs: Fix potential deadlock in write-through mode",
                            "    - netfs: Fix read-gaps to remove netfs_folio from filled folio",
                            "    - netfs: Fix write streaming disablement if fd open O_RDWR",
                            "    - netfs: Fix early put of sink folio in netfs_read_gaps()",
                            "    - netfs: Fix leak of request in netfs_write_begin() error handling",
                            "    - netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()",
                            "    - netfs: Fix partial invalidation of streaming-write folio",
                            "    - netfs: Fix folio->private handling in netfs_perform_write()",
                            "    - netfs: Fix netfs_read_folio() to wait on writeback",
                            "    - netfs, afs: Fix write skipping in dir/link writepages",
                            "    - afs: Fix the locking used by afs_get_link()",
                            "    - net: ethernet: cortina: Make RX SKB per-port",
                            "    - net: ethernet: cortina: Drop half-assembled SKB",
                            "    - net: ethernet: cortina: Carry over frag counter",
                            "    - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference",
                            "    - wifi: ath11k: fix error path leaks in some WMI WOW calls",
                            "    - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()",
                            "    - wifi: ath10k: skip WMI and beacon transmission when device is wedged",
                            "    - net: shaper: flip the polarity of the valid flag",
                            "    - net: shaper: fix trivial ordering issue in net_shaper_commit()",
                            "    - net: shaper: reject duplicate leaves in GROUP request",
                            "    - net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit",
                            "    - net: shaper: fix undersized reply skb allocation in GROUP command",
                            "    - net: shaper: enforce singleton NETDEV scope with id 0",
                            "    - net: shaper: reject QUEUE scope handle with missing id",
                            "    - block: don't overwrite bip_vcnt in bio_integrity_copy_user()",
                            "    - block: recompute nr_integrity_segments in blk_insert_cloned_request",
                            "    - HID: quirks: really enable the intended work around for appledisplay",
                            "    - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()",
                            "    - accel/qaic: Add overflow check to remap_pfn_range during mmap",
                            "    - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint",
                            "    - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics",
                            "    - drm/msm/dpu: fix UV scanlines calculation for YUV UBWC formats",
                            "    - drm/msm/dpu: Fix Kaanapali CWB register configuration",
                            "    - drm/msm/dsi: don't dump registers past the mapped region",
                            "    - drm/msm/dpu: don't mix devm and drmm functions",
                            "    - block: rename struct gendisk zone_wplugs_lock field",
                            "    - block: allow submitting all zone writes from a single context",
                            "    - block: fix handling of dead zone write plugs",
                            "    - selftests: ublk: cap nthreads to kernel's actual nr_hw_queues",
                            "    - x86/mce: Restore MCA polling interval halving",
                            "    - Documentation: intel_pstate: Fix description of asymmetric packing with",
                            "      SMT",
                            "    - drm/msm: Fix GMEM_BASE for A650",
                            "    - drm/msm/a6xx: Add soft fuse detection support",
                            "    - drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()",
                            "    - drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx",
                            "    - drm/msm/a6xx: Restore sysprof_active",
                            "    - drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN",
                            "    - drm/msm/a6xx: Check kzalloc return in a8xx_hfi_send_perf_table",
                            "    - ASoC: intel: sof_sdw: Prepare for configuration without a jack",
                            "    - ASoC: sdw_utils: cs42l43: allow spk component names to be combined",
                            "    - ASoC: sdw_utils: Check speaker component string allocation",
                            "    - riscv: Docs: fix unmatched quote warning",
                            "    - powerpc/time: Remove redundant preempt_disable|enable() calls from",
                            "      arch_irq_work_raise()",
                            "    - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot",
                            "    - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring",
                            "    - net: tls: prevent chain-after-chain in plain text SG",
                            "    - net: phy: DP83TC811: add reading of abilities",
                            "    - ovpn: tcp - use cached peer pointer in ovpn_tcp_close()",
                            "    - ovpn: respect peer refcount in CMD_NEW_PEER error path",
                            "    - ovpn: fix race between deleting interface and adding new peer",
                            "    - cifs: client: stage smb3_reconfigure() updates and restore ctx on",
                            "      failure",
                            "    - phy: apple: atc: Fix typec switch/mux leak on unbind",
                            "    - gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE",
                            "    - x86/xen: Fix xen_e820_swap_entry_with_ram()",
                            "    - vfio/pci: Check BAR resources before exporting a DMABUF",
                            "    - ovpn: disable BHs when updating device stats",
                            "    - tls: Preserve sk_err across recvmsg() when data has been copied",
                            "    - net/mlx5: Do not restore destination-less TC rules",
                            "    - net/mlx5: Skip disabled vports when setting max TX speed",
                            "    - scsi: sd: Fix return code handling in sd_spinup_disk()",
                            "    - ASoC: codecs: fs210x: fix possible buffer overflow",
                            "    - iommupt: Directly call iommupt's unmap_range()",
                            "    - iommupt: Avoid rewalking during map",
                            "    - iommu: Fix loss of errno on map failure for classic ops",
                            "    - iommu: Fix up map/unmap debugging for iommupt domains",
                            "    - iommu: Handle unmap error when iommu_debug is enabled",
                            "    - iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap",
                            "    - iommupt: Fix the end_index calculation in __map_range_leaf()",
                            "    - ALSA: scarlett2: Add missing error check when initialise Autogain Status",
                            "    - ALSA: hda/ca0132: Disable auto-detect on manual output select",
                            "    - cachefiles: Fix error return when vfs_mkdir() fails",
                            "    - io_uring/net: punt IORING_OP_BIND async if it needs file create",
                            "    - vsock/virtio: fix zerocopy completion for multi-skb sends",
                            "    - btrfs: check for subvolume before deleting squota qgroup",
                            "    - btrfs: fix squota accounting during enable generation",
                            "    - ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging",
                            "    - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()",
                            "    - netfilter: nft_inner: release local_lock before re-enabling softirqs",
                            "    - ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5",
                            "    - drm/msm/snapshot: fix dumping of the unaligned regions",
                            "    - hwmon: (lm90) Stop work before releasing hwmon device",
                            "    - hwmon: (lm90) Add lock protection to lm90_alert",
                            "    - wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is",
                            "      disabled",
                            "    - wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it",
                            "    - dma-mapping: move dma_map_resource() sanity check into debug code",
                            "    - drm/gem: Make the GEM LRU lock part of drm_device",
                            "    - drm/xe/gsc: Fix double-free of managed BO in error path",
                            "    - drm/xe/vf: Fix signature of print functions",
                            "    - drm/xe/pf: Fix CFI failure in debugfs access",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019988906",
                            "    - drm/xe: Consolidate workaround entries for Wa_18033852989",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN1",
                            "    - drm/xe/tuning: Apply windower hardware filtering setting on Xe3 and Xe3p",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN4",
                            "    - wifi: ath11k: fix peer resolution on rx path when peer_id=0",
                            "    - wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing",
                            "    - drm/mediatek: mtk_hdmi_ddc_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_cec: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable",
                            "    - io_uring: propagate array_index_nospec opcode into req->opcode",
                            "    - srcu: Don't queue workqueue handlers to never-online CPUs",
                            "    - cgroup/rstat: validate cpu before css_rstat_cpu() access",
                            "    - net/mlx5e: xsk: Fix unlocked writing to ICOSQ",
                            "    - cifs: Fix undefined variables",
                            "    - ice: ptp: serialize E825 PHY timer start with PTP lock",
                            "    - ice: ptp: use primary NAC semaphore on E825",
                            "    - igc: set tx buffer type for SMD frames",
                            "    - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP",
                            "    - phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config",
                            "    - kbuild: pacman-pkg: make \"rc\" releases adhere to pacman versioning",
                            "      scheme",
                            "    - net: dsa: mt7530: fix FDB entries not aging out with short timeout",
                            "    - net: dsa: mt7530: preserve VLAN tags on trapped link-local frames",
                            "    - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer",
                            "    - platform/surface: aggregator_registry: omit battery & AC nodes on",
                            "      Surface Laptop 7",
                            "    - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL",
                            "    - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel_sar: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: uniwill-laptop: Properly initialize charging threshold",
                            "    - platform/x86: uniwill-laptop: Accept charging threshold of 0",
                            "    - platform/x86: uniwill-laptop: Fix behavior of \"force\" module param",
                            "    - platform/x86: asus-armoury: fix mini-LED mode get/set on MODE2 devices",
                            "    - ASoC: soc-utils: Add missing va_end in snd_soc_ret()",
                            "    - drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti (v2)",
                            "    - drm/amdgpu/vce1: Check that the GPU address is < 128 MiB",
                            "    - drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets",
                            "    - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port",
                            "    - RDMA/rtrs: Fix use-after-free in path file creation cleanup",
                            "    - bridge: mcast: Fix a possible use-after-free when removing a bridge port",
                            "    - net: phy: honor eee_disabled_modes in phy_support_eee()",
                            "    - net: phy: honor eee_disabled_modes in phy_advertise_eee_all()",
                            "    - net: airoha: Fix NPU RX DMA descriptor bits",
                            "    - pds_core: fix error handling in pdsc_devcmd_wait",
                            "    - pds_core: fix debugfs_lookup dentry leak and error handling",
                            "    - erofs: fix managed cache race for unaligned extents",
                            "    - erofs: harden h_shared_count in erofs_init_inode_xattrs()",
                            "    - erofs: fix metabuf leak in inode xattr initialization",
                            "    - wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs",
                            "    - wifi: mac80211: fix MLE defragmentation",
                            "    - wifi: mac80211: fix multi-link element inheritance",
                            "    - wifi: wilc1000: fix dma_buffer leak on bus acquire failure",
                            "    - ALSA: seq: Serialize UMP output teardown with event_input",
                            "    - cgroup: rstat: relax NMI guard after switch to try_cmpxchg",
                            "    - tracing: Avoid NULL return from hist_field_name() on truncation",
                            "    - Bluetooth: hci_sync: Fix not setting mask for",
                            "      HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE",
                            "    - Bluetooth: btintel_pcie: Fix incorrect MAC access programming",
                            "    - Bluetooth: btmtk: fix urb->setup_packet leak in error paths",
                            "    - udp: gso: Fix handling checksum in __udp_gso_segment",
                            "    - udp: Fix UDP length on last GSO_PARTIAL segment",
                            "    - net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA",
                            "    - net: shaper: annotate the data races",
                            "    - net: shaper: rework the VALID marking (again)",
                            "    - crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks",
                            "    - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg",
                            "    - net: ag71xx: check error for platform_get_irq",
                            "    - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx",
                            "    - tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction",
                            "    - net: stmmac: eswin: fix HSP CSR init ordering after clock enable",
                            "    - net: stmmac: eswin: clear TXD and RXD delay registers during",
                            "      initialization",
                            "    - net: stmmac: eswin: correct RGMII delay granularity to 20 ps",
                            "    - net: stmmac: eswin: validate RGMII delay values",
                            "    - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed",
                            "    - gpio: aggregator: fix a potential use-after-free",
                            "    - gpio: aggregator: stop using dev-sync-probe",
                            "    - gpio: aggregator: remove the software node when deactivating the",
                            "      aggregator",
                            "    - gpio: aggregator: lock device when calling device_is_bound()",
                            "    - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()",
                            "    - drm/xe/oa: Fix exec_queue leak on width check in stream open",
                            "    - ASoC: cs-amp-lib: Fix wrong sizeof() in",
                            "      _cs_amp_set_efi_calibration_data()",
                            "    - ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup()",
                            "    - selftests: net: Fix checksums in xdp_native",
                            "    - nvme-pci: fix dma_vecs leak on p2p memory",
                            "    - nvme-pci: fix dma mapping leak on data setup error",
                            "    - octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs",
                            "    - net: mana: validate rx_req_idx to prevent out-of-bounds array access",
                            "    - tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR",
                            "    - net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback",
                            "    - pds_core: ensure null-termination for firmware version strings",
                            "    - net: enetc: fix missing error code when pf->vf_state allocation fails",
                            "    - io_uring/nop: pass all errors to userspace",
                            "    - blk-mq: pop cached request if it is usable",
                            "    - ksmbd: fix durable reconnect error path file lifetime",
                            "    - LoongArch: kprobes: Fix handling of fatal unrecoverable recursions",
                            "    - block: avoid use-after-free in disk_free_zone_resources()",
                            "    - Documentation: laptops: Update documentation for uniwill laptops",
                            "    - platform/x86: uniwill-laptop: Do not enable the charging limit even when",
                            "      forced",
                            "    - drm/msm: Restore second parameter name in purge() and evict()",
                            "    - security/keys: fix missed RCU read section on lookup",
                            "    - Linux 7.0.11",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385)",
                            "    - blk-cgroup: wait for blkcg cleanup before initializing new disk",
                            "    - md: suppress spurious superblock update error message for dm-raid",
                            "    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
                            "    - fs/mbcache: cancel shrink work before destroying the cache",
                            "    - md/raid1: fix the comparing region of interval tree",
                            "    - fs: fix archiecture-specific compat_ftruncate64",
                            "    - drbd: Balance RCU calls in drbd_adm_dump_devices()",
                            "    - loop: fix partition scan race between udev and loop_reread_partitions()",
                            "    - block: fix zones_cond memory leak on zone revalidation error paths",
                            "    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()",
                            "    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()",
                            "    - pstore/ram: fix resource leak when ioremap() fails",
                            "    - erofs: include the trailing NUL in FS_IOC_GETFSLABEL",
                            "    - md: fix array_state=clear sysfs deadlock",
                            "    - ublk: reset per-IO canceled flag on each fetch",
                            "    - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()",
                            "    - erofs: handle 48-bit blocks/uniaddr for extra devices",
                            "    - md: remove unused static md_wq workqueue",
                            "    - md: wake raid456 reshape waiters before suspend",
                            "    - dcache: permit dynamic_dname()s up to NAME_MAX",
                            "    - btrfs: fix the inline compressed extent check in inode_need_compress()",
                            "    - btrfs: fix deadlock between reflink and transaction commit when using",
                            "      flushoncommit",
                            "    - btrfs: do not reject a valid running dev-replace",
                            "    - OPP: debugfs: Use performance level if available to distinguish between",
                            "      rates",
                            "    - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()",
                            "    - ACPI: x86: cmos_rtc: Clean up address space handler driver",
                            "    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver",
                            "    - devres: fix missing node debug info in devm_krealloc()",
                            "    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags",
                            "    - debugfs: check for NULL pointer in debugfs_create_str()",
                            "    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()",
                            "    - soundwire: debugfs: initialize firmware_file to empty string",
                            "    - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()",
                            "    - amd-pstate: Update cppc_req_cached in fast_switch case",
                            "    - cpufreq: Pass the policy to cpufreq_driver->adjust_perf()",
                            "    - PCI: use generic driver_override infrastructure",
                            "    - platform/wmi: use generic driver_override infrastructure",
                            "    - vdpa: use generic driver_override infrastructure",
                            "    - s390/cio: use generic driver_override infrastructure",
                            "    - s390/ap: use generic driver_override infrastructure",
                            "    - bus: fsl-mc: use generic driver_override infrastructure",
                            "    - locking/mutex: Rename mutex_init_lockep()",
                            "    - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC",
                            "    - irqchip/irq-pic32-evic: Address warning related to wrong printf()",
                            "      formatter",
                            "    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()",
                            "    - hrtimer: Reduce trace noise in hrtimer_start()",
                            "    - locking: Fix rwlock and spinlock lock context annotations",
                            "    - signal: Fix the lock_task_sighand() annotation",
                            "    - ww-mutex: Fix the ww_acquire_ctx function annotations",
                            "    - perf/amd/ibs: Account interrupt for discarded samples",
                            "    - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR",
                            "    - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler",
                            "    - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE",
                            "    - rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`",
                            "    - sparc64: vdso: Link with -z noexecstack",
                            "    - scripts/gdb: timerlist: Adapt to move of tk_core",
                            "    - locking: Fix rwlock support in <linux/spinlock_up.h>",
                            "    - sched/topology: Compute sd_weight considering cpuset partitions",
                            "    - x86/irqflags: Preemptively move include paravirt.h directive where it",
                            "      belongs",
                            "    - sched/topology: Fix sched_domain_span()",
                            "    - irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()",
                            "    - ASoC: Intel: avs: Check maximum valid CPUID leaf",
                            "    - ASoC: Intel: avs: Include CPUID header at file scope",
                            "    - x86/vdso: Clean up remnants of VDSO32_NOTE_MASK",
                            "    - firmware: dmi: Correct an indexing error in dmi.h",
                            "    - fs/resctrl: Report invalid domain ID when parsing io_alloc_cbm",
                            "    - sched: Make class_schedulers avoid pushing current, and get rid of",
                            "      proxy_tag_curr()",
                            "    - sched/rt: Skip group schedulable check with rt_group_sched=0",
                            "    - wifi: ath11k: fix memory leaks in beacon template setup",
                            "    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()",
                            "    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished",
                            "      irq_prepare_bcn_tasklet",
                            "    - bpf: test_run: Fix the null pointer dereference issue in",
                            "      bpf_lwt_xmit_push_encap",
                            "    - wifi: ath12k: account TX stats only when ACK/BA status is present",
                            "    - wifi: ath12k: Fix legacy rate mapping for monitor mode capture",
                            "    - selftests/bpf: Handle !CONFIG_SMC in bpf_smc.c",
                            "    - wifi: ieee80211: fix definition of EHT-MCS 15 in MRU",
                            "    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH",
                            "    - [Config] Disable CONFIG_FSL_DPAA2_SWITCH on armhf and ppc64el",
                            "    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n",
                            "    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments",
                            "    - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy",
                            "    - powerpc/64s: Fix unmap race with PMD migration entries",
                            "    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n",
                            "    - wifi: libertas: use USB anchors for tracking in-flight URBs",
                            "    - wifi: libertas: don't kill URBs in interrupt context",
                            "    - bpf: Do not allow deleting local storage in NMI",
                            "    - selftests/nolibc: fix test_file_stream() on musl libc",
                            "    - selftests/nolibc: Fix build with host headers and libc",
                            "    - tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to",
                            "      'outbuf[]'",
                            "    - tools/nolibc/printf: Move snprintf length check to callback",
                            "    - tools/nolibc: MIPS: fix clobbers of 'lo' and 'hi' registers on different",
                            "      ISAs",
                            "    - tools/nolibc: avoid -Wundef warning for __STDC_VERSION__",
                            "    - wifi: mt76: mt7996: fix the behavior of radar detection",
                            "    - wifi: mt76: mt7996: fix iface combination for different chipsets",
                            "    - wifi: mt76: mt7996: Set mtxq->wcid just for primary link",
                            "    - wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in",
                            "      mt7996_vif_link_remove()",
                            "    - wifi: mt76: mt7996: Switch to the secondary link if the default one is",
                            "      removed",
                            "    - wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()",
                            "    - wifi: mt76: mt7996: Reset ampdu_state state in case of failure in",
                            "      mt7996_tx_check_aggr()",
                            "    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in",
                            "      mt76_connac2_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control",
                            "    - wifi: mt76: mt7615: fix use_cts_prot support",
                            "    - wifi: mt76: mt7915: fix use_cts_prot support",
                            "    - wifi: mt76: mt7925: prevent NULL pointer dereference in",
                            "      mt7925_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: prevent NULL vif dereference in",
                            "      mt7925_mac_write_txwi",
                            "    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor",
                            "    - wifi: mt76: mt7921: Place upper limit on station AID",
                            "    - wifi: mt76: Fix memory leak destroying device",
                            "    - wifi: mt76: mt7996: Fix NPU stop procedure",
                            "    - wifi: mt76: npu: Add missing rx_token_size initialization",
                            "    - wifi: mt76: mt7925: drop puncturing handling from BSS change path",
                            "    - wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync",
                            "    - wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()",
                            "    - wifi: mt76: mt7925: fix tx power setting failure after chip reset",
                            "    - wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync",
                            "    - wifi: mt76: fix deadlock in remain-on-channel",
                            "    - wifi: mt76: fix backoff fields and max_power calculation",
                            "    - arm64: cpufeature: Make PMUVer and PerfMon unsigned",
                            "    - bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI",
                            "    - wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP",
                            "    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event",
                            "    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()",
                            "    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()",
                            "    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection",
                            "    - wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property",
                            "    - wifi: mt76: mt7996: Remove link pointer dependency in",
                            "      mt7996_mac_sta_remove_links()",
                            "    - wifi: mt76: mt7996: Decrement sta counter removing the link in",
                            "      mt7996_mac_reset_sta_iter()",
                            "    - wifi: mt76: fix multi-radio on-channel scanning",
                            "    - wifi: mt76: support upgrading passive scans to active",
                            "    - wifi: mt76: mt7996: fix RRO EMU configuration",
                            "    - bpf: Fix refcount check in check_struct_ops_btf_id()",
                            "    - selftests/bpf: Fix sockmap_multi_channels reliability",
                            "    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
                            "    - bpf: Fix variable length stack write over spilled pointers",
                            "    - arm_mpam: Ensure in_reset_state is false after applying configuration",
                            "    - arm_mpam: Reset when feature configuration bit unset",
                            "    - bpf,arc_jit: Fix missing newline in pr_err messages",
                            "    - wifi: rtw89: phy: fix uninitialized variable access in",
                            "      rtw89_phy_cfo_set_crystal_cap()",
                            "    - drivers/vfio_pci_core: Change PXD_ORDER check from switch case to",
                            "      if/else block",
                            "    - r8152: fix incorrect register write to USB_UPHY_XTAL",
                            "    - selftests/tracing: Fix to make --logdir option work again",
                            "    - selftests/tracing: Fix to check awk supports non POSIX strtonum()",
                            "    - powerpc/crash: fix backup region offset update to elfcorehdr",
                            "    - powerpc/crash: Update backup region offset in elfcorehdr on memory",
                            "      hotplug",
                            "    - bpf: Fix abuse of kprobe_write_ctx via freplace",
                            "    - macvlan: annotate data-races around port->bc_queue_len_used",
                            "    - bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK",
                            "    - bpf: Fix stale offload->prog pointer after constant blinding",
                            "    - net: ethernet: ti-cpsw:: rename soft_reset() function",
                            "    - net: ethernet: ti-cpsw: fix linking built-in code to modules",
                            "    - wifi: brcmfmac: Fix error pointer dereference",
                            "    - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()",
                            "    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable",
                            "      hooks",
                            "    - bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes",
                            "    - wifi: ath10k: fix station lookup failure during disconnect",
                            "    - bpf: Fix linked reg delta tracking when src_reg == dst_reg",
                            "    - net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT",
                            "    - net: plumb drop reasons to __dev_queue_xmit()",
                            "    - net: qdisc_pkt_len_segs_init() cleanup",
                            "    - net: pull headers in qdisc_pkt_len_segs_init()",
                            "    - arm64: entry: Don't preempt with SError or Debug masked",
                            "    - ACPI: AGDI: fix missing newline in error message",
                            "    - arm64: kexec: Remove duplicate allocation for trans_pgd",
                            "    - bpf: Propagate error from visit_tailcall_insn",
                            "    - bpf: Fix ld_{abs,ind} failure path analysis in subprogs",
                            "    - bpf: Remove static qualifier from local subprog pointer",
                            "    - mptcp: better mptcp-level RTT estimator",
                            "    - bpf: Fix use-after-free in offloaded map/prog info fill",
                            "    - macsec: Support VLAN-filtering lower devices",
                            "    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb",
                            "    - net: bcmgenet: fix leaking free_bds",
                            "    - net: bcmgenet: fix racing timeout handler",
                            "    - net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()",
                            "    - eth: fbnic: Use wake instead of start",
                            "    - netfilter: xt_socket: enable defrag after all other checks",
                            "    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding",
                            "    - bpf: fix mm lifecycle in open-coded task_vma iterator",
                            "    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks",
                            "    - bpf: return VMA snapshot from task_vma iterator",
                            "    - bpf: Fix RCU stall in bpf_fd_array_map_clear()",
                            "    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf",
                            "    - net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available",
                            "    - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars",
                            "    - selftests/bpf: fix __jited_unpriv tag name",
                            "    - net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
                            "    - net/sched: act_ct: Only release RCU read lock after ct_ft",
                            "    - selftests: netfilter: nft_tproxy.sh: adjust to socat changes",
                            "    - net: mana: Use pci_name() for debugfs directory naming",
                            "    - net: mana: Move current_speed debugfs file to mana_init_port()",
                            "    - net: airoha: Add missing RX_CPU_IDX() configuration in",
                            "      airoha_qdma_cleanup_rx_queue()",
                            "    - net_sched: fix skb memory leak in deferred qdisc drops",
                            "    - bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
                            "    - bpf: Allow instructions with arena source and non-arena dest registers",
                            "    - selftests/bpf: Fix reg_bounds to match new tnum-based refinement",
                            "    - net/rds: Optimize rds_ib_laddr_check",
                            "    - net/rds: Restrict use of RDS/IB to the initial network namespace",
                            "    - bpf: Fix OOB in pcpu_init_value",
                            "    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls",
                            "    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG",
                            "    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+",
                            "    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110",
                            "    - net: phy: fix a return path in get_phy_c45_ids()",
                            "    - net/mlx5e: Fix features not applied during netdev registration",
                            "    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()",
                            "    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers",
                            "    - net: fix skb_ext_total_length() BUILD_BUG_ON with",
                            "      CONFIG_GCOV_PROFILE_ALL",
                            "    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb",
                            "    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds",
                            "      MTU",
                            "    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error",
                            "    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
                            "    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp",
                            "    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to",
                            "      sco_pi(sk)->codec",
                            "    - net: phy: qcom: at803x: Use the correct bit to disable extended next",
                            "      page",
                            "    - udp: Force compute_score to always inline",
                            "    - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().",
                            "    - sctp: fix missing encap_port propagation for GSO fragments",
                            "    - sctp: disable BH before calling udp_tunnel_xmit_skb()",
                            "    - selftests/namespaces: remove unused utils.h include from",
                            "      listns_efault_test",
                            "    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master",
                            "    - net: airoha: Fix VIP configuration for AN7583 SoC",
                            "    - net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()",
                            "    - drm/panel: ilitek-ili9882t: Select DRM_DISPLAY_DSC_HELPER",
                            "    - selftests/futex: Fix incorrect result reporting of futex_requeue test",
                            "      item",
                            "    - drm/komeda: fix integer overflow in AFBC framebuffer size check",
                            "    - dma-fence: Fix sparse warnings due __rcu annotations",
                            "    - drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()",
                            "    - drm/virtio: Allow importing prime buffers when 3D is enabled",
                            "    - ASoC: soc-compress: use function to clear symmetric params",
                            "    - PCI/TPH: Allow TPH enable for RCiEPs",
                            "    - PCI: endpoint: pci-epf-vntb: Fix MSI doorbell IRQ unwind",
                            "    - PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested",
                            "    - PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc",
                            "    - drm/sun4i: mixer: Fix layer init code",
                            "    - drm/sun4i: backend: fix error pointer dereference",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019877138",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019386621",
                            "    - drm/xe/xe2_hpg: Drop invalid workaround Wa_15010599737",
                            "    - gpu: nova-core: gsp: use empty slices instead of [0..0] ranges",
                            "    - gpu: nova-core: gsp: fix improper handling of empty slot in cmdq",
                            "    - drm/amdkfd: Removed commented line for MQD queue priority",
                            "    - PCI: imx6: Fix device node reference leak in imx_pcie_probe()",
                            "    - crypto: inside-secure/eip93 - fix register definition",
                            "    - ASoC: sti: Return errors from regmap_field_alloc()",
                            "    - ASoC: sti: use managed regmap_field allocations",
                            "    - dm cache: fix null-deref with concurrent writes in passthrough mode",
                            "    - dm cache: fix write path cache coherency in passthrough mode",
                            "    - dm cache: fix write hang in passthrough mode",
                            "    - dm cache policy smq: fix missing locks in invalidating cache blocks",
                            "    - dm cache: fix concurrent write failure in passthrough mode",
                            "    - dm cache: fix dirty mapping checking in passthrough mode switching",
                            "    - dm-mpath: don't stop probing paths at presuspend",
                            "    - drm/amd/ras: Fix type size of remainder argument",
                            "    - dt-bindings: mmc: dwcmshc-sdhci: Fix resets array validation",
                            "    - drm/amdgpu: GFX12.1 scratch memory limit up to 57-bit",
                            "    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove",
                            "    - gpu: nova-core: use checked arithmetic in FWSEC firmware parsing",
                            "    - gpu: nova-core: create falcon firmware DMA objects lazily",
                            "    - gpu: nova-core: falcon: rename load parameters to reflect DMA dependency",
                            "    - gpu: nova-core: firmware: fix and explain v2 header offsets computations",
                            "    - PCI: dwc: ep: Fix MSI-X Table Size configuration in",
                            "      dw_pcie_ep_set_msix()",
                            "    - PCI: dwc: ep: Mirror the max link width and speed fields to all",
                            "      functions",
                            "    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()",
                            "    - dm cache metadata: fix memory leak on metadata abort retry",
                            "    - dm log: fix out-of-bounds write due to region_count overflow",
                            "    - iopoll: fix function parameter names in read_poll_timeout_atomic()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier",
                            "      in atomic_enable()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to",
                            "      drm_bridge_funcs",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge",
                            "      atomic check",
                            "    - spi: nxp-xspi: Use reinit_completion() for repeated operations",
                            "    - spi: nxp-fspi: Use reinit_completion() for repeated operations",
                            "    - spi: fsl-qspi: Use reinit_completion() for repeated operations",
                            "    - spi: axiado: Remove redundant pm_runtime_mark_last_busy() call",
                            "    - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe",
                            "    - media: synopsys: VIDEO_DW_MIPI_CSI2RX should depend on ARCH_ROCKCHIP",
                            "    - [Config] VIDEO_DW_MIPI_CSI2RX depends on ARCH_ROCKCHIP",
                            "    - drm/amd/pm: Fix xgmi max speed reporting",
                            "    - spi: atcspi200: fix mutex initialization order",
                            "    - selftests/sched_ext: Add missing error check for exit__load()",
                            "    - drm/v3d: Handle error from drm_sched_entity_init()",
                            "    - drm/sun4i: Fix resource leaks",
                            "    - crypto: inside-secure/eip93 - register hash before authenc algorithms",
                            "    - PCI: rzg3s-host: Fix reset handling in probe error path",
                            "    - PCI: rzg3s-host: Reorder reset assertion during suspend",
                            "    - dt-bindings: PCI: renesas,r9a08g045s33-pcie: Fix naming properties",
                            "    - iommu/riscv: Add IOTINVAL after updating DDT/PDT entries",
                            "    - iommu/riscv: Skip IRQ count check when using MSI interrupts",
                            "    - iommu/riscv: Add missing GENERIC_MSI_IRQ",
                            "    - iommu/riscv: Stop polling when CQCSR reports an error",
                            "    - drm/amdkfd: Update queue properties for metadata ring",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()",
                            "    - drm/amdgpu: Add default case in DVI mode validation",
                            "    - regulator: dt-bindings: fp9931: Make vin-supply property as required",
                            "    - regulator: fp9931: Fix handling of mandatory \"vin\" supply",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()",
                            "    - drm/amdgpu: Drop redundant queue NULL check in hang detect worker",
                            "    - drm/amdgpu: Remove dead negative offset check in",
                            "      amdgpu_virt_init_critical_region()",
                            "    - dm init: ensure device probing has finished in dm-mod.waitfor=",
                            "    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build",
                            "      break",
                            "    - crypto: simd - reject compat registrations without __ prefixes",
                            "    - crypto: tegra - Disable softirqs before finalizing request",
                            "    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs",
                            "    - padata: Remove cpu online check from cpu add and removal",
                            "    - padata: Put CPU offline callback in ONLINE section to allow failure",
                            "    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the",
                            "      documentation",
                            "    - accel/amdxdna: fix missing newline in pr_err message",
                            "    - drm/amd/ras: Remove redundant NULL check in pending bad-bank list",
                            "      iteration",
                            "    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority",
                            "    - drm/amdgpu/gfx11: look at the right prop for gfx queue priority",
                            "    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo",
                            "    - PCI: sky1: Fix missing cleanup of ECAM config on probe failure",
                            "    - drm/imagination: Switch reset_reason fields from enum to u32",
                            "    - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()",
                            "    - iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement",
                            "    - drm/msm: add missing MODULE_DEVICE_ID definitions",
                            "    - drm/msm/dpu: fix mismatch between power and frequency",
                            "    - drm/msm/dsi: add the missing parameter description",
                            "    - drm/msm/dpu: don't try using 2 LMs if only one DSC is available",
                            "    - drm/msm/dsi: fix bits_per_pclk",
                            "    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel",
                            "    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0",
                            "    - ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode",
                            "    - tools/sched_ext: scx_pair: fix pair_ctx indexing for CPU pairs",
                            "    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first",
                            "    - drm/panel: simple: Correct G190EAN01 prepare timing",
                            "    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion",
                            "      support",
                            "    - PCI: Prevent shrinking bridge window from its required size",
                            "    - PCI: Fix premature removal from realloc_head list during resource",
                            "      assignment",
                            "    - crypto: hisilicon/sec2 - prevent req used-after-free for sec",
                            "    - PCI: Fix alignment calculation for resource size larger than align",
                            "    - iommu/riscv: Fix signedness bug",
                            "    - ALSA: core: Validate compress device numbers without dynamic minors",
                            "    - drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths",
                            "    - ASoC: amd: acp: update dmic_num logic for acp pdm dmic",
                            "    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled",
                            "    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs",
                            "    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock",
                            "    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0",
                            "    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels",
                            "    - drm/amd/pm/ci: Fill DW8 fields from SMC",
                            "    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board",
                            "    - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled",
                            "    - PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors",
                            "    - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback",
                            "    - ALSA: hda/realtek: fix bad indentation for alc269",
                            "    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace",
                            "      '}')",
                            "    - ASoC: SOF: Intel: hda: Place check before dereference",
                            "    - drm/msm/vma: Avoid lock in VM_BIND fence signaling path",
                            "    - drm/msm/a6xx: Add missing aperture_lock init",
                            "    - drm/msm: Reject fb creation from _NO_SHARE objs",
                            "    - drm/msm: Fix VM_BIND UNMAP locking",
                            "    - drm/msm/a6xx: Fix HLSQ register dumping",
                            "    - drm/msm/shrinker: Fix can_block() logic",
                            "    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks",
                            "    - drm/msm/a6xx: Use barriers while updating HFI Q headers",
                            "    - drm/msm/a8xx: Fix the ticks used in submit traces",
                            "    - drm/msm/a6xx: Switch to preemption safe AO counter",
                            "    - drm/msm/a6xx: Correct OOB usage",
                            "    - drm/msm/adreno: Implement gx_is_on() for A8x",
                            "    - drm/msm/a6xx: Fix gpu init from secure world",
                            "    - ALSA: hda/cmedia: Remove duplicate pin configuration parsing",
                            "    - pmdomain: ti: omap_prm: Fix a reference leak on device node",
                            "    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()",
                            "    - PM: domains: De-constify fields in struct dev_pm_domain_attach_data",
                            "    - drm/msm/dpu: drop INTF_0 on MSM8953",
                            "    - ASoC: fsl_micfil: Add access property for \"VAD Detected\"",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_range_set()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()",
                            "    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()",
                            "    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()",
                            "    - ASoC: fsl_easrc: Change the type for iec958 channel status controls",
                            "    - iommu/amd: Fix clone_alias() to use the original device's devid",
                            "    - iommu/riscv: Remove overflows on the invalidation path",
                            "    - ASoC: qcom: qdsp6: topology: check widget type before accessing data",
                            "    - PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value",
                            "    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off",
                            "    - crypto: qat - disable 420xx AE cluster when lead engine is fused off",
                            "    - crypto: qat - fix compression instance leak",
                            "    - crypto: qat - fix type mismatch in RAS sysfs show functions",
                            "    - crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()",
                            "    - crypto: qat - use swab32 macro",
                            "    - ALSA: hda: Notify IEC958 Default PCM switch state changes",
                            "    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]",
                            "    - PCI: Enable AtomicOps only if Root Port supports them",
                            "    - PCI: imx6: Keep Root Port MSI capability with iMSI-RX to work around",
                            "      hardware bug",
                            "    - PCI: aspeed: Fix IRQ domain leak on platform_get_irq() failure",
                            "    - dt-bindings: PCI: imx6q-pcie: Fix maxItems of clocks and clock-names",
                            "    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found",
                            "    - gpu: nova-core: bitfield: fix broken Default implementation",
                            "    - selftests/mm: skip migration tests if NUMA is unavailable",
                            "    - Documentation: fix a hugetlbfs reservation statement",
                            "    - Docs/admin-guide/mm/damn/lru_sort: fix intervals autotune parameter name",
                            "    - Docs/mm/damon/index: fix typo: autoamted -> automated",
                            "    - zram: do not permit params change after init",
                            "    - selftest: memcg: skip memcg_sock test if address family not supported",
                            "    - gpu: nova-core: remove redundant `.as_ref()` for `dev_*` print",
                            "    - gpu: nova-core: fix missing colon in SEC2 boot debug message",
                            "    - ALSA: scarlett2: Add missing sentinel initializer field",
                            "    - ASoC: qcom: audioreach: explicitly enable speaker protection modules",
                            "    - ASoC: SOF: compress: return the configured codec from get_params",
                            "    - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports",
                            "    - tools/sched_ext: Fix off-by-one in scx_sdt payload zeroing",
                            "    - ASoC: soc-component: re-add pcm_new()/pcm_free()",
                            "    - ASoC: amd: name back to pcm_new()/pcm_free()",
                            "    - ASoC: amd: ps: fix the pcm device numbering for acp pdm dmic",
                            "    - ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream",
                            "    - PCI: tegra194: Fix polling delay for L2 state",
                            "    - PCI: tegra194: Increase LTSSM poll time on surprise link down",
                            "    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link",
                            "      down",
                            "    - PCI: tegra194: Don't force the device into the D0 state before L2",
                            "    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode",
                            "    - PCI: tegra194: Use devm_gpiod_get_optional() to parse \"nvidia,refclk-",
                            "      select\"",
                            "    - PCI: tegra194: Disable direct speed change for Endpoint mode",
                            "    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint",
                            "      mode",
                            "    - PCI: tegra194: Allow system suspend when the Endpoint link is not up",
                            "    - PCI: tegra194: Free up Endpoint resources during remove()",
                            "    - PCI: tegra194: Use DWC IP core version",
                            "    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well",
                            "    - PCI: tegra194: Disable L1.2 capability of Tegra234 EP",
                            "    - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on",
                            "    - drm/fb-helper: Fix a locking bug in an error path",
                            "    - PCI: cadence: Add flags for disabling ASPM capability for broken Root",
                            "      Ports",
                            "    - PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root Ports",
                            "    - ASoC: SDCA: Fix cleanup inversion in class driver",
                            "    - spi: rzv2h-rspi: Fix invalid SPR=0/BRDV=0 clock configuration",
                            "    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()",
                            "      callback",
                            "    - ALSA: sc6000: Keep the programmed board state in card-private data",
                            "    - dm cache: fix missing return in invalidate_committed's error path",
                            "    - sched_ext: Track @p's rq lock across set_cpus_allowed_scx ->",
                            "      ops.set_cpumask",
                            "    - sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking",
                            "    - spi: cadence-qspi: Revert the filtering of certain opcodes in ODTR",
                            "    - crypto: jitterentropy - replace long-held spinlock with mutex",
                            "    - ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP",
                            "    - ALSA: hda/realtek - fixed speaker no sound update",
                            "    - gfs2: Call unlock_new_inode before d_instantiate",
                            "    - fanotify: avoid/silence premature LSM capability checks",
                            "    - fanotify: call fanotify_events_supported() before path_permission() and",
                            "      security_path_notify()",
                            "    - fuse: fix uninit-value in fuse_dentry_revalidate()",
                            "    - ktest: Avoid undef warning when WARNINGS_FILE is unset",
                            "    - ktest: Honor empty per-test option overrides",
                            "    - ktest: Run POST_KTEST hooks on failure and cancellation",
                            "    - vfio: selftests: fix crash in vfio_dma_mapping_mmio_test",
                            "    - rtla/utils: Fix resource leak in set_comm_sched_attr()",
                            "    - tools/rtla: Generate optstring from long options",
                            "    - rtla: Fix segfault on multiple SIGINTs",
                            "    - vfio: selftests: Build tests on aarch64",
                            "    - gfs2: less aggressive low-memory log flushing",
                            "    - quota: Fix race of dquot_scan_active() with quota deactivation",
                            "    - vfio: unhide vdev->debug_root",
                            "    - gfs2: add some missing log locking",
                            "    - gfs2: prevent NULL pointer dereference during unmount",
                            "    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation",
                            "    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
                            "    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon",
                            "    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible",
                            "    - memory: tegra124-emc: Fix dll_change check",
                            "    - memory: tegra30-emc: Fix dll_change check",
                            "    - arm64: dts: imx8-apalis: Fix LEDs name collision",
                            "    - arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD",
                            "    - riscv: dts: spacemit: pcie: fix missing power regulator",
                            "    - arm64: dts: mediatek: mt7988a-bpi-r4pro: fix model string",
                            "    - arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config",
                            "    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO",
                            "      (M.2 W_DISABLE1)",
                            "    - iommufd: vfio compatibility extension check for noiommu mode",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges",
                            "    - arm64: dts: qcom: qcs6490-rubikpi3: Use lt9611 DSI Port B",
                            "    - arm64: dts: qcom: talos: Add missing clock-names to GCC",
                            "    - arm64: dts: ti: k3-am62l: include WKUP_UART0 in wakeup peripheral window",
                            "    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count",
                            "    - iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}",
                            "    - arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices",
                            "    - arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC",
                            "      eval carrier",
                            "    - arm64: dts: imx8mp-hummingboard-pulse/cubox-m: fix vmmc gpio polarity",
                            "    - arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference",
                            "    - ARM: dts: BCM5301X: Drop extra NAND controller compatible",
                            "    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8937-xiaomi-land: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight",
                            "    - firmware: qcom_scm: don't opencode kmemdup",
                            "    - soc: qcom: ubwc: disable bank swizzling for Glymur platform",
                            "    - arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi",
                            "    - Revert \"arm64: dts: rockchip: add SPDIF audio to Beelink A1\"",
                            "    - arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace",
                            "    - arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace",
                            "    - soc: qcom: ocmem: make the core clock optional",
                            "    - soc: qcom: ocmem: register reasons for probe deferrals",
                            "    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available",
                            "    - riscv: dts: spacemit: drop incorrect pinctrl for combo PHY",
                            "    - arm64: dts: rockchip: Fix RK3562 EVB2 model name",
                            "    - arm64: dts: rockchip: Add mphy reset to ufshc node",
                            "    - bus: rifsc: fix RIF configuration check for peripherals",
                            "    - arm64: dts: qcom: arduino-imola: fix faulty spidev node",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: add missing denali-oled.dtb to",
                            "      Makefile\"",
                            "    - arm64: dts: qcom: add missing denali-oled.dtb to Makefile",
                            "    - arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: lemans: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: monaco: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8750: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: kaanapali: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: milos: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8750: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller",
                            "    - arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl",
                            "    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered",
                            "      during boot",
                            "    - arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader",
                            "    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62l3-evm: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins",
                            "    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label",
                            "    - arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS",
                            "      muxing",
                            "    - arm64: dts: imx91: Remove TMU's superfluous sensor ID",
                            "    - arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC",
                            "    - arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3",
                            "    - arm64: dts: imx8mp-evk: Specify ADV7535 register addresses",
                            "    - arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit",
                            "    - arm64: dts: lx2160a: remove duplicate pinmux nodes",
                            "    - arm64: dts: lx2160a: rename pinmux nodes for readability",
                            "    - arm64: dts: lx2160a: add sda gpio references for i2c bus recovery",
                            "    - arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes",
                            "    - arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word",
                            "    - arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual",
                            "    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual",
                            "    - soc/tegra: cbb: Set ERD on resume for err interrupt",
                            "    - soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables",
                            "    - soc/tegra: cbb: Fix cross-fabric target timeout lookup",
                            "    - arm64: tegra: Fix RTC aliases",
                            "    - soc/tegra: pmc: Add kerneldoc for reboot notifier",
                            "    - soc/tegra: pmc: Correct function names in kerneldoc",
                            "    - soc/tegra: pmc: Add kerneldoc for wake-up variables",
                            "    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()",
                            "      failure",
                            "    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()",
                            "    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison",
                            "    - soc: qcom: llcc: fix v1 SB syndrome register offset",
                            "    - soc: qcom: aoss: compare against normalized cooling state",
                            "    - arm64: dts: qcom: milos: Add missing CX power domain to GCC",
                            "    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP",
                            "    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX",
                            "    - arm64/xor: fix conflicting attributes for xor_block_template",
                            "    - lib: kunit_iov_iter: fix memory leaks",
                            "    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended",
                            "    - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP",
                            "    - fwctl: Fix class init ordering to avoid NULL pointer dereference on",
                            "      device removal",
                            "    - ocfs2: fix listxattr handling when the buffer is full",
                            "    - ocfs2: validate bg_bits during freefrag scan",
                            "    - ocfs2: validate group add input before caching",
                            "    - dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis",
                            "    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void",
                            "      function",
                            "    - phy: apple: apple: Use local variable for ioremap return value",
                            "    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()",
                            "    - soundwire: Intel: test bus.bpt_stream before assigning it",
                            "    - dmaengine: mxs-dma: Fix missing return value from",
                            "      of_dma_controller_register()",
                            "    - soundwire: cadence: Clear message complete before signaling waiting",
                            "      thread",
                            "    - tracing: move __printf() attribute on __ftrace_vbprintk()",
                            "    - tracing: Rebuild full_name on each hist_field_name() call",
                            "    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC",
                            "    - [Config] Enable CONFIG_HTE_TEGRA194 on armhf",
                            "    - remoteproc: xlnx: Fix sram property parsing",
                            "    - stop_machine: Fix the documentation for a NULL cpus argument",
                            "    - remoteproc: imx_rproc: Check return value of regmap_attach_dev() in",
                            "      imx_rproc_mmio_detect_mode()",
                            "    - ima: check return value of crypto_shash_final() in boot aggregate",
                            "    - HID: asus: make asus_resume adhere to linux kernel coding standards",
                            "    - HID: asus: do not abort probe when not necessary",
                            "    - workqueue: devres: Add device-managed allocate workqueue",
                            "    - power: supply: max77705: Drop duplicated IRQ error message",
                            "    - power: supply: max77705: Free allocated workqueue and fix removal order",
                            "    - mtd: physmap_of_gemini: Fix disabled pinctrl state check",
                            "    - ima_fs: Correctly create securityfs files for unsupported hash algos",
                            "    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range",
                            "    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read",
                            "      operations",
                            "    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation",
                            "    - mtd: spi-nor: micron-st: add SNOR_CMD_PP_8_8_8_DTR sfdp fixup for",
                            "      mt35xu512aba",
                            "    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask",
                            "    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path",
                            "    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions",
                            "    - cxl/pci: Check memdev driver binding status in cxl_reset_done()",
                            "    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob",
                            "    - mtd: spinand: winbond: Clarify when to enable the HS bit",
                            "    - HID: usbhid: fix deadlock in hid_post_reset()",
                            "    - ext4: fix miss unlock 'sb->s_umount' in extents_kunit_init()",
                            "    - ext4: call deactivate_super() in extents_kunit_exit()",
                            "    - ext4: fix the error handling process in extents_kunit_init).",
                            "    - ext4: fix possible null-ptr-deref in extents_kunit_exit()",
                            "    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()",
                            "    - bpf, arm64: Reject out-of-range B.cond targets",
                            "    - bpf, arm64: Fix off-by-one in check_imm signed range check",
                            "    - bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, sockmap: Fix af_unix iter deadlock",
                            "    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update",
                            "    - bpf, sockmap: Take state lock for af_unix iter",
                            "    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check",
                            "    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs",
                            "    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()",
                            "    - libbpf: Prevent double close and leak of btf objects",
                            "    - bpf: Validate node_id in arena_alloc_pages()",
                            "    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - dt-bindings: pinctrl: marvell,armada3710-xb-pinctrl: add missing items",
                            "      keyword",
                            "    - pinctrl: pinctrl-pic32: Fix resource leak",
                            "    - perf trace: Avoid an ERR_PTR in syscall_stats",
                            "    - pinctrl: microchip-mssio: Fix missing return in probe",
                            "    - perf test type profiling: Remote typedef on struct",
                            "    - pinctrl: cy8c95x0: remove duplicate error message",
                            "    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()",
                            "    - pinctrl: cy8c95x0: Avoid returning positive values to user space",
                            "    - perf branch: Avoid incrementing NULL",
                            "    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE",
                            "      trace",
                            "    - pinctrl: pinconf-generic: Fully validate 'pinmux' property",
                            "    - pinctrl: realtek: Fix function signature for config argument",
                            "    - pinctrl: abx500: Fix type of 'argument' variable",
                            "    - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT}",
                            "      registers",
                            "    - tools build: Correct link flags for libopenssl",
                            "    - perf lock: Fix option value type in parse_max_stack",
                            "    - perf stat: Fix opt->value type for parse_cache_level",
                            "    - memblock: reserve_mem: fix end caclulation in",
                            "      reserve_mem_release_by_name()",
                            "    - perf stat: Fix crash on arm64",
                            "    - perf tools: Fix module symbol resolution for non-zero .text sh_addr",
                            "    - perf test: Fix ratio_to_prev event parsing test",
                            "    - perf test: Skip perf data type profiling tests for s390",
                            "    - perf expr: Return -EINVAL for syntax error in expr__find_ids()",
                            "    - perf metrics: Make common stalled metrics conditional on having the",
                            "      event",
                            "    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure",
                            "    - ipmi: ssif_bmc: fix message desynchronization after truncated response",
                            "    - ipmi: ssif_bmc: change log level to dbg in irq callback",
                            "    - perf cgroup: Update metric leader in evlist__expand_cgroup",
                            "    - pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description",
                            "    - pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description",
                            "    - perf maps: Fix fixup_overlap_and_insert that can break sorted by name",
                            "      order",
                            "    - perf maps: Fix copy_from that can break sorted by name order",
                            "    - perf util: Kill die() prototype, dead for a long time",
                            "    - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback",
                            "    - i3c: master: dw-i3c: Balance PM runtime usage count on probe failure",
                            "    - i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()",
                            "    - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()",
                            "    - i3c: master: adi: Fix error propagation for CCCs",
                            "    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status",
                            "    - fs/ntfs3: prevent uninitialized lcn caused by zero len",
                            "    - backlight: sky81452-backlight: Check return value of",
                            "      devm_gpiod_get_optional() in sky81452_bl_parse_dt()",
                            "    - platform/surface: surfacepro3_button: Drop wakeup source on remove",
                            "    - leds: lgm-sso: Remove duplicate assignments for priv->mmap",
                            "    - usb: typec: Fix error pointer dereference",
                            "    - tty: hvc_iucv: fix off-by-one in number of supported devices",
                            "    - usb: typec: ps883x: Fix Oops at unbind",
                            "    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and",
                            "      cleanup",
                            "    - platform/x86: barco-p50-gpio: normalize return value of gpio_get",
                            "    - fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()",
                            "    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()",
                            "    - nfs/blocklayout: Fix compilation error (`make W=1`) in",
                            "      bl_write_pagelist()",
                            "    - sunrpc: Kill RPC_IFDEBUG()",
                            "    - sunrpc: Fix compilation error (`make W=1`) when dprintk() is no-op",
                            "    - NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg",
                            "    - nfsd: use dynamic allocation for oversized NFSv4.0 replay cache",
                            "    - RDMA/umem: Use consistent DMA attributes when unmapping entries",
                            "    - greybus: raw: fix use-after-free on cdev close",
                            "    - greybus: raw: fix use-after-free if write is called after disconnect",
                            "    - platform/x86: asus-wmi: adjust screenpad power/brightness handling",
                            "    - platform/x86: asus-wmi: fix screenpad brightness range",
                            "    - tty: serial: ip22zilog: Fix section mispatch warning",
                            "    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion",
                            "    - platform/x86: hp-wmi: fix ignored return values in fan settings",
                            "    - platform/x86: hp-wmi: avoid cancel_delayed_work_sync from work handler",
                            "    - platform/x86: hp-wmi: use mod_delayed_work to reset keep-alive timer",
                            "    - platform/x86: hp-wmi: fix u8 underflow in gpu_delta calculation",
                            "    - platform/x86: hp-wmi: add locking for concurrent hwmon access",
                            "    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()",
                            "    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation",
                            "    - RDMA/core: Prefer NLA_NUL_STRING",
                            "    - platform/x86: hp-wmi: fix fan table parsing",
                            "    - dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur",
                            "    - clk: qcom: gcc-glymur: Add video axi clock resets for glymur",
                            "    - clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: renesas: r9a09g057: Fix ordering of module clocks array",
                            "    - clk: renesas: r9a09g056: Fix ordering of module clocks array",
                            "    - clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock",
                            "    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()",
                            "    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX",
                            "    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from",
                            "      byte_div_clk_src dividers",
                            "    - clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-kaanapali: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-milos: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting",
                            "    - clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}",
                            "    - scsi: target: core: Fix integer overflow in UNMAP bounds check",
                            "    - scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item",
                            "    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Use retention for USB power domains",
                            "    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains",
                            "    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk",
                            "    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks",
                            "    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()",
                            "    - clk: imx: imx6q: Fix device node reference leak in",
                            "      of_assigned_ldb_sels()",
                            "    - clk: imx8mq: Correct the CSI PHY sels",
                            "    - um: Fix potential race condition in TLB sync",
                            "    - x86/um: fix vDSO installation",
                            "    - clk: qoriq: avoid format string warning",
                            "    - clk: xgene: Fix mapping leak in xgene_pllclk_init()",
                            "    - clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()",
                            "    - f2fs: avoid reading already updated pages during GC",
                            "    - printk_ringbuffer: Fix get_data() size sanity check",
                            "    - clk: qcom: gdsc: Fix error path on registration of multiple pm",
                            "      subdomains",
                            "    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()",
                            "    - f2fs: fix data loss caused by incorrect use of nat_entry flag",
                            "    - f2fs: fix to preserve previous reserve_{blocks,node} value when remount",
                            "    - scsi: hpsa: Enlarge controller and IRQ name buffers",
                            "    - drm/amd/display: Fix parameter mismatch in panel self-refresh helper",
                            "    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON",
                            "    - clk: visconti: pll: initialize clk_init_data to zero",
                            "    - f2fs: allow empty mount string for Opt_usr|grp|projjquota",
                            "    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()",
                            "    - drm/i915/wm: Verify the correct plane DDB entry",
                            "    - virt: arm-cca-guest: fix error check for RSI_INCOMPLETE",
                            "    - crypto: eip93 - fix hmac setkey algo selection",
                            "    - crypto: sa2ul - Fix AEAD fallback algorithm names",
                            "    - crypto: ccp - copy IV using skcipher ivsize",
                            "    - sh: Include <linux/io.h> in dac.h",
                            "    - erofs: unify lcn as u64 for 32-bit platforms",
                            "    - tools: hv: Fix cross-compilation",
                            "    - Drivers: hv: vmbus: fix hyperv_cpuhp_online variable shadowing",
                            "    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - PCMCIA: Fix garbled log messages for KERN_CONT",
                            "    - reset: amlogic: t7: Fix null reset ops",
                            "    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's",
                            "      phy-names",
                            "    - pwm: stm32: Fix rounding issue for requests with inverted polarity",
                            "    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in",
                            "      tcf_blockcast_redir",
                            "    - macvlan: fix macvlan_get_size() not reserving space for",
                            "      IFLA_MACVLAN_BC_CUTOFF",
                            "    - net/sched: sch_cake: fix NAT destination port not being updated in",
                            "      cake_update_flowkeys",
                            "    - nexthop: fix IPv6 route referencing IPv4 nexthop",
                            "    - net: airoha: Wait for NPU PPE configuration to complete in",
                            "      airoha_ppe_offload_setup()",
                            "    - net/sched: taprio: fix use-after-free in advance_sched() on schedule",
                            "      switch",
                            "    - net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops",
                            "    - net: enetc: correct the command BD ring consumer index",
                            "    - net: enetc: fix NTMP DMA use-after-free issue",
                            "    - ksmbd: fix use-after-free in smb2_open during durable reconnect",
                            "    - tcp: move tp->chrono_type next tp->chrono_stat[]",
                            "    - tcp: inline tcp_chrono_start()",
                            "    - tcp: annotate data-races in tcp_get_info_chrono_stats()",
                            "    - tcp: add data-race annotations around tp->data_segs_out and",
                            "      tp->total_retrans",
                            "    - tcp: add data-races annotations around tp->reordering, tp->snd_cwnd",
                            "    - tcp: annotate data-races around tp->snd_ssthresh",
                            "    - tcp: annotate data-races around tp->delivered and tp->delivered_ce",
                            "    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE",
                            "    - tcp: annotate data-races around tp->bytes_sent",
                            "    - tcp: annotate data-races around tp->bytes_retrans",
                            "    - tcp: annotate data-races around tp->dsack_dups",
                            "    - tcp: annotate data-races around tp->reord_seen",
                            "    - tcp: annotate data-races around tp->srtt_us",
                            "    - tcp: annotate data-races around tp->timeout_rehash",
                            "    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)",
                            "    - tcp: annotate data-races around tp->plb_rehash",
                            "    - ice: fix 'adjust' timer programming for E830 devices",
                            "    - ice: update PCS latency settings for E825 10G/25Gb modes",
                            "    - ice: fix double-free of tx_buf skb",
                            "    - ice: fix PHY config on media change with link-down-on-close",
                            "    - ice: fix ICE_AQ_LINK_SPEED_M for 200G",
                            "    - ice: fix race condition in TX timestamp ring cleanup",
                            "    - ice: fix potential NULL pointer deref in error path of",
                            "      ice_set_ringparam()",
                            "    - i40e: don't advertise IFF_SUPP_NOFCS",
                            "    - iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2",
                            "    - e1000e: Unroll PTP in probe error handling",
                            "    - ipv6: fix possible UAF in icmpv6_rcv()",
                            "    - af_unix: Drop all SCM attributes for SOCKMAP.",
                            "    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks",
                            "    - pppoe: drop PFC frames",
                            "    - net/mlx5: Fix HCA caps leak on notifier init failure",
                            "    - net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()",
                            "    - netfilter: nft_osf: restrict it to ipv4",
                            "    - netfilter: conntrack: remove sprintf usage",
                            "    - netfilter: xtables: restrict several matches to inet family",
                            "    - netfilter: nat: use kfree_rcu to release ops",
                            "    - ipvs: fix MTU check for GSO packets in tunnel mode",
                            "    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching",
                            "    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check",
                            "    - net/sched: sch_dualpi2: drain both C-queue and L-queue in",
                            "      dualpi2_change()",
                            "    - arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0",
                            "    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number",
                            "    - vfio/pci: Clean up DMABUFs before disabling function",
                            "    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic",
                            "    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()",
                            "    - ksmbd: destroy async_ida in ksmbd_conn_free()",
                            "    - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open",
                            "    - ksmbd: scope conn->binding slowpath to bound sessions only",
                            "    - net: validate skb->napi_id in RX tracepoints",
                            "    - bnge: fix initial HWRM sequence",
                            "    - bnge: remove unsupported backing store type",
                            "    - sctp: fix sockets_allocated imbalance after sk_clone()",
                            "    - net/rds: zero per-item info buffer before handing it to visitors",
                            "    - ice: fix timestamp interrupt configuration for E825C",
                            "    - ice: perform PHY soft reset for E825C ports at initialization",
                            "    - ice: fix ready bitmap check for non-E822 devices",
                            "    - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g",
                            "    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()",
                            "    - net/sched: sch_pie: annotate data-races in pie_dump_stats()",
                            "    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()",
                            "    - net/sched: sch_red: annotate data-races in red_dump_stats()",
                            "    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()",
                            "    - net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()",
                            "    - net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()",
                            "    - net: dsa: realtek: rtl8365mb: fix mode mask calculation",
                            "    - net: airoha: Move ndesc initialization at end of",
                            "      airoha_qdma_init_rx_queue()",
                            "    - net: airoha: Rework the code flow in airoha_remove() and in",
                            "      airoha_probe() error path",
                            "    - net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()",
                            "    - net: mana: Init link_change_work before potential error paths in probe",
                            "    - net: mana: Init gf_stats_work before potential error paths in probe",
                            "    - net: mana: Guard mana_remove against double invocation",
                            "    - net: mana: Don't overwrite port probe error with add_adev result",
                            "    - net: mana: Fix EQ leak in mana_remove on NULL port",
                            "    - vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting",
                            "    - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via",
                            "      VQ_PAIRS_SET",
                            "    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls",
                            "    - tcp: send a challenge ACK on SEG.ACK > SND.NXT",
                            "    - tipc: fix double-free in tipc_buf_append()",
                            "    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()",
                            "    - nstree: fix func. parameter kernel-doc warnings",
                            "    - eventpoll: use hlist_is_singular_node() in __ep_remove()",
                            "    - eventpoll: split __ep_remove()",
                            "    - eventpoll: kill __ep_remove()",
                            "    - eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()",
                            "    - eventpoll: move epi_fget() up",
                            "    - fs/adfs: validate nzones in adfs_validate_bblk()",
                            "    - rtc: abx80x: Disable alarm feature if no interrupt attached",
                            "    - kbuild: builddeb - avoid recompiles for non-cross-compiles",
                            "    - tools/power turbostat: Fix AMD RAPL regression on big systems",
                            "    - fbdev: offb: fix PCI device reference leak on probe failure",
                            "    - tools/power turbostat: Fix unrecognized option '-P'",
                            "    - tools/power turbostat: Fix --cpu-set 0 regression on HT systems",
                            "    - tools/power turbostat: Fix --cpu-set 1 regression on HT systems",
                            "    - kbuild: Never respect CONFIG_WERROR / W=e to fixdep",
                            "    - mailbox: mtk-vcp-mailbox: Fix the return value in mtk_vcp_mbox_xlate()",
                            "    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case",
                            "    - mailbox: mailbox-test: free channels on probe error",
                            "    - sched/psi: fix race between file release and pressure write",
                            "    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()",
                            "    - cgroup/cpuset: record DL BW alloc CPU for attach rollback",
                            "    - mailbox: add sanity check for channel array",
                            "    - mailbox: mailbox-test: handle channel errors consistently",
                            "    - mailbox: mailbox-test: don't free the reused channel",
                            "    - mailbox: mailbox-test: initialize struct earlier",
                            "    - mailbox: mailbox-test: make data_ready a per-instance variable",
                            "    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()",
                            "    - btrfs: fix bytes_may_use leak in move_existing_remap()",
                            "    - btrfs: fix bytes_may_use leak in do_remap_reloc_trans()",
                            "    - btrfs: don't clobber errors in add_remap_tree_entries()",
                            "    - btrfs: fix double-decrement of bytes_may_use in",
                            "      submit_one_async_extent()",
                            "    - tracing: branch: Fix inverted check on stat tracer registration",
                            "    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
                            "    - netfilter: nf_tables: use list_del_rcu for netlink hooks",
                            "    - rculist: add list_splice_rcu() for private lists",
                            "    - netfilter: nf_tables: join hook list via splice_list_rcu() in commit",
                            "      phase",
                            "    - netfilter: nf_tables: add hook transactions for device deletions",
                            "    - nvme-pci: fix missed admin queue sq doorbell write",
                            "    - drm/amdgpu: avoid double drm_exec_fini() in userq validate",
                            "    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM",
                            "    - drm/amd/pm: fix missing fine-grained dpm table flag on aldebaran",
                            "    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG",
                            "    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated",
                            "    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)",
                            "    - drm/amdgpu: Only send RMA CPER when threshold is exceeded",
                            "    - netfilter: xt_policy: fix strict mode inbound policy matching",
                            "    - netfilter: nf_conntrack_sip: don't use simple_strtoul",
                            "    - spi: rzv2h-rspi: Fix silent failure in clock setup error path",
                            "    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED",
                            "    - ASoC: SOF: Intel: add an empty adr_link",
                            "    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ",
                            "    - ASoC: tas2764: Mark die temp register as volatile",
                            "    - ASoC: tas2770: Fix order of operations for temperature calculation",
                            "    - drm/sysfb: ofdrm: fix PCI device reference leaks",
                            "    - drm/color-mgmt: Typo s/R332/RGB332/",
                            "    - arm64/scs: Fix potential sign extension issue of advance_loc4",
                            "    - spi: spi-mem: Add a packed command operation",
                            "    - mtd: spinand: Add support for packed read data ODTR commands",
                            "    - mtd: spinand: winbond: Set the packed page read flag to W35N02/04JW",
                            "    - mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW",
                            "    - ACPICA: Provide #defines for EINJV2 error types",
                            "    - ACPI: APEI: EINJ: Fix EINJV2 memory error injection",
                            "    - cdrom, scsi: sr: propagate read-only status to block layer via",
                            "      set_disk_ro()",
                            "    - spi: axiado: replace usleep_range() with udelay() in IRQ path",
                            "    - netdevsim: zero initialize struct iphdr in dummy sk_buff",
                            "    - net/sched: netem: fix probability gaps in 4-state loss model",
                            "    - net/sched: netem: fix queue limit check to include reordered packets",
                            "    - net/sched: netem: only reseed PRNG when seed is explicitly provided",
                            "    - net/sched: netem: validate slot configuration",
                            "    - net/sched: netem: fix slot delay calculation overflow",
                            "    - net/sched: netem: check for negative latency and jitter",
                            "    - net: airoha: fix BQL imbalance in TX path",
                            "    - net: airoha: stop net_device TX queue before updating CPU index",
                            "    - net: airoha: fix typo in function name",
                            "    - net: airoha: Do not wake all netdev TX queues in",
                            "      airoha_qdma_wake_netdev_txqs()",
                            "    - net: airoha: Do not read uninitialized fragment address in",
                            "      airoha_dev_xmit()",
                            "    - net/sched: sch_choke: annotate data-races in choke_dump_stats()",
                            "    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()",
                            "    - vrf: Fix a potential NPD when removing a port from a VRF",
                            "    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()",
                            "    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit",
                            "    - spi: amlogic-spisg: initialize completion before requesting IRQ",
                            "    - NFC: trf7970a: Ignore antenna noise when checking for RF field",
                            "    - net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind",
                            "    - neigh: let neigh_xmit take skb ownership",
                            "    - tcp: make probe0 timer handle expired user timeout",
                            "    - netpoll: fix IPv6 local-address corruption",
                            "    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams",
                            "    - sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue",
                            "    - sched/fair: Clear rel_deadline when initializing forked entities",
                            "    - net: mctp i2c: check length before marking flow active",
                            "    - md/raid1,raid10: don't fail devices for invalid IO errors",
                            "    - md: add fallback to correct bitmap_ops on version mismatch",
                            "    - md: factor bitmap creation away from sysfs handling",
                            "    - md/md-bitmap: split bitmap sysfs groups",
                            "    - md/md-bitmap: add a none backend for bitmap grow",
                            "    - s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()",
                            "    - net: phy: dp83869: fix setting CLK_O_SEL field.",
                            "    - drm/amd/display: properly handle family setting for early GC 11.5.4",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.3.0 ring",
                            "    - drm/amd/pm: Add fine grained flag to SMU v13.0.6",
                            "    - io_uring/napi: cap busy_poll_to 10 msec",
                            "    - ASoC: cs35l56: Fix illegal writes to OTP_MEM registers",
                            "    - net: psp: check for device unregister when creating assoc",
                            "    - net: psp: require admin permission for dev-set and key-rotate",
                            "    - ASoC: codecs: ab8500: Fix casting of private data",
                            "    - netfilter: skip recording stale or retransmitted INIT",
                            "    - sctp: discard stale INIT after handshake completion",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (I)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (II)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (IV)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)",
                            "    - netconsole: return count instead of strnlen(buf, count) from store",
                            "      callbacks",
                            "    - netconsole: avoid clobbering userdatum value on truncated write",
                            "    - netconsole: propagate device name truncation in dev_name_store()",
                            "    - netconsole: restore userdatum value on update_userdata() failure",
                            "    - ALSA: hda/conexant: Fix missing error check for jack detection",
                            "    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()",
                            "    - ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0",
                            "      pages >1",
                            "    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup",
                            "    - drm/amd/display: Allow embedded connectors without DDC",
                            "    - drm/amd/display: Allow DCE link encoder without AUX registers",
                            "    - drm/amd/display: Allow constructing DCE6 link encoder without DDC",
                            "    - drm/amd/display: Allow constructing DCE8 link encoder without DDC",
                            "    - drm/amd/display: Read EDID from VBIOS embedded panel info",
                            "    - drm/amd/display: Use EDID from VBIOS embedded panel info",
                            "    - drm/xe: Use XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET enum instead of magic",
                            "      number",
                            "    - drm/xe: Drop registration of guc_submit_wedged_fini from",
                            "      xe_guc_submit_wedge()",
                            "    - drm/xe/debugfs: Correct printing of register whitelist ranges",
                            "    - drm/xe: Fix potential NULL deref in",
                            "      xe_exec_queue_tlb_inval_last_fence_put_unlocked",
                            "    - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()",
                            "    - drm/xe/eustall: Fix drm_dev_put called before stream disable in close",
                            "    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()",
                            "    - drm/xe/xelp: Fix Wa_18022495364",
                            "    - net: airoha: Do not return err in ndo_stop() callback",
                            "    - bonding: print churn state via netlink",
                            "    - bonding: 3ad: implement proper RCU rules for port->aggregator",
                            "    - page_pool: fix memory-provider leak in page_pool_create_percpu() error",
                            "      path",
                            "    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING",
                            "    - iavf: stop removing VLAN filters from PF on interface down",
                            "    - iavf: wait for PF confirmation before removing VLAN filters",
                            "    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler",
                            "    - ice: fix NULL pointer dereference in ice_reset_all_vfs()",
                            "    - ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw",
                            "    - ice: fix missing SMA pin initialization in DPLL subsystem",
                            "    - ice: fix SMA and U.FL pin state changes affecting paired pin",
                            "    - ice: fix missing dpll notifications for SW pins",
                            "    - dpll: export __dpll_pin_change_ntf() for use under dpll_lock",
                            "    - ice: add dpll peer notification for paired SMA and U.FL pins",
                            "    - net: tls: fix strparser anchor skb leak on offload RX setup failure",
                            "    - sfc: fix error code in efx_devlink_info_running_versions()",
                            "    - net/sched: cls_flower: revert unintended changes",
                            "    - kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition",
                            "    - arm64: Reserve an extra page for early kernel mapping",
                            "    - futex: Drop CLONE_THREAD requirement for private default hash alloc",
                            "    - PCI: Initialize temporary device in new_id_store()",
                            "    - workqueue: fix devm_alloc_workqueue() va_list misuse",
                            "    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()",
                            "    - sched/fair: Fix wakeup_preempt_fair() for not waking up task",
                            "    - crypto: af_alg - Cap AEAD AD length to 0x80000000",
                            "    - i40e: Cleanup PTP pins on probe failure",
                            "    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path",
                            "    - net: ena: PHC: Fix potential use-after-free in get_timestamp",
                            "    - cgroup/cpuset: Reset DL migration state on can_attach() failure",
                            "    - netfilter: nf_conntrack_sip: get helper before allocating expectation",
                            "    - audit: fix incorrect inheritable capability in CAPSET records",
                            "    - net: ena: PHC: Check return code before setting timestamp output",
                            "    - cgroup/dmem: Return -ENOMEM on failed pool preallocation",
                            "    - idpf: fix double free and use-after-free in aux device error paths",
                            "    - cgroup/cpuset: Reserve DL bandwidth only for root-domain moves",
                            "    - Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to",
                            "      warn\"",
                            "    - netfilter: nft_ct: fix missing expect put in obj eval",
                            "    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled",
                            "    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV",
                            "    - cgroup/cpuset: Return only actually allocated CPUs during partition",
                            "      invalidation",
                            "    - KVM: x86: Swap the dst and src operand for MOVNTDQA",
                            "    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()",
                            "    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer",
                            "      arithmetic",
                            "    - KVM: x86: Fix Xen hypercall tracepoint argument assignment",
                            "    - HID: pass the buffer size to hid_report_raw_event",
                            "    - HID: core: introduce hid_safe_input_report()",
                            "    - rseq: Revert to historical performance killing behaviour",
                            "    - rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode",
                            "    - rseq: Reenable performance optimizations conditionally",
                            "    - HID: core: Fix size_t specifier in hid_report_raw_event()",
                            "    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands",
                            "    - media: staging: imx: configure src_mux in csi_start",
                            "    - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events",
                            "    - nvme-apple: Reset q->sq_tail during queue init",
                            "    - smb/client: fix possible infinite loop and oob read in symlink_data()",
                            "    - drm/loongson: Use managed KMS polling",
                            "    - drm: Replace old pointer to new idr",
                            "    - drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup",
                            "    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats",
                            "    - drm/amd/display: Wrap DCN32 phantom-plane allocation in",
                            "      DC_RUN_WITH_PREEMPTION_ENABLED",
                            "    - drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure",
                            "    - platform/x86: intel: Move debugfs register before creating devices",
                            "    - platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers",
                            "    - platform/x86: lenovo-wmi-helpers: Fix memory leak in",
                            "      lwmi_dev_evaluate_int()",
                            "    - platform/x86: lenovo-wmi-other: Balance IDA id allocation and free",
                            "    - platform/x86: lenovo-wmi-other: Balance component bind and unbind",
                            "    - platform/x86: lenovo-wmi-other: Zero initialize WMI arguments",
                            "    - platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members",
                            "    - platform/x86: lenovo-wmi-other: Add Attribute ID helper functions",
                            "    - platform/x86: lenovo-wmi-other: Limit adding attributes to supported",
                            "      devices",
                            "    - accel/rocket: Fix prep_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx",
                            "    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone",
                            "    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans",
                            "    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans",
                            "    - ALSA: usb-audio: qcom: Check offload mapping failures",
                            "    - btrfs: only release the dirty pages io tree after successful writes",
                            "    - ceph: fix a buffer leak in __ceph_setxattr()",
                            "    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size",
                            "    - ceph: put folios not suitable for writeback",
                            "    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
                            "    - iommu/amd: Bounds-check devid in __rlookup_amd_iommu()",
                            "    - x86/kexec: Push kjump return address even for non-kjump kexec",
                            "    - xfs: fix memory leak on error in xfs_alloc_zone_info()",
                            "    - virt: sev-guest: Do not use host-controlled page order in cleanup path",
                            "    - powerpc/warp: Fix error handling in pika_dtm_thread",
                            "    - netfs: fix error handling in netfs_extract_user_iter()",
                            "    - nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled",
                            "    - nfsd: fix file change detection in CB_GETATTR",
                            "    - nfsd: update mtime/ctime on CLONE in presense of delegated attributes",
                            "    - nfsd: update mtime/ctime on COPY in presence of delegated attributes",
                            "    - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining",
                            "    - irqchip/meson-gpio: Use the correct register in",
                            "      meson_s4_gpio_irq_set_type()",
                            "    - irqchip/gic-v5: Move LPI allocation into the LPI domain",
                            "    - irqchip/gic-v5: Support range allocation for LPIs",
                            "    - irqchip/gic-v5: Allocate ITS parent LPIs as a range",
                            "    - libceph: Fix potential out-of-bounds access in osdmap_decode()",
                            "    - libceph: Fix potential null-ptr-deref in decode_choose_args()",
                            "    - libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()",
                            "    - libceph: Fix potential out-of-bounds access in crush_decode()",
                            "    - libceph: handle rbtree insertion error in decode_choose_args()",
                            "    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX",
                            "    - iommu/vt-d: Fix oops due to out of scope access",
                            "    - iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
                            "    - iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()",
                            "    - iommu: Replace per-group resetting_domain with per-gdev blocked flag",
                            "    - iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset",
                            "    - iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix nested pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()",
                            "    - drm/i915: skip __i915_request_skip() for already signaled requests",
                            "    - drm/panfrost: Fix wait_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - drm/xe/dma-buf: handle empty bo and UAF races",
                            "    - drm/xe/dma-buf: fix UAF with retry loop",
                            "    - drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure",
                            "    - drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC",
                            "    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup",
                            "    - drm/gma500/oaktrail_lvds: fix hang on init failure",
                            "    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init",
                            "    - arm_mpam: Fix monitor instance selection when checking for hardware NRDY",
                            "    - arm_mpam: Pretend that NRDY is always hardware managed",
                            "    - arm_mpam: Improve check for whether or not NRDY is hardware managed",
                            "    - arm_mpam: Fix false positive assert failure during mpam_disable()",
                            "    - arm_mpam: Check whether the config array is allocated before destroying",
                            "      it",
                            "    - eventfs: Simplify code using guard()s",
                            "    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list",
                            "    - smb: client: Use FullSessionKey for AES-256 encryption key derivation",
                            "    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: sifive: fix controller deregistration",
                            "    - tracefs: Removed unused 'ret' variable in eventfs_iterate()",
                            "    - workqueue: Annotate alloc_workqueue_va() with __printf(1, 0)",
                            "    - selftests/bpf: Remove test_access_variable_array",
                            "    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()",
                            "    - Linux 7.0.10",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45846",
                            "    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45845",
                            "    - net/sched: taprio: fix NULL pointer dereference in class dump",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45844",
                            "    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-46242",
                            "    - eventpoll: fix ep_remove struct eventpoll / struct file UAF",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45843",
                            "    - slip: bound decode() reads against the compressed packet length",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45842",
                            "    - slip: reject VJ receive packets on instances with no rstate array",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45841",
                            "    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45840",
                            "    - openvswitch: cap upcall PID array size and pre-size vport replies",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45839",
                            "    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45838",
                            "    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006)",
                            "    - Linux 7.0.8",
                            "    - HID: pidff: Fix integer overflow in pidff_rescale",
                            "    - media: uvcvideo: Enable VB2_DMABUF for metadata stream",
                            "    - drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames",
                            "    - media: rzv2h-ivc: Avoid double job scheduling",
                            "    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0",
                            "    - media: rzv2h-ivc: Write AXIRX_PIXFMT once",
                            "    - media: rzv2h-ivc: Fix FM_STOP register write",
                            "    - media: rzv2h-ivc: Fix concurrent buffer list access",
                            "    - media: mali-c55: Initialize the ISP in enable_streams()",
                            "    - media: mali-c55: Fix Iridix bypass macros",
                            "    - media: renesas: vsp1: Fix NULL pointer deref on module unload",
                            "    - media: renesas: vin: Fix RAW8 (again)",
                            "    - media: i2c: ov8856: free control handler on error in",
                            "      ov8856_init_controls()",
                            "    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for",
                            "      RK35{76,88}",
                            "    - media: dt-bindings: rockchip,vdec: Mark reg-names required for",
                            "      RK35{76,88}",
                            "    - media: chips-media: wave5: fix a potential memory leak in",
                            "      wave5_vdi_init()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      send_eos_event()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      handle_dynamic_resolution_change()",
                            "    - arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label",
                            "      position",
                            "    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after",
                            "      system pages",
                            "    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages",
                            "    - spi: bcm63xx: fix controller deregistration",
                            "    - spi: atmel: fix controller deregistration",
                            "    - arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux",
                            "    - regulator: mt6357: fix OF node reference imbalance",
                            "    - spi: st-ssc4: fix controller deregistration",
                            "    - regulator: max77650: fix OF node reference imbalance",
                            "    - media: ti: vpe: Add missing v4l2_device_unregister in vip_remove()",
                            "    - media: rc: streamzap: Error handling in probe",
                            "    - media: i2c: imx283: Enter full standby when stopping streaming",
                            "    - regulator: bq257xx: fix OF node reference imbalance",
                            "    - regulator: rk808: fix OF node reference imbalance",
                            "    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
                            "    - media: mali-c55: Fully reset the ISP configuration",
                            "    - media: intel/ipu6: fix error pointer dereference",
                            "    - media: i2c: imx283: Fix hang when going from large to small resolution",
                            "    - regulator: act8945a: fix OF node reference imbalance",
                            "    - regulator: s2dos05: fix OF node reference imbalance",
                            "    - regulator: bd9571mwv: fix OF node reference imbalance",
                            "    - spi: lantiq-ssc: fix controller deregistration",
                            "    - spi: meson-spicc: fix controller deregistration",
                            "    - spi: qup: fix controller deregistration",
                            "    - arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO",
                            "    - spi: at91-usart: fix controller deregistration",
                            "    - media: ipu-bridge: Add upside-down sensor DMI quirk for Dell XPS 13 9340",
                            "      and XPS 14 9440",
                            "    - spi: amlogic-spisg: fix controller deregistration",
                            "    - spi: aspeed-smc: fix controller deregistration",
                            "    - drm/colorop: Preserve bypass value in duplicate_state()",
                            "    - drm/atomic: Add affected colorops with affected planes",
                            "    - platform/x86: hp-wmi: Ignore backlight and FnLock events",
                            "    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to",
                            "      copy",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for",
                            "      pinctrl/pinctrl_aon",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt",
                            "    - media: pci: zoran: fix potential memory leak in zoran_probe()",
                            "    - media: dib8000: avoid division by 0 in dib8000_set_dds()",
                            "    - media: i2c: imx412: Assert reset GPIO during probe",
                            "    - media: staging: imx: request mbus_config in csi_start",
                            "    - media: i2c: ov08d10: fix image vertical start setting",
                            "    - media: i2c: ov08d10: fix runtime PM handling in probe",
                            "    - media: omap3isp: drop the use count of v4l2 pipeline",
                            "    - media: iris: fix QCOM_MDT_LOADER dependency",
                            "    - media: qcom: camss: Fix csid clock configuration for sa8775p",
                            "    - media: qcom: camss: Fix csid IRQ offset for sa8775p",
                            "    - media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on",
                            "      SC7280",
                            "    - media: venus: fix QCOM_MDT_LOADER dependency",
                            "    - media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()",
                            "    - media: iris: switch to hardware mode after firmware boot",
                            "    - media: qcom: camss: Add missing clocks for VFE lite on sa8775p",
                            "    - spi: mxs: fix controller deregistration",
                            "    - spi: mt65xx: fix controller deregistration",
                            "    - spi: dln2: fix controller deregistration",
                            "    - spi: s3c64xx: fix controller deregistration",
                            "    - spi: fsl-espi: fix controller deregistration",
                            "    - spi: omap2-mcspi: fix controller deregistration",
                            "    - spi: pic32: fix controller deregistration",
                            "    - spi: ep93xx: fix controller deregistration",
                            "    - spi: mtk-nor: fix controller deregistration",
                            "    - spi: pl022: fix controller deregistration",
                            "    - spi: sh-hspi: fix controller deregistration",
                            "    - spi: bcmbca-hsspi: fix controller deregistration",
                            "    - spi: coldfire-qspi: fix controller deregistration",
                            "    - spi: npcm-pspi: fix controller deregistration",
                            "    - spi: cavium-thunderx: fix controller deregistration",
                            "    - spi: pic32-sqi: fix controller deregistration",
                            "    - spi: sprd: fix controller deregistration",
                            "    - spi: sh-msiof: fix controller deregistration",
                            "    - spi: slave-mt27xx: fix controller deregistration",
                            "    - spi: img-spfi: fix controller deregistration",
                            "    - spi: mpfs: fix controller deregistration",
                            "    - spi: octeon: fix controller deregistration",
                            "    - spi: imx: fix runtime pm leak on probe deferral",
                            "    - spi: mxic: fix controller deregistration",
                            "    - spi: orion: fix controller deregistration",
                            "    - spi: orion: fix runtime pm leak on unbind",
                            "    - spi: orion: fix clock imbalance on registration failure",
                            "    - spi: cadence: fix controller deregistration",
                            "    - spi: cadence-quadspi: fix controller deregistration",
                            "    - spi: cadence: fix unclocked access on unbind",
                            "    - spi: cadence: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm disable imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm and clock imbalance on unbind",
                            "    - drm/colorop: Fix blob property reference tracking in state lifecycle",
                            "    - drm/imx: parallel-display: Prefer bus format set via legacy \"interface-",
                            "      pix-fmt\" DT property",
                            "    - drm/msm: always recover the gpu",
                            "    - drm/v3d: Reject empty multisync extension to prevent infinite loop",
                            "    - drm/i915/psr: Init variable to avoid early exit from et alignment loop",
                            "    - drm/amd/display: fix math_mod() using arg1 instead of arg2",
                            "    - drm/amd: Add missing firmware declaration for PSP v15.0.0",
                            "    - drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0",
                            "      .",
                            "    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.",
                            "    - drm/amdgpu: gate VM CPU HDP flush on reset lock",
                            "    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x",
                            "    - drm/amdkfd: Add upper bound check for num_of_nodes",
                            "    - drm/amdgpu/vce: Prevent partial address patches",
                            "    - drm/amd/display: Change dither policy for 10 bpc output back to",
                            "      dithering",
                            "    - drm/appletbdrm: Use kvzalloc for big allocations",
                            "    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11 and",
                            "      higher.",
                            "    - drm/udl: Increase GET_URB_TIMEOUT",
                            "    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()",
                            "    - drm/xe/bo: Fix bo leak on unaligned size validation in",
                            "      xe_bo_init_locked()",
                            "    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
                            "    - drm/radeon: add missing revision check for CI",
                            "    - drm/amdgpu: zero-initialize GART table on allocation",
                            "    - drm/exynos: remove bridge when component_add fails",
                            "    - drm/amdgpu/userq: fix access to stale wptr mapping",
                            "    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ",
                            "    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer",
                            "    - drm/sti: remove bridge when sti_hda component_add fails",
                            "    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdkfd: Make all TLB-flushes heavy-weight",
                            "    - drm/amdgpu/pm: add missing revision check for CI",
                            "    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon",
                            "    - arm64: dts: qcom: kodiak: Fix PCIe1 PHY ref clock voting",
                            "    - arm64: dts: qcom: lemans: Correct QUP interrupt numbers",
                            "    - arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22",
                            "    - arm64: dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO",
                            "    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure",
                            "    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation",
                            "    - usb: typec: tcpm: reset internal port states on soft reset AMS",
                            "    - io_uring/zcrx: use guards for locking",
                            "    - io_uring/zcrx: warn on freelist violations",
                            "    - kho: fix error handling in kho_add_subtree()",
                            "    - EDAC/versalnet: Refactor memory controller initialization and cleanup",
                            "    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: uniphier: fix controller deregistration",
                            "    - cgroup: Increment nr_dying_subsys_* from rmdir context",
                            "    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()",
                            "    - perf build: fix \"argument list too long\" in second location",
                            "    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from mmap()",
                            "    - vsock/virtio: fix length and offset in tap skb for split packets",
                            "    - drm/amdgpu/vcn3: Avoid overflow on msg bound check",
                            "    - drm/amdgpu/vcn4: Avoid overflow on msg bound check",
                            "    - Linux 7.0.9",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46214",
                            "    - vsock/virtio: fix accept queue count leak on transport mismatch",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46207",
                            "    - vsock/virtio: fix empty payload in tap skb for non-linear buffers",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46234",
                            "    - vsock: fix buffer size clamping order",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46223",
                            "    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46221",
                            "    - EDAC/versalnet: Fix device name memory leak",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46231",
                            "    - batman-adv: bla: put backbone reference on failed claim hash insert",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46233",
                            "    - batman-adv: bla: only purge non-released claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46212",
                            "    - batman-adv: bla: prevent use-after-free when deleting claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46238",
                            "    - batman-adv: stop caching unowned originator pointers in BAT IV",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46208",
                            "    - batman-adv: stop tp_meter sessions during mesh teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46206",
                            "    - batman-adv: reject new tp_meter sessions during teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46198",
                            "    - batman-adv: fix integer overflow on buff_pos",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46227",
                            "    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in",
                            "      SCTP_SENDALL",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46220",
                            "    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46215",
                            "    - drm: Set old handle to NULL before prime swap in change_handle",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46201",
                            "    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46224",
                            "    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46197",
                            "    - drm/amdkfd: validate SVM ioctl nattr against buffer size",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46209",
                            "    - drm/gem: Fix inconsistent plane dimension calculation in",
                            "      drm_gem_fb_init_with_funcs()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46230",
                            "    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46199",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46204",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46218",
                            "    - drm/amdgpu: Add bounds checking to ib_{get,set}_value",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46229",
                            "    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46211",
                            "    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46203",
                            "    - spi: cadence-quadspi: fix unclocked access on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46219",
                            "    - spi: mpc52xx: fix use-after-free on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46200",
                            "    - spi: mpc52xx: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46241",
                            "    - spi: mpc52xx: fix use-after-free on registration failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46225",
                            "    - spi: rspi: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46226",
                            "    - spi: fsl: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46228",
                            "    - spi: ch341: fix devres lifetime",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46216",
                            "    - drm/xe/hdcp: Add NULL check for media_gt in",
                            "      intel_hdcp_gsc_check_status()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46210",
                            "    - media: iris: fix use-after-free of fmt_src during MBPF check",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46240",
                            "    - media: iris: Fix use-after-free in iris_release_internal_buffers()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46235",
                            "    - media: saa7164: add ioremap return checks and cleanups",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46222",
                            "    - media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46239",
                            "    - media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46236",
                            "    - media: rc: xbox_remote: heed DMA restrictions",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46205",
                            "    - staging: media: atomisp: Disallow all private IOCTLs",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46202",
                            "    - HID: appletb-kbd: run inactivity autodim from workqueues",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46213",
                            "    - HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46232",
                            "    - HID: playstation: Clamp num_touch_reports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988)",
                            "    - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states",
                            "    - ACPI: scan: Use acpi_dev_put() in object add error paths",
                            "    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO",
                            "    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug",
                            "    - ACPI: video: force native backlight on HP OMEN 16 (8A44)",
                            "    - iommufd: Fix a race with concurrent allocation and unmap",
                            "    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command",
                            "    - spi: rockchip: fix controller deregistration",
                            "    - ksmbd: rewrite stop_sessions() with restartable iteration",
                            "    - flow_dissector: do not dissect PPPoE PFC frames",
                            "    - smb: client/smbdirect: fix MR registration for coalesced SG lists",
                            "    - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr",
                            "    - wifi: mt76: mt7925: fix incorrect length field in txpower command",
                            "    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work",
                            "    - wifi: ath5k: do not access array OOB",
                            "    - ALSA: usb-audio: midi2: Restart output URBs on resume",
                            "    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check",
                            "    - usb: dwc3: Move GUID programming after PHY initialization",
                            "    - USB: omap_udc: DMA: Don't enable burst 4 mode",
                            "    - USB: serial: option: add Telit Cinterion LE910Cx compositions",
                            "    - usb: typec: tcpm: fix debug accessory mode detection for sink ports",
                            "    - ALSA: hda: cs35l56: Propagate ASP TX source control errors",
                            "    - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi",
                            "      Laptop Pro 15",
                            "    - ALSA: firewire-tascam: Do not drop unread control events",
                            "    - ALSA: core: Serialize deferred fasync state checks",
                            "    - ALSA: seq: Fix UMP group 16 filtering",
                            "    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o",
                            "    - x86/efi: Restore IRQ state in EFI page fault handler",
                            "    - xfrm: provide message size for XFRM_MSG_MAPPING",
                            "    - selinux: fix avdcache auditing",
                            "    - selinux: don't reserve xattr slot when we won't fill it",
                            "    - selinux: shrink critical section in sel_write_load()",
                            "    - selinux: prune /sys/fs/selinux/checkreqprot",
                            "    - selinux: prune /sys/fs/selinux/disable",
                            "    - selinux: prune /sys/fs/selinux/user",
                            "    - selinux: allow multiple opens of /sys/fs/selinux/policy",
                            "    - io_uring/kbuf: support min length left for incremental buffers",
                            "    - io_uring/tw: serialize ctx->retry_llist with ->uring_lock",
                            "    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()",
                            "    - rust: drm: gem: clean up GEM state in init failure case",
                            "    - rust: allow `clippy::collapsible_match` globally",
                            "    - rust: allow `clippy::collapsible_if` globally",
                            "    - rust: pin-init: internal: move alignment check to `make_field_check`",
                            "    - spi: syncuacer: fix controller deregistration",
                            "    - spi: sun4i: fix controller deregistration",
                            "    - spi: zynq-qspi: fix controller deregistration",
                            "    - spi: ti-qspi: fix controller deregistration",
                            "    - spi: sun6i: fix controller deregistration",
                            "    - spi: tegra114: fix controller deregistration",
                            "    - spi: zynqmp-gqspi: fix controller deregistration",
                            "    - spi: tegra20-sflash: fix controller deregistration",
                            "    - spi: s3c64xx: fix NULL-deref on driver unbind",
                            "    - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in",
                            "      rtw_cbuf_alloc",
                            "    - staging: vme_user: fix root device leak on init failure",
                            "    - KVM: arm64: Fix kvm_vcpu_initialized() macro parameter",
                            "    - arm64: signal: Preserve POR_EL0 if poe_context is missing",
                            "    - mm/hugetlb_cma: round up per_node before logging it",
                            "    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT",
                            "    - LoongArch: KVM: Compile switch.S directly into the kernel",
                            "    - mptcp: pm: ADD_ADDR rtx: skip inactive subflows",
                            "    - perf/x86/intel: Improve validation and configuration of ACR masks",
                            "    - selftests/rseq: Don't run tests with runner scripts outside of the",
                            "      scripts",
                            "    - rseq: Set rseq::cpu_id_start to 0 on unregistration",
                            "    - rseq: Protect rseq_reset() against interrupts",
                            "    - rseq: Don't advertise time slice extensions if disabled",
                            "    - selftests/rseq: Make registration flexible for legacy and optimized mode",
                            "    - selftests/rseq: Skip tests if time slice extensions are not available",
                            "    - selftests/rseq: Validate legacy behavior",
                            "    - selftests/rseq: Expand for optimized RSEQ ABI v2",
                            "    - pseries/papr-hvpipe: Fix race with interrupt handler",
                            "    - pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()",
                            "    - pseries/papr-hvpipe: Fix the usage of copy_to_user()",
                            "    - net: libwx: use request_irq for VF misc interrupt",
                            "    - netpoll: pass buffer size to egress_dev() to avoid MAC truncation",
                            "    - ovl: fix verity lazy-load guard broken by fsverity_active() semantic",
                            "      change",
                            "    - parisc: Fix IRQ leak in LASI driver",
                            "    - x86/efi: Fix graceful fault handling after FPU softirq changes",
                            "    - hwmon: (ltc2992) Clamp threshold writes to hardware range",
                            "    - hwmon: (ltc2992) Fix u32 overflow in power read path",
                            "    - clk: rk808: fix OF node reference imbalance",
                            "    - hwmon: (corsair-psu) Close HID device on probe errors",
                            "    - af_unix: Reject SIOCATMARK on non-stream sockets",
                            "    - arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's",
                            "    - pmdomain: mediatek: fix use-after-free in",
                            "      scpsys_get_bus_protection_legacy()",
                            "    - block: fix zone write plug removal",
                            "    - block: only read from sqe on initial invocation of blkdev_uring_cmd()",
                            "    - cifs: abort open_cached_dir if we don't request leases",
                            "    - cifs: change_conf needs to be called for session setup",
                            "    - extcon: ptn5150: handle pending IRQ events during system resume",
                            "    - gpio: of: clear OF_POPULATED on hog nodes in remove path",
                            "    - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS",
                            "    - hv_sock: fix ARM64 support",
                            "    - hv_sock: Report EOF instead of -EIO for FIN",
                            "    - hv_sock: Return -EIO for malformed/short packets",
                            "    - spi: microchip-core-qspi: fix controller deregistration",
                            "    - spi: microchip-core-spi: fix controller deregistration",
                            "    - tracefs: Fix default permissions not being applied on initial mount",
                            "    - udf: reject descriptors with oversized CRC length",
                            "    - x86/boot/e820: Re-enable BIOS fallback if e820 table is empty",
                            "    - thermal: core: Free thermal zone ID later during removal",
                            "    - thermal/drivers/sprd: Fix temperature clamping in",
                            "      sprd_thm_temp_to_rawdata",
                            "    - thermal/drivers/sprd: Fix raw temperature clamping in",
                            "      sprd_thm_rawdata_to_temp",
                            "    - spi: topcliff-pch: fix controller deregistration",
                            "    - spi: topcliff-pch: fix use-after-free on unbind",
                            "    - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section",
                            "    - tracing/fprobe: Remove fprobe from hash in failure path",
                            "    - tracing/fprobe: Unregister fprobe even if memory allocation fails",
                            "    - tracing/probes: Limit size of event probe to 3K",
                            "    - tracing/fprobe: Check the same type fprobe on table as the unregistered",
                            "      one",
                            "    - clk: imx: imx8-acm: fix flags for acm clocks",
                            "    - clk: microchip: mpfs-ccc: fix out of bounds access during output",
                            "      registration",
                            "    - cpuidle: powerpc: avoid double clear when breaking snooze",
                            "    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk",
                            "      table",
                            "    - ASoC: ES8389: convert to devm_clk_get_optional() to get clock",
                            "    - ASoC: fsl_easrc: fix comment typo",
                            "    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error",
                            "    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop",
                            "    - ASoC: qcom: q6apm: remove child devices when apm is removed",
                            "    - btrfs: do not mark inode incompressible after inline attempt fails",
                            "    - dm: don't report warning when doing deferred remove",
                            "    - dm: fix a buffer overflow in ioctl processing",
                            "    - dm-verity-fec: correctly reject too-small FEC devices",
                            "    - dm-verity-fec: correctly reject too-small hash devices",
                            "    - dm-verity-fec: fix corrected block count stat",
                            "    - dm-verity-fec: fix the size of dm_verity_fec_io::erasures",
                            "    - isofs: validate Rock Ridge CE continuation extent against volume size",
                            "    - iommufd: Fix return value of iommufd_fault_fops_write()",
                            "    - iommu/vt-d: Block PASID attachment to nested domain with dirty tracking",
                            "    - iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update",
                            "    - lib/crc: tests: Make crc_kunit test only the enabled CRC variants",
                            "    - lib/scatterlist: fix temp buffer in extract_user_to_sg()",
                            "    - nvme-apple: drop invalid put of admin queue reference count",
                            "    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
                            "    - pmdomain: core: Fix detach procedure for virtual devices in genpd",
                            "    - psp: strip variable-length PSP header in psp_dev_rcv()",
                            "    - s390/debug: Reject zero-length input in debug_input_flush_fn()",
                            "    - s390/debug: Reject zero-length input before trimming a newline",
                            "    - KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty",
                            "    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/stat: detect and use fresh enabled value",
                            "    - PCI: Update saved_config_space upon resource assignment",
                            "    - PCI/AER: Clear only error bits in PCIe Device Status",
                            "    - PCI/AER: Stop ruling out unbound devices as error source",
                            "    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage",
                            "    - power: supply: max17042: avoid overflow when determining health",
                            "    - perf/x86/intel: Always reprogram ACR events to prevent stale masks",
                            "    - perf/x86/intel: Disable PMI for self-reloaded ACR events",
                            "    - perf/x86/intel: Enable auto counter reload for DMR",
                            "    - RDMA/ionic: bound node_desc sysfs read with %.64s",
                            "    - RDMA/ionic: Fix typo in format string",
                            "    - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()",
                            "    - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()",
                            "    - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask",
                            "    - sched_ext: Use dsq->first_task instead of list_empty() in",
                            "      dispatch_enqueue() FIFO-tail",
                            "    - selftests: mptcp: check output: catch cmd errors",
                            "    - selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl",
                            "    - mptcp: fastclose msk when linger time is 0",
                            "    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure",
                            "    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure",
                            "    - mptcp: sockopt: set timestamp flags on subflow socket, not msk",
                            "    - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf",
                            "    - mptcp: fix rx timestamp corruption on fastopen",
                            "    - mptcp: pm: prio: skip closed subflows",
                            "    - mptcp: pm: kernel: reset fullmesh counter after flush",
                            "    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker",
                            "    - mptcp: pm: ADD_ADDR rtx: return early if no retrans",
                            "    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()",
                            "    - f2fs: fix false alarm of lockdep on cp_global_sem lock",
                            "    - f2fs: fix fiemap boundary handling when read extent cache is incomplete",
                            "    - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage",
                            "    - f2fs: fix incorrect file address mapping when inline inode is unwritten",
                            "    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()",
                            "    - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()",
                            "    - f2fs: refactor f2fs_move_node_folio function",
                            "    - f2fs: fix inline data not being written to disk in writeback path",
                            "    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace",
                            "    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value",
                            "    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()",
                            "    - KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer",
                            "    - KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer",
                            "    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS",
                            "    - LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry",
                            "    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by",
                            "      software",
                            "    - LoongArch: KVM: Move unconditional delay into timer clear scenery",
                            "    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()",
                            "    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup",
                            "    - mmc: core: Adjust MDT beyond 2025",
                            "    - mmc: core: Add quirk for incorrect manufacturing date",
                            "    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs",
                            "    - crypto: qat - fix indentation of macros in qat_hal.c",
                            "    - crypto: qat - fix firmware loading failure for GEN6 devices",
                            "    - hfsplus: fix held lock freed on hfsplus_fill_super()",
                            "    - 8021q: use RCU for egress QoS mappings",
                            "    - printk: add print_hex_dump_devel()",
                            "    - crypto: caam - guard HMAC key hex dumps in hash_digest_key",
                            "    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()",
                            "    - rust: pin-init: fix incorrect accessor reference lifetime",
                            "    - Linux 7.0.7",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43490",
                            "    - ksmbd: validate inherited ACE SID length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46174",
                            "    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op",
                            "      cache",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46110",
                            "    - net: stmmac: Prevent NULL deref when RX memory exhausted",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46153",
                            "    - 8021q: delete cleared egress QoS mappings",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46169",
                            "    - hfsplus: fix uninit-value by validating catalog record size",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46188",
                            "    - octeon_ep_vf: add NULL check for napi_build_skb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45837",
                            "    - bpf: Fix use-after-free in arena_vm_close on fork",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46156",
                            "    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46147",
                            "    - KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46175",
                            "    - f2fs: fix fsck inconsistency caused by FGGC of node block",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46194",
                            "    - f2fs: fix node_cnt race between extent node destroy and writeback",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46170",
                            "    - mptcp: pm: ADD_ADDR rtx: free sk if last",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46158",
                            "    - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46168",
                            "    - mptcp: fix scheduling with atomic in timestamp sockopt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46189",
                            "    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46133",
                            "    - RDMA/rxe: Reject unknown opcodes before ICRC processing",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46114",
                            "    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46127",
                            "    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46176",
                            "    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46178",
                            "    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46181",
                            "    - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46145",
                            "    - RDMA/mana: Validate rx_hash_key_len",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46117",
                            "    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46126",
                            "    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46144",
                            "    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46141",
                            "    - powerpc/xive: fix kmemleak caused by incorrect chip_data lookup",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46183",
                            "    - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46121",
                            "    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46131",
                            "    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46139",
                            "    - smb: client: use kzalloc to zero-initialize security descriptor buffer",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46105",
                            "    - scsi: mpt3sas: Limit NVMe request size to 2 MiB",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46171",
                            "    - riscv: kvm: fix vector context allocation leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46112",
                            "    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46165",
                            "    - openvswitch: vport: fix self-deadlock on release of tunnel ports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46161",
                            "    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43492",
                            "    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46124",
                            "    - isofs: validate block number from NFS file handle in isofs_export_iget",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46130",
                            "    - dm-verity-fec: fix reading parity bytes split across blocks (take 3)",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46106",
                            "    - eventfs: Hold eventfs_mutex and SRCU when remount walks events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46107",
                            "    - dm-thin: fix metadata refcount underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46160",
                            "    - btrfs: fix missing last_unlink_trans update when removing a directory",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46164",
                            "    - btrfs: fix double free in create_space_info_sub_group() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46129",
                            "    - btrfs: fix double free in create_space_info() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46159",
                            "    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to",
                            "      info-leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46143",
                            "    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46148",
                            "    - spi: microchip-core-qspi: control built-in cs manually",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46192",
                            "    - spi: microchip-core-qspi: don't attempt to transmit during emulated",
                            "      read-only dual/quad operations",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46162",
                            "    - ice: fix double free in ice_sf_eth_activate() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46273",
                            "    - ibmveth: Disable GSO for packets with small MSS",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46191",
                            "    - fbcon: Avoid OOB font access if console rotation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46134",
                            "    - platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43495",
                            "    - net: wwan: t7xx: validate port_count against message length in",
                            "      t7xx_port_enum_msg_handler",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43502",
                            "    - net/rds: handle zerocopy send cleanup before the message is queued",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46120",
                            "    - ip6_gre: Use cached t->net in ip6erspan_changelink().",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46142",
                            "    - net: libwx: fix VF illegal register access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46118",
                            "    - pseries/papr-hvpipe: Fix null ptr deref in",
                            "      papr_hvpipe_dev_create_handle()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46182",
                            "    - pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46184",
                            "    - sound: ua101: fix division by zero at probe",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43498",
                            "    - accel/ivpu: Disallow re-exporting imported GEM objects",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46132",
                            "    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in",
                            "      rtnl_fill_vfinfo",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46190",
                            "    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46150",
                            "    - fanotify: fix false positive on permission events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45836",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45834",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45835",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46138",
                            "    - Bluetooth: hci_event: Fix OOB read and infinite loop in",
                            "      hci_le_create_big_complete_evt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46111",
                            "    - Bluetooth: hci_conn: fix potential UAF in create_big_sync",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46140",
                            "    - Bluetooth: btmtk: validate WMT event SKB length before struct access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46186",
                            "    - Bluetooth: virtio_bt: validate rx pkt_type header length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46123",
                            "    - Bluetooth: virtio_bt: clamp rx length before skb_put",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46104",
                            "    - selinux: use sk blob accessor in socket permission helpers",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46193",
                            "    - xfrm: ah: account for ESN high bits in async callbacks",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46172",
                            "    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46116",
                            "    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46154",
                            "    - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46157",
                            "    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46109",
                            "    - usb: ulpi: fix memory leak on ulpi_register() error paths",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46146",
                            "    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46167",
                            "    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46151",
                            "    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46180",
                            "    - wifi: brcmfmac: Fix potential use-after-free issue when stopping",
                            "      watchdog task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46122",
                            "    - wifi: b43: enforce bounds check on firmware key index in b43_rx()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46125",
                            "    - wifi: mac80211: remove station if connection prep fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46166",
                            "    - wifi: mac80211: use safe list iteration in radar detect work",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46187",
                            "    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46152",
                            "    - wifi: mac80211: drop stray 'static' from fast-RX rx_result",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46163",
                            "    - wifi: b43legacy: enforce bounds check on firmware key index in RX path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46136",
                            "    - wifi: mt76: mt7921: fix a potential clc buffer length underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46173",
                            "    - exit: prevent preemption of oopsing TASK_DEAD task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43496",
                            "    - net/sched: sch_red: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46113",
                            "    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46179",
                            "    - ASoC: SOF: Don't allow pointer operations on unconfigured streams",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46196",
                            "    - tracepoint: balance regfunc() on func_add() failure in",
                            "      tracepoint_add_func()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43497",
                            "    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46108",
                            "    - ipmi:si: Return state to normal if message allocation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46128",
                            "    - ipmi: Check event message buffer response for bad data",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46177",
                            "    - ipmi: Add limits to event and receive message requests",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46149",
                            "    - scsi: target: configfs: Bound snprintf() return in",
                            "      tg_pt_gp_members_show()",
                            "",
                            "  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,",
                            "    conflicting with nouveau (LP: #2150845)",
                            "    - [Config] Disable NOVA_CORE",
                            "",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "",
                            "  * CVE-2026-46137",
                            "    - mptcp: pm: ADD_ADDR rtx: allow ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: fix potential data-race",
                            "",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "",
                            "  * CVE-2026-46155",
                            "    - smb/client: fix out-of-bounds read in smb2_compound_op()",
                            "",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157520,
                            2154418,
                            2155837,
                            2154174,
                            2154748,
                            2156559,
                            2156556,
                            2150640,
                            2156312,
                            2155096,
                            2154715,
                            2153159,
                            2150071,
                            2154343,
                            2149770,
                            2153155,
                            2152570,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156390,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2150845
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 02:37:29 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libntfs-3g89t64",
                "from_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1",
                    "version": "1:2022.10.3-5ubuntu1"
                },
                "to_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1.1",
                    "version": "1:2022.10.3-5ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-42616",
                        "url": "https://ubuntu.com/security/CVE-2026-42616",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in cat() in  cat.c that allows an attacker to corrupt heap memory in the ntfscat  binary by crafting a malicious NTFS image. The overflow is triggered by  reading a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42617",
                        "url": "https://ubuntu.com/security/CVE-2026-42617",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ir_to_ib() in index.c that allows an attacker to corrupt heap  memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS  image. The overflow is triggered by extending a directory, e.g., by  creating a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46572",
                        "url": "https://ubuntu.com/security/CVE-2026-46572",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_cut_tail() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by creating a file in a  crafted directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-56136",
                        "url": "https://ubuntu.com/security/CVE-2026-56136",
                        "cve_description": "In NTFS-3G through 2026.2.25, an out-of-bounds read exists in  ntfs_ir_nill() in libntfs-3g/index.c that allows an attacker to read  possibly confidential information in an ntfs-3g process by crafting a  malicious NTFS image. This read operation is triggered by creation of a  file with a crafted name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42618",
                        "url": "https://ubuntu.com/security/CVE-2026-42618",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_decompress() in compress.c that allows an attacker to corrupt one  byte of heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading the special  crafted file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46569",
                        "url": "https://ubuntu.com/security/CVE-2026-46569",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by extending a  directory, e.g., by creating a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46570",
                        "url": "https://ubuntu.com/security/CVE-2026-46570",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_index_walk_down() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading crafted file  metadata.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46571",
                        "url": "https://ubuntu.com/security/CVE-2026-46571",
                        "cve_description": "In NTFS-3G through 2026.2.25, a out-of-bounds read exists in  ntfs_fix_file_name() in libntfs-3g/reparse.c that allows an attacker to  read possibly confidential information in ntfs-3g process memory by  crafting a malicious NTFS image. The out-of-bounds read is triggered by  a readlink on a corrupted file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-56135",
                        "url": "https://ubuntu.com/security/CVE-2026-56135",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap-based buffer overflow exists in the  function build_inherited_id() in libntfs-3g/security.c that allows an  attacker to corrupt heap memory in the SUID-root ntfs-3g binary by  crafting a malicious NTFS image. The overflow is triggered by creating a  file in a crafted directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-42616",
                                "url": "https://ubuntu.com/security/CVE-2026-42616",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in cat() in  cat.c that allows an attacker to corrupt heap memory in the ntfscat  binary by crafting a malicious NTFS image. The overflow is triggered by  reading a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42617",
                                "url": "https://ubuntu.com/security/CVE-2026-42617",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ir_to_ib() in index.c that allows an attacker to corrupt heap  memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS  image. The overflow is triggered by extending a directory, e.g., by  creating a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46572",
                                "url": "https://ubuntu.com/security/CVE-2026-46572",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_cut_tail() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by creating a file in a  crafted directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-56136",
                                "url": "https://ubuntu.com/security/CVE-2026-56136",
                                "cve_description": "In NTFS-3G through 2026.2.25, an out-of-bounds read exists in  ntfs_ir_nill() in libntfs-3g/index.c that allows an attacker to read  possibly confidential information in an ntfs-3g process by crafting a  malicious NTFS image. This read operation is triggered by creation of a  file with a crafted name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42618",
                                "url": "https://ubuntu.com/security/CVE-2026-42618",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_decompress() in compress.c that allows an attacker to corrupt one  byte of heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading the special  crafted file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46569",
                                "url": "https://ubuntu.com/security/CVE-2026-46569",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by extending a  directory, e.g., by creating a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46570",
                                "url": "https://ubuntu.com/security/CVE-2026-46570",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_index_walk_down() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading crafted file  metadata.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46571",
                                "url": "https://ubuntu.com/security/CVE-2026-46571",
                                "cve_description": "In NTFS-3G through 2026.2.25, a out-of-bounds read exists in  ntfs_fix_file_name() in libntfs-3g/reparse.c that allows an attacker to  read possibly confidential information in ntfs-3g process memory by  crafting a malicious NTFS image. The out-of-bounds read is triggered by  a readlink on a corrupted file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-56135",
                                "url": "https://ubuntu.com/security/CVE-2026-56135",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap-based buffer overflow exists in the  function build_inherited_id() in libntfs-3g/security.c that allows an  attacker to corrupt heap memory in the SUID-root ntfs-3g binary by  crafting a malicious NTFS image. The overflow is triggered by creating a  file in a crafted directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: heap buffer overflow in cat()",
                            "    - debian/patches/CVE-2026-42616.patch: Fix logic in ntfsprogs/ntfscat.c.",
                            "    - CVE-2026-42616",
                            "  * SECURITY UPDATE: buffer overflows and OOB read",
                            "    - debian/patches/CVE-2026-42617_46572_56136.patch: Fix logic in",
                            "      include/ntfs-3g/index.h, libntfs-3g/attrib.c, libntfs-3g/index.c.",
                            "    - CVE-2026-42617",
                            "    - CVE-2026-46572",
                            "    - CVE-2026-56136",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_decompress()",
                            "    - debian/patches/CVE-2026-42618.patch: Fix logic in libntfs-3g/compress.c.",
                            "    - CVE-2026-42618",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_ib_copy_tail()",
                            "    - debian/patches/CVE-2026-46569.patch: Fix logic in libntfs-3g/index.c.",
                            "    - CVE-2026-46569",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_index_walk_down()",
                            "    - debian/patches/CVE-2026-46570.patch: Fix logic in libntfs-3g/index.c.",
                            "    - CVE-2026-46570",
                            "  * SECURITY UPDATE: out-of-bounds read in ntfs_fix_file_name()",
                            "    - debian/patches/CVE-2026-46571.patch: Fix logic in libntfs-3g/reparse.c.",
                            "    - CVE-2026-46571",
                            "  * SECURITY UPDATE: heap-based overflow in function build_inherited_id()",
                            "    - debian/patches/CVE-2026-56135.patch: Fix logic in include/ntfs-3g/acls.h,",
                            "      libntfs-3g/acls.c, libntfs-3g/security.c.",
                            "    - CVE-2026-56135",
                            ""
                        ],
                        "package": "ntfs-3g",
                        "version": "1:2022.10.3-5ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Sat, 11 Jul 2026 11:55:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-generic",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-28.28",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 00:59:14 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-28.28",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 00:59:14 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-28.28",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 00:59:14 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-libc-dev",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46318",
                        "url": "https://ubuntu.com/security/CVE-2026-46318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46322",
                        "url": "https://ubuntu.com/security/CVE-2026-46322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46320",
                        "url": "https://ubuntu.com/security/CVE-2026-46320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46321",
                        "url": "https://ubuntu.com/security/CVE-2026-46321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46316",
                        "url": "https://ubuntu.com/security/CVE-2026-46316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46317",
                        "url": "https://ubuntu.com/security/CVE-2026-46317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45846",
                        "url": "https://ubuntu.com/security/CVE-2026-45846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45845",
                        "url": "https://ubuntu.com/security/CVE-2026-45845",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45844",
                        "url": "https://ubuntu.com/security/CVE-2026-45844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46242",
                        "url": "https://ubuntu.com/security/CVE-2026-46242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-30 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45843",
                        "url": "https://ubuntu.com/security/CVE-2026-45843",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45842",
                        "url": "https://ubuntu.com/security/CVE-2026-45842",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45841",
                        "url": "https://ubuntu.com/security/CVE-2026-45841",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45840",
                        "url": "https://ubuntu.com/security/CVE-2026-45840",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45839",
                        "url": "https://ubuntu.com/security/CVE-2026-45839",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45838",
                        "url": "https://ubuntu.com/security/CVE-2026-45838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46214",
                        "url": "https://ubuntu.com/security/CVE-2026-46214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46207",
                        "url": "https://ubuntu.com/security/CVE-2026-46207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46234",
                        "url": "https://ubuntu.com/security/CVE-2026-46234",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46223",
                        "url": "https://ubuntu.com/security/CVE-2026-46223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46221",
                        "url": "https://ubuntu.com/security/CVE-2026-46221",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46231",
                        "url": "https://ubuntu.com/security/CVE-2026-46231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46233",
                        "url": "https://ubuntu.com/security/CVE-2026-46233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46212",
                        "url": "https://ubuntu.com/security/CVE-2026-46212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46238",
                        "url": "https://ubuntu.com/security/CVE-2026-46238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46208",
                        "url": "https://ubuntu.com/security/CVE-2026-46208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46206",
                        "url": "https://ubuntu.com/security/CVE-2026-46206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46198",
                        "url": "https://ubuntu.com/security/CVE-2026-46198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46227",
                        "url": "https://ubuntu.com/security/CVE-2026-46227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46220",
                        "url": "https://ubuntu.com/security/CVE-2026-46220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46215",
                        "url": "https://ubuntu.com/security/CVE-2026-46215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46201",
                        "url": "https://ubuntu.com/security/CVE-2026-46201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46224",
                        "url": "https://ubuntu.com/security/CVE-2026-46224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46197",
                        "url": "https://ubuntu.com/security/CVE-2026-46197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46209",
                        "url": "https://ubuntu.com/security/CVE-2026-46209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46230",
                        "url": "https://ubuntu.com/security/CVE-2026-46230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46199",
                        "url": "https://ubuntu.com/security/CVE-2026-46199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46204",
                        "url": "https://ubuntu.com/security/CVE-2026-46204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46218",
                        "url": "https://ubuntu.com/security/CVE-2026-46218",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46229",
                        "url": "https://ubuntu.com/security/CVE-2026-46229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46211",
                        "url": "https://ubuntu.com/security/CVE-2026-46211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46203",
                        "url": "https://ubuntu.com/security/CVE-2026-46203",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46219",
                        "url": "https://ubuntu.com/security/CVE-2026-46219",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46200",
                        "url": "https://ubuntu.com/security/CVE-2026-46200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46241",
                        "url": "https://ubuntu.com/security/CVE-2026-46241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46225",
                        "url": "https://ubuntu.com/security/CVE-2026-46225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46226",
                        "url": "https://ubuntu.com/security/CVE-2026-46226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46228",
                        "url": "https://ubuntu.com/security/CVE-2026-46228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46216",
                        "url": "https://ubuntu.com/security/CVE-2026-46216",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46210",
                        "url": "https://ubuntu.com/security/CVE-2026-46210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46240",
                        "url": "https://ubuntu.com/security/CVE-2026-46240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46235",
                        "url": "https://ubuntu.com/security/CVE-2026-46235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46222",
                        "url": "https://ubuntu.com/security/CVE-2026-46222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46239",
                        "url": "https://ubuntu.com/security/CVE-2026-46239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46236",
                        "url": "https://ubuntu.com/security/CVE-2026-46236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46205",
                        "url": "https://ubuntu.com/security/CVE-2026-46205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46202",
                        "url": "https://ubuntu.com/security/CVE-2026-46202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46213",
                        "url": "https://ubuntu.com/security/CVE-2026-46213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46232",
                        "url": "https://ubuntu.com/security/CVE-2026-46232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43490",
                        "url": "https://ubuntu.com/security/CVE-2026-43490",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 06:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46174",
                        "url": "https://ubuntu.com/security/CVE-2026-46174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46110",
                        "url": "https://ubuntu.com/security/CVE-2026-46110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46153",
                        "url": "https://ubuntu.com/security/CVE-2026-46153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46169",
                        "url": "https://ubuntu.com/security/CVE-2026-46169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46188",
                        "url": "https://ubuntu.com/security/CVE-2026-46188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45837",
                        "url": "https://ubuntu.com/security/CVE-2026-45837",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46156",
                        "url": "https://ubuntu.com/security/CVE-2026-46156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46147",
                        "url": "https://ubuntu.com/security/CVE-2026-46147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46175",
                        "url": "https://ubuntu.com/security/CVE-2026-46175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46194",
                        "url": "https://ubuntu.com/security/CVE-2026-46194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46170",
                        "url": "https://ubuntu.com/security/CVE-2026-46170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46158",
                        "url": "https://ubuntu.com/security/CVE-2026-46158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46168",
                        "url": "https://ubuntu.com/security/CVE-2026-46168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46189",
                        "url": "https://ubuntu.com/security/CVE-2026-46189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46133",
                        "url": "https://ubuntu.com/security/CVE-2026-46133",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46114",
                        "url": "https://ubuntu.com/security/CVE-2026-46114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46127",
                        "url": "https://ubuntu.com/security/CVE-2026-46127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46176",
                        "url": "https://ubuntu.com/security/CVE-2026-46176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46178",
                        "url": "https://ubuntu.com/security/CVE-2026-46178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46181",
                        "url": "https://ubuntu.com/security/CVE-2026-46181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46145",
                        "url": "https://ubuntu.com/security/CVE-2026-46145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46117",
                        "url": "https://ubuntu.com/security/CVE-2026-46117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46126",
                        "url": "https://ubuntu.com/security/CVE-2026-46126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46144",
                        "url": "https://ubuntu.com/security/CVE-2026-46144",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46141",
                        "url": "https://ubuntu.com/security/CVE-2026-46141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46183",
                        "url": "https://ubuntu.com/security/CVE-2026-46183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46121",
                        "url": "https://ubuntu.com/security/CVE-2026-46121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46131",
                        "url": "https://ubuntu.com/security/CVE-2026-46131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46139",
                        "url": "https://ubuntu.com/security/CVE-2026-46139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46105",
                        "url": "https://ubuntu.com/security/CVE-2026-46105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46171",
                        "url": "https://ubuntu.com/security/CVE-2026-46171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46112",
                        "url": "https://ubuntu.com/security/CVE-2026-46112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46165",
                        "url": "https://ubuntu.com/security/CVE-2026-46165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46161",
                        "url": "https://ubuntu.com/security/CVE-2026-46161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43492",
                        "url": "https://ubuntu.com/security/CVE-2026-43492",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46124",
                        "url": "https://ubuntu.com/security/CVE-2026-46124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46130",
                        "url": "https://ubuntu.com/security/CVE-2026-46130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46106",
                        "url": "https://ubuntu.com/security/CVE-2026-46106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46107",
                        "url": "https://ubuntu.com/security/CVE-2026-46107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46160",
                        "url": "https://ubuntu.com/security/CVE-2026-46160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46164",
                        "url": "https://ubuntu.com/security/CVE-2026-46164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46129",
                        "url": "https://ubuntu.com/security/CVE-2026-46129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46159",
                        "url": "https://ubuntu.com/security/CVE-2026-46159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46143",
                        "url": "https://ubuntu.com/security/CVE-2026-46143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46148",
                        "url": "https://ubuntu.com/security/CVE-2026-46148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46192",
                        "url": "https://ubuntu.com/security/CVE-2026-46192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46162",
                        "url": "https://ubuntu.com/security/CVE-2026-46162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46273",
                        "url": "https://ubuntu.com/security/CVE-2026-46273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46191",
                        "url": "https://ubuntu.com/security/CVE-2026-46191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46134",
                        "url": "https://ubuntu.com/security/CVE-2026-46134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43495",
                        "url": "https://ubuntu.com/security/CVE-2026-43495",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43502",
                        "url": "https://ubuntu.com/security/CVE-2026-43502",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46120",
                        "url": "https://ubuntu.com/security/CVE-2026-46120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46142",
                        "url": "https://ubuntu.com/security/CVE-2026-46142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46118",
                        "url": "https://ubuntu.com/security/CVE-2026-46118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46182",
                        "url": "https://ubuntu.com/security/CVE-2026-46182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46184",
                        "url": "https://ubuntu.com/security/CVE-2026-46184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43498",
                        "url": "https://ubuntu.com/security/CVE-2026-43498",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46132",
                        "url": "https://ubuntu.com/security/CVE-2026-46132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46190",
                        "url": "https://ubuntu.com/security/CVE-2026-46190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46150",
                        "url": "https://ubuntu.com/security/CVE-2026-46150",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45836",
                        "url": "https://ubuntu.com/security/CVE-2026-45836",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45834",
                        "url": "https://ubuntu.com/security/CVE-2026-45834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45835",
                        "url": "https://ubuntu.com/security/CVE-2026-45835",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46138",
                        "url": "https://ubuntu.com/security/CVE-2026-46138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46111",
                        "url": "https://ubuntu.com/security/CVE-2026-46111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46140",
                        "url": "https://ubuntu.com/security/CVE-2026-46140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46186",
                        "url": "https://ubuntu.com/security/CVE-2026-46186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46123",
                        "url": "https://ubuntu.com/security/CVE-2026-46123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46104",
                        "url": "https://ubuntu.com/security/CVE-2026-46104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46193",
                        "url": "https://ubuntu.com/security/CVE-2026-46193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46172",
                        "url": "https://ubuntu.com/security/CVE-2026-46172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46116",
                        "url": "https://ubuntu.com/security/CVE-2026-46116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46154",
                        "url": "https://ubuntu.com/security/CVE-2026-46154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46157",
                        "url": "https://ubuntu.com/security/CVE-2026-46157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46109",
                        "url": "https://ubuntu.com/security/CVE-2026-46109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46146",
                        "url": "https://ubuntu.com/security/CVE-2026-46146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46167",
                        "url": "https://ubuntu.com/security/CVE-2026-46167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46151",
                        "url": "https://ubuntu.com/security/CVE-2026-46151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46180",
                        "url": "https://ubuntu.com/security/CVE-2026-46180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46122",
                        "url": "https://ubuntu.com/security/CVE-2026-46122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46125",
                        "url": "https://ubuntu.com/security/CVE-2026-46125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46166",
                        "url": "https://ubuntu.com/security/CVE-2026-46166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46187",
                        "url": "https://ubuntu.com/security/CVE-2026-46187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46152",
                        "url": "https://ubuntu.com/security/CVE-2026-46152",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46163",
                        "url": "https://ubuntu.com/security/CVE-2026-46163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46136",
                        "url": "https://ubuntu.com/security/CVE-2026-46136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46173",
                        "url": "https://ubuntu.com/security/CVE-2026-46173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43496",
                        "url": "https://ubuntu.com/security/CVE-2026-43496",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46113",
                        "url": "https://ubuntu.com/security/CVE-2026-46113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46179",
                        "url": "https://ubuntu.com/security/CVE-2026-46179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46196",
                        "url": "https://ubuntu.com/security/CVE-2026-46196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43497",
                        "url": "https://ubuntu.com/security/CVE-2026-43497",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46108",
                        "url": "https://ubuntu.com/security/CVE-2026-46108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46128",
                        "url": "https://ubuntu.com/security/CVE-2026-46128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46177",
                        "url": "https://ubuntu.com/security/CVE-2026-46177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46149",
                        "url": "https://ubuntu.com/security/CVE-2026-46149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46137",
                        "url": "https://ubuntu.com/security/CVE-2026-46137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46155",
                        "url": "https://ubuntu.com/security/CVE-2026-46155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2157520,
                    2154418,
                    2155837,
                    2154174,
                    2154748,
                    2156559,
                    2156556,
                    2150640,
                    2156312,
                    2155096,
                    2154715,
                    2153159,
                    2150071,
                    2154343,
                    2149770,
                    2153155,
                    2152570,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156390,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2150845
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46318",
                                "url": "https://ubuntu.com/security/CVE-2026-46318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46322",
                                "url": "https://ubuntu.com/security/CVE-2026-46322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46320",
                                "url": "https://ubuntu.com/security/CVE-2026-46320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46321",
                                "url": "https://ubuntu.com/security/CVE-2026-46321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46316",
                                "url": "https://ubuntu.com/security/CVE-2026-46316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46317",
                                "url": "https://ubuntu.com/security/CVE-2026-46317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45846",
                                "url": "https://ubuntu.com/security/CVE-2026-45846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45845",
                                "url": "https://ubuntu.com/security/CVE-2026-45845",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45844",
                                "url": "https://ubuntu.com/security/CVE-2026-45844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46242",
                                "url": "https://ubuntu.com/security/CVE-2026-46242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-30 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45843",
                                "url": "https://ubuntu.com/security/CVE-2026-45843",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45842",
                                "url": "https://ubuntu.com/security/CVE-2026-45842",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45841",
                                "url": "https://ubuntu.com/security/CVE-2026-45841",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45840",
                                "url": "https://ubuntu.com/security/CVE-2026-45840",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45839",
                                "url": "https://ubuntu.com/security/CVE-2026-45839",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45838",
                                "url": "https://ubuntu.com/security/CVE-2026-45838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46214",
                                "url": "https://ubuntu.com/security/CVE-2026-46214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46207",
                                "url": "https://ubuntu.com/security/CVE-2026-46207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46234",
                                "url": "https://ubuntu.com/security/CVE-2026-46234",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46223",
                                "url": "https://ubuntu.com/security/CVE-2026-46223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46221",
                                "url": "https://ubuntu.com/security/CVE-2026-46221",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46231",
                                "url": "https://ubuntu.com/security/CVE-2026-46231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46233",
                                "url": "https://ubuntu.com/security/CVE-2026-46233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46212",
                                "url": "https://ubuntu.com/security/CVE-2026-46212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46238",
                                "url": "https://ubuntu.com/security/CVE-2026-46238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46208",
                                "url": "https://ubuntu.com/security/CVE-2026-46208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46206",
                                "url": "https://ubuntu.com/security/CVE-2026-46206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46198",
                                "url": "https://ubuntu.com/security/CVE-2026-46198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46227",
                                "url": "https://ubuntu.com/security/CVE-2026-46227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46220",
                                "url": "https://ubuntu.com/security/CVE-2026-46220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46215",
                                "url": "https://ubuntu.com/security/CVE-2026-46215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46201",
                                "url": "https://ubuntu.com/security/CVE-2026-46201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46224",
                                "url": "https://ubuntu.com/security/CVE-2026-46224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46197",
                                "url": "https://ubuntu.com/security/CVE-2026-46197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46209",
                                "url": "https://ubuntu.com/security/CVE-2026-46209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46230",
                                "url": "https://ubuntu.com/security/CVE-2026-46230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46199",
                                "url": "https://ubuntu.com/security/CVE-2026-46199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46204",
                                "url": "https://ubuntu.com/security/CVE-2026-46204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46218",
                                "url": "https://ubuntu.com/security/CVE-2026-46218",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46229",
                                "url": "https://ubuntu.com/security/CVE-2026-46229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46211",
                                "url": "https://ubuntu.com/security/CVE-2026-46211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46203",
                                "url": "https://ubuntu.com/security/CVE-2026-46203",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46219",
                                "url": "https://ubuntu.com/security/CVE-2026-46219",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46200",
                                "url": "https://ubuntu.com/security/CVE-2026-46200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46241",
                                "url": "https://ubuntu.com/security/CVE-2026-46241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46225",
                                "url": "https://ubuntu.com/security/CVE-2026-46225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46226",
                                "url": "https://ubuntu.com/security/CVE-2026-46226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46228",
                                "url": "https://ubuntu.com/security/CVE-2026-46228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46216",
                                "url": "https://ubuntu.com/security/CVE-2026-46216",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46210",
                                "url": "https://ubuntu.com/security/CVE-2026-46210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46240",
                                "url": "https://ubuntu.com/security/CVE-2026-46240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46235",
                                "url": "https://ubuntu.com/security/CVE-2026-46235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46222",
                                "url": "https://ubuntu.com/security/CVE-2026-46222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46239",
                                "url": "https://ubuntu.com/security/CVE-2026-46239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46236",
                                "url": "https://ubuntu.com/security/CVE-2026-46236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46205",
                                "url": "https://ubuntu.com/security/CVE-2026-46205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46202",
                                "url": "https://ubuntu.com/security/CVE-2026-46202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46213",
                                "url": "https://ubuntu.com/security/CVE-2026-46213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46232",
                                "url": "https://ubuntu.com/security/CVE-2026-46232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43490",
                                "url": "https://ubuntu.com/security/CVE-2026-43490",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 06:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46174",
                                "url": "https://ubuntu.com/security/CVE-2026-46174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46110",
                                "url": "https://ubuntu.com/security/CVE-2026-46110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46153",
                                "url": "https://ubuntu.com/security/CVE-2026-46153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46169",
                                "url": "https://ubuntu.com/security/CVE-2026-46169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46188",
                                "url": "https://ubuntu.com/security/CVE-2026-46188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45837",
                                "url": "https://ubuntu.com/security/CVE-2026-45837",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46156",
                                "url": "https://ubuntu.com/security/CVE-2026-46156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46147",
                                "url": "https://ubuntu.com/security/CVE-2026-46147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46175",
                                "url": "https://ubuntu.com/security/CVE-2026-46175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46194",
                                "url": "https://ubuntu.com/security/CVE-2026-46194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46170",
                                "url": "https://ubuntu.com/security/CVE-2026-46170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46158",
                                "url": "https://ubuntu.com/security/CVE-2026-46158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46168",
                                "url": "https://ubuntu.com/security/CVE-2026-46168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46189",
                                "url": "https://ubuntu.com/security/CVE-2026-46189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46133",
                                "url": "https://ubuntu.com/security/CVE-2026-46133",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46114",
                                "url": "https://ubuntu.com/security/CVE-2026-46114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46127",
                                "url": "https://ubuntu.com/security/CVE-2026-46127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46176",
                                "url": "https://ubuntu.com/security/CVE-2026-46176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46178",
                                "url": "https://ubuntu.com/security/CVE-2026-46178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46181",
                                "url": "https://ubuntu.com/security/CVE-2026-46181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46145",
                                "url": "https://ubuntu.com/security/CVE-2026-46145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46117",
                                "url": "https://ubuntu.com/security/CVE-2026-46117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46126",
                                "url": "https://ubuntu.com/security/CVE-2026-46126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46144",
                                "url": "https://ubuntu.com/security/CVE-2026-46144",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46141",
                                "url": "https://ubuntu.com/security/CVE-2026-46141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46183",
                                "url": "https://ubuntu.com/security/CVE-2026-46183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46121",
                                "url": "https://ubuntu.com/security/CVE-2026-46121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46131",
                                "url": "https://ubuntu.com/security/CVE-2026-46131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46139",
                                "url": "https://ubuntu.com/security/CVE-2026-46139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46105",
                                "url": "https://ubuntu.com/security/CVE-2026-46105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46171",
                                "url": "https://ubuntu.com/security/CVE-2026-46171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46112",
                                "url": "https://ubuntu.com/security/CVE-2026-46112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46165",
                                "url": "https://ubuntu.com/security/CVE-2026-46165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46161",
                                "url": "https://ubuntu.com/security/CVE-2026-46161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43492",
                                "url": "https://ubuntu.com/security/CVE-2026-43492",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46124",
                                "url": "https://ubuntu.com/security/CVE-2026-46124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46130",
                                "url": "https://ubuntu.com/security/CVE-2026-46130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46106",
                                "url": "https://ubuntu.com/security/CVE-2026-46106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46107",
                                "url": "https://ubuntu.com/security/CVE-2026-46107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46160",
                                "url": "https://ubuntu.com/security/CVE-2026-46160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46164",
                                "url": "https://ubuntu.com/security/CVE-2026-46164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46129",
                                "url": "https://ubuntu.com/security/CVE-2026-46129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46159",
                                "url": "https://ubuntu.com/security/CVE-2026-46159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46143",
                                "url": "https://ubuntu.com/security/CVE-2026-46143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46148",
                                "url": "https://ubuntu.com/security/CVE-2026-46148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46192",
                                "url": "https://ubuntu.com/security/CVE-2026-46192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46162",
                                "url": "https://ubuntu.com/security/CVE-2026-46162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46273",
                                "url": "https://ubuntu.com/security/CVE-2026-46273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46191",
                                "url": "https://ubuntu.com/security/CVE-2026-46191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46134",
                                "url": "https://ubuntu.com/security/CVE-2026-46134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43495",
                                "url": "https://ubuntu.com/security/CVE-2026-43495",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43502",
                                "url": "https://ubuntu.com/security/CVE-2026-43502",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46120",
                                "url": "https://ubuntu.com/security/CVE-2026-46120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46142",
                                "url": "https://ubuntu.com/security/CVE-2026-46142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46118",
                                "url": "https://ubuntu.com/security/CVE-2026-46118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46182",
                                "url": "https://ubuntu.com/security/CVE-2026-46182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46184",
                                "url": "https://ubuntu.com/security/CVE-2026-46184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43498",
                                "url": "https://ubuntu.com/security/CVE-2026-43498",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46132",
                                "url": "https://ubuntu.com/security/CVE-2026-46132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46190",
                                "url": "https://ubuntu.com/security/CVE-2026-46190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46150",
                                "url": "https://ubuntu.com/security/CVE-2026-46150",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45836",
                                "url": "https://ubuntu.com/security/CVE-2026-45836",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45834",
                                "url": "https://ubuntu.com/security/CVE-2026-45834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45835",
                                "url": "https://ubuntu.com/security/CVE-2026-45835",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46138",
                                "url": "https://ubuntu.com/security/CVE-2026-46138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46111",
                                "url": "https://ubuntu.com/security/CVE-2026-46111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46140",
                                "url": "https://ubuntu.com/security/CVE-2026-46140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46186",
                                "url": "https://ubuntu.com/security/CVE-2026-46186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46123",
                                "url": "https://ubuntu.com/security/CVE-2026-46123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46104",
                                "url": "https://ubuntu.com/security/CVE-2026-46104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46193",
                                "url": "https://ubuntu.com/security/CVE-2026-46193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46172",
                                "url": "https://ubuntu.com/security/CVE-2026-46172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46116",
                                "url": "https://ubuntu.com/security/CVE-2026-46116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46154",
                                "url": "https://ubuntu.com/security/CVE-2026-46154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46157",
                                "url": "https://ubuntu.com/security/CVE-2026-46157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46109",
                                "url": "https://ubuntu.com/security/CVE-2026-46109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46146",
                                "url": "https://ubuntu.com/security/CVE-2026-46146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46167",
                                "url": "https://ubuntu.com/security/CVE-2026-46167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46151",
                                "url": "https://ubuntu.com/security/CVE-2026-46151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46180",
                                "url": "https://ubuntu.com/security/CVE-2026-46180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46122",
                                "url": "https://ubuntu.com/security/CVE-2026-46122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46125",
                                "url": "https://ubuntu.com/security/CVE-2026-46125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46166",
                                "url": "https://ubuntu.com/security/CVE-2026-46166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46187",
                                "url": "https://ubuntu.com/security/CVE-2026-46187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46152",
                                "url": "https://ubuntu.com/security/CVE-2026-46152",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46163",
                                "url": "https://ubuntu.com/security/CVE-2026-46163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46136",
                                "url": "https://ubuntu.com/security/CVE-2026-46136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46173",
                                "url": "https://ubuntu.com/security/CVE-2026-46173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43496",
                                "url": "https://ubuntu.com/security/CVE-2026-43496",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46113",
                                "url": "https://ubuntu.com/security/CVE-2026-46113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46179",
                                "url": "https://ubuntu.com/security/CVE-2026-46179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46196",
                                "url": "https://ubuntu.com/security/CVE-2026-46196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43497",
                                "url": "https://ubuntu.com/security/CVE-2026-43497",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46108",
                                "url": "https://ubuntu.com/security/CVE-2026-46108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46128",
                                "url": "https://ubuntu.com/security/CVE-2026-46128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46177",
                                "url": "https://ubuntu.com/security/CVE-2026-46177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46149",
                                "url": "https://ubuntu.com/security/CVE-2026-46149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46137",
                                "url": "https://ubuntu.com/security/CVE-2026-46137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46155",
                                "url": "https://ubuntu.com/security/CVE-2026-46155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-28.28 -proposed tracker (LP: #2157520)",
                            "",
                            "  * Backport ASoC SDCA, AMD SoundWire, and RT722 audio fixes (LP: #2154418)",
                            "    - ASoC: amd: acp-sdw-legacy: rename the dmic component name",
                            "    - SAUCE: ASoC: rt722-sdca: add FU06 Playback Switch for speaker mute",
                            "      control",
                            "",
                            "  * MIPI camera of a BBG809N3A_B sensor SKU of the DELL Pro 14 Premium PA14260",
                            "    renders upside-down (LP: #2155837)",
                            "    - SAUCE: media: ipu-bridge: correct platform handling for DELL Pro 14",
                            "      Premium PA14260",
                            "",
                            "  * resolute ubuntu_kernel_selftests:seccomp_build test compilation issue",
                            "    (LP: #2154174)",
                            "    - SAUCE: selftests/seccomp fix compilation issue for amd64",
                            "",
                            "  * [Ubuntu 26.04] Severe Performance Degradation on kernel 7.0.0-15",
                            "    (LP: #2154748)",
                            "    - s390: Remove GENERIC_LOCKBREAK Kconfig option",
                            "    - UBUNTU [Config]: Remove GENERIC_LOCKBREAK in s390x",
                            "",
                            "  * Fix no sound output device on Dell GhostRider PTL no camera SKU",
                            "    (LP: #2156559)",
                            "    - ASoC: Intel: sof_sdw: append dai type to dai link name unconditionally",
                            "",
                            "  * Fix no audio from right built-in speaker on HP ZBook with TAS2781",
                            "    amplifier (LP: #2156556)",
                            "    - ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block",
                            "      data processing",
                            "",
                            "  * Installer fails internally with a RSync error due to page fault",
                            "    (LP: #2150640)",
                            "    - ovl: keep err zero after successful ovl_cache_get()",
                            "",
                            "  * Internal display black screen on Intel Lunar Lake with eDP panel",
                            "    (LP: #2156312)",
                            "    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG",
                            "",
                            "  * Thunderbolt DP tunnel torn down during boot with LUKS Full Disk Encryption",
                            "    (LP: #2155096)",
                            "    - SAUCE: thunderbolt: Defer DP tunnel teardown until display driver is",
                            "      ready",
                            "",
                            "  * watchdog: lenovo_se10_wdt: Add SE10 Gen 2 support (LP: #2154715)",
                            "    - watchdog: lenovo_se10_wdt: Add support for SE10 Gen 2 platform",
                            "    - watchdog: lenovo_se10_wdt: Fix use-after-free and resource leak risk",
                            "",
                            "  * [Ubuntu 26.04] KVM: IBM Test Accelerator for Z (TAZ) not working properly",
                            "    (LP: #2153159)",
                            "    - KVM: s390: only deliver service interrupt with payload",
                            "    - KVM: s390: vsie: Allow non-zarch guests",
                            "    - KVM: s390: vsie: Disable some bits when in ESA mode",
                            "    - KVM: s390: vsie: Accommodate ESA prefix pages",
                            "    - KVM: s390: Add KVM capability for ESA mode guests",
                            "",
                            "  * ubuntu_bpf failed to build on Resolute (error: expected ‘:’, ‘,’, ‘;’, ‘}’",
                            "    or ‘__attribute__’ before ‘__counted_by’) (LP: #2150071)",
                            "    - tools/headers: Regenerate stddef.h to fix BPF selftests",
                            "",
                            "  * ubuntu_bpf: FTBFS with clang 23 / gcc 15 (LP: #2154343)",
                            "    - selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c",
                            "",
                            "  * ALSA: hda/tas2781 Audio Fix for the front-right speacker (LP: #2149770)",
                            "    - ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device",
                            "",
                            "  * Fix bad audio record quality when volume above 50% on Framework PTL",
                            "    (LP: #2153155)",
                            "    - ALSA: hda/realtek: fix mic boost on Framework PTL",
                            "",
                            "  * Patchset for TUXEDO devices (LP: #2152570)",
                            "    - drm/i915/vbt: Add edp pipe joiner enable/disable bits",
                            "    - drm/i915/dp: Avoid joiner for eDP if not enabled in VBT",
                            "    - drm/amd/display: Add Idle state manager(ISM)",
                            "    - drm/i915/backlight: Remove try_vesa_interface",
                            "    - drm/i915/backlight: Use intel_panel variable instead of intel_connector",
                            "    - drm/i915/backlight: Take luminance_set into account for VESA backlight",
                            "    - drm/i915/backlight: Check luminance_set when disabling PWM via AUX VESA",
                            "      backlight",
                            "    - drm/i915/backlight: Short circuit intel_dp_aux_supports_hdr_backlight",
                            "    - drm/i915/backlight: Update debug log during backlight setup",
                            "    - drm/i915/backlight: Check if VESA backlight is possible",
                            "    - drm/i915/backlight: Provide clear description on how backlight level is",
                            "      controlled",
                            "    - drm/i915/backlight: Fix VESA backlight possible check condition",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636)",
                            "    - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size",
                            "    - ACPI: button: Fix ACPI GPE handler leak during removal",
                            "    - ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time",
                            "    - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit",
                            "    - net/sched: sch_sfb: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "    - bcache: fix uninitialized closure object",
                            "    - nfc: llcp: Fix use-after-free in llcp_sock_release()",
                            "    - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()",
                            "    - xfrm: Check for underflow in xfrm_state_mtu",
                            "    - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems",
                            "    - tools/bootconfig: Fix buf leaks in apply_xbc",
                            "    - HID: remove duplicate hid_warn_ratelimited definition",
                            "    - kunit: fix use-after-free in debugfs when using kunit.filter",
                            "    - accel/rocket: fix UAF via dangling GEM handle in create_bo",
                            "    - netfilter: synproxy: refresh tcphdr after skb_ensure_writable",
                            "    - netfilter: xt_cpu: prefer raw_smp_processor_id",
                            "    - netfilter: ebtables: fix OOB read in compat_mtw_from_user",
                            "    - netfilter: nf_tables: fix dst corruption in same register operation",
                            "    - vsock: keep poll shutdown state consistent",
                            "    - net: netlink: fix sending unassigned nsid after assigned one",
                            "    - net: netlink: don't set nsid on local notifications",
                            "    - net/smc: Do not re-initialize smc hashtables",
                            "    - net/iucv: fix locking in .getsockopt",
                            "    - scsi: core: Run queues for all non-SDEV_DEL devices from",
                            "      scsi_run_host_queues",
                            "    - scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()",
                            "    - ipv4: free net->ipv4.sysctl_local_reserved_ports after",
                            "      unregister_net_sysctl_table()",
                            "    - ALSA: hda: cs35l56: Fix system name string leaks",
                            "    - ALSA: pcm: oss: Fix setup list UAF on proc write error",
                            "    - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors",
                            "    - net/mlx5: HWS: Reject unsupported remove-header action",
                            "    - net: hsr: fix potential OOB access in supervision frame handling",
                            "    - accel/ivpu: prevent uninitialized data bug in debugfs",
                            "    - gpio: mxc: fix irq_high handling",
                            "    - drm/i915/aux: use polling when irqs are unavailable",
                            "    - net: Avoid checksumming unreadable skb tail on trim",
                            "    - ethtool: rss: avoid modifying the RSS context response",
                            "    - ethtool: rss: add missing errno on RSS context delete",
                            "    - ethtool: rss: fix falsely ignoring indir table updates",
                            "    - ethtool: rss: fix indir_table and hkey leak on get_rxfh failure",
                            "    - ethtool: rss: fix hkey leak when indir_size is 0",
                            "    - ethtool: rss: avoid device context leak on reply-build failure",
                            "    - ethtool: module: call ethnl_ops_complete() on module flash errors",
                            "    - ethtool: module: avoid leaking a netdev ref on module flash errors",
                            "    - ethtool: module: avoid racy updates to dev->ethtool bitfield",
                            "    - ethtool: module: check fw_flash_in_progress under rtnl_lock",
                            "    - ethtool: module: fix cleanup if socket used for flashing multiple",
                            "      devices",
                            "    - ethtool: cmis: require exact CDB reply length",
                            "    - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl",
                            "    - ethtool: cmis: validate start_cmd_payload_size from module",
                            "    - ethtool: cmis: validate fw->size against start_cmd_payload_size",
                            "    - cxl/test: Update mock dev array before calling platform_device_add()",
                            "    - blk-mq: reinsert cached request to the list",
                            "    - tunnels: load network headers after skb_cow() in",
                            "      iptunnel_pmtud_build_icmp[v6]()",
                            "    - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()",
                            "    - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()",
                            "    - ksmbd: fix FSCTL permission bypass by adding a permission check for",
                            "      FSCTL_SET_SPARSE",
                            "    - ASoC: codecs: simple-mux: Fix enum control bounds check",
                            "    - drm/xe: Restore IDLEDLY regiter on engine reset",
                            "    - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()",
                            "    - bonding: refuse to enslave CAN devices",
                            "    - bridge: Fix sleep in atomic context in netlink path",
                            "    - bridge: Fix sleep in atomic context in sysfs path",
                            "    - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES",
                            "    - ethtool: tsconfig: fix reply error handling",
                            "    - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup",
                            "      error",
                            "    - ethtool: pse-pd: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsconfig: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsinfo: fix uninitialized stats on the by-PHC path",
                            "    - ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure",
                            "    - ethtool: strset: fix header attribute index in ethnl_req_get_phydev()",
                            "    - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during",
                            "      fallback",
                            "    - ethtool: eeprom: add more safeties to EEPROM Netlink fallback",
                            "    - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()",
                            "    - net/sched: Revert \"net/sched: Restrict conditions for adding duplicating",
                            "      netems to qdisc tree\"",
                            "    - net/sched: fix packet loop on netem when duplicate is on",
                            "    - net: Introduce skb tc depth field to track packet loops",
                            "    - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop",
                            "    - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack",
                            "      overflow",
                            "    - net/sched: act_mirred: Fix return code in early mirred redirect error",
                            "      paths",
                            "    - net: hibmcge: disable Relaxed Ordering to fix RX packet corruption",
                            "    - net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path",
                            "    - net/handshake: Use spin_lock_bh for hn_lock",
                            "    - nvme-tcp: store negative errno in queue->tls_err",
                            "    - net/handshake: Pass negative errno through handshake_complete()",
                            "    - net/handshake: hand off the pinned file reference to accept_doit",
                            "    - net/handshake: Take a long-lived file reference at submit",
                            "    - net/handshake: Drain pending requests at net namespace exit",
                            "    - dpll: zl3073x: detect DPLL channel count from chip ID at runtime",
                            "    - dpll: zl3073x: add die temperature reporting for supported chips",
                            "    - dpll: export __dpll_device_change_ntf() for use under dpll_lock",
                            "    - dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work",
                            "    - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success",
                            "    - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp",
                            "    - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close",
                            "    - Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()",
                            "    - gpio: adnp: fix flow control regression caused by scoped_guard()",
                            "    - gpio: virtuser: Fix uninitialized data bug in",
                            "      gpio_virtuser_direction_do_write()",
                            "    - gpio: rockchip: convert bank->clk to devm_clk_get_enabled()",
                            "    - gpio: rockchip: teardown bugs and resource leaks",
                            "    - net: mana: Add NULL guards in teardown path to prevent panic on attach",
                            "      failure",
                            "    - net: mana: Skip redundant detach on already-detached port",
                            "    - sctp: fix race between sctp_wait_for_connect and peeloff",
                            "    - net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration",
                            "    - vsock/virtio: bind uarg before filling zerocopy skb",
                            "    - ipv6: fix possible infinite loop in rt6_fill_node()",
                            "    - ipv6: fix possible infinite loop in fib6_select_path()",
                            "    - net: skbuff: fix pskb_carve leaking zcopy pages",
                            "    - Revert \"ipv6: preserve insertion order for same-scope addresses\"",
                            "    - Revert \"x86/fpu: Refine and simplify the magic number check during",
                            "      signal return\"",
                            "    - drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register",
                            "    - drm/i915/psr: Read Intel DPCD workaround register",
                            "    - drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used",
                            "    - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer",
                            "    - iio: imu: adis16550: fix stack leak in trigger handler",
                            "    - iio: pressure: bmp280: fix stack leak in bmp580 trigger handler",
                            "    - usb: typec: ucsi: ccg: reject firmware images without a ':' record",
                            "      header",
                            "    - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers",
                            "    - usb: typec: tcpm: bound altmode_desc[] per iteration in",
                            "      svdm_consume_modes()",
                            "    - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload",
                            "      VDO",
                            "    - usb: typec: altmodes/displayport: validate count before reading Status",
                            "      Update VDO",
                            "    - usb: typec: wcove: don't write past struct pd_message in",
                            "      wcove_read_rx_buffer()",
                            "    - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT",
                            "    - usb: typec: ucsi: validate connector number in ucsi_connector_change()",
                            "    - USB: serial: safe_serial: fix memory corruption with small endpoint",
                            "    - media: rc: igorplugusb: fix control request setup packet",
                            "    - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()",
                            "    - USB: serial: cypress_m8: fix memory corruption with small endpoint",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse",
                            "    - Bluetooth: btusb: Allow firmware re-download when version matches",
                            "    - mm/vmalloc: do not trigger BUG() on BH disabled context",
                            "    - hpfs: fix a crash if hpfs_map_dnode_bitmap fails",
                            "    - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()",
                            "    - ipc: limit next_id allocation to the valid ID range",
                            "    - mm: memcontrol: propagate NMI slab stats to memcg vmstats",
                            "    - mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page",
                            "    - memfd: deny writeable mappings when implying SEAL_WRITE",
                            "    - zram: fix use-after-free in zram_writeback_endio",
                            "    - mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one",
                            "    - auxdisplay: line-display: fix OOB read on zero-length message_store()",
                            "    - smb: client: fix uninitialized variable in smb2_writev_callback",
                            "    - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
                            "    - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn",
                            "    - Bluetooth: HIDP: fix missing length checks in hidp_input_report()",
                            "    - Bluetooth: ISO: fix UAF in iso_recv_frame",
                            "    - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock",
                            "    - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()",
                            "    - Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading",
                            "    - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync",
                            "    - Input: xpad - fix out-of-bounds access for Share button",
                            "    - parport: Fix race between port and client registration",
                            "    - rust_binder: Avoid holding lock when dropping delivered_death",
                            "    - rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN",
                            "    - USB: cdc-acm: Fix bit overlap and move quirk definitions to header",
                            "    - KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor",
                            "    - KVM: arm64: PMU: Preserve AArch32 counter low bits",
                            "    - KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC",
                            "    - KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
                            "    - KVM: SEV: Ignore Port I/O requests of length '0'",
                            "    - KVM: SEV: Use the size of the PSC header as the minimum size for PSC",
                            "      requests",
                            "    - KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0",
                            "    - KVM: SEV: Compute the correct max length of the in-GHCB scratch area",
                            "    - KVM: SEV: Check PSC request indices against the actual size of the",
                            "      buffer",
                            "    - KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer",
                            "    - KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()",
                            "    - gpio: shared: undo the vote of the proxy on GPIO free",
                            "    - gpio: shared: fix deadlock on shared proxy's parent removal",
                            "    - gpio: shared: fix lockdep false positive by removing unneeded lock",
                            "    - Disable -Wattribute-alias for clang-23 and newer",
                            "    - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux",
                            "    - iio: adc: npcm: fix unbalanced clk_disable_unprepare()",
                            "    - iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings",
                            "    - iio: dac: max5821: fix return value check in powerdown sync",
                            "    - iio: dac: ad5686: fix ref bit initialization for single-channel parts",
                            "    - iio: dac: ad5686: fix input raw value check",
                            "    - iio: dac: ad5686: acquire lock when doing powerdown control",
                            "    - iio: dac: ad5686: fix powerdown control on dual-channel devices",
                            "    - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp",
                            "    - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw",
                            "    - iio: adc: ad4695: Fix call ordering in offload buffer postenable",
                            "    - iio: adc: nxp-sar-adc: fix division by zero in write_raw",
                            "    - iio: adc: nxp-sar-adc: Avoid division by zero",
                            "    - iio: adc: nxp-sar-adc: zero-initialize dma_slave_config",
                            "    - iio: gyro: itg3200: fix i2c read into the wrong stack location",
                            "    - iio: gyro: adis16260: fix division by zero in write_raw",
                            "    - iio: ssp_sensors: cancel delayed work_refresh on remove",
                            "    - iio: temperature: tsys01: fix broken PROM checksum validation",
                            "    - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL",
                            "    - iio: light: veml6070: Fix resource leak in probe error path",
                            "    - iio: Fix iio_multiply_value use in iio_read_channel_processed_scale",
                            "    - iio: chemical: mhz19b: reject oversized serial replies",
                            "    - iio: chemical: scd30: fix division by zero in write_raw",
                            "    - iio: light: cm3323: fix reg_conf not being initialized correctly",
                            "    - iio: buffer: hw-consumer: fix use-after-free in error path",
                            "    - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()",
                            "    - USB: serial: omninet: fix memory corruption with small endpoint",
                            "    - usb: cdns3: gadget: fix request skipping after clearing halt",
                            "    - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy",
                            "      acquisition failure",
                            "    - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently",
                            "      leaks the runtime PM usage counter across bind/unbind cycles",
                            "    - usb: dwc2: Fix use after free in debug code",
                            "    - Input: elan_i2c - validate firmware size before use",
                            "    - i2c: davinci: fix division by zero on missing clock-frequency",
                            "    - x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines",
                            "    - wireguard: send: append trailer after expanding head",
                            "    - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data",
                            "    - macsec: fix replay protection at XPN lower-PN wrap",
                            "    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()",
                            "    - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params",
                            "    - octeontx2-af: validate body pcifunc in rvu_mbox_handler_rep_event_notify",
                            "    - ipv6: exthdrs: refresh nh after handling HAO option",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().",
                            "    - ipv6: validate extension header length before copying to cmsg",
                            "    - xfrm: input: hold netns during deferred transport reinjection",
                            "    - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_changelink().",
                            "    - net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
                            "    - spi: spi-mem: avoid mutating op template in spi_mem_supports_op()",
                            "    - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()",
                            "    - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings",
                            "    - nfc: hci: fix out-of-bounds read in HCP header parsing",
                            "    - xfrm: route MIGRATE notifications to caller's netns",
                            "    - xfrm: ipcomp: Free destination pages on acomp errors",
                            "    - xfrm: ah: use skb_to_full_sk in async output callbacks",
                            "    - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417",
                            "    - ALSA: firewire-motu: Protect register DSP event queue positions",
                            "    - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without",
                            "      direction check",
                            "    - ASoC: qcom: q6asm-dai: close stream only when running",
                            "    - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger",
                            "      callbacks",
                            "    - xfrm: esp: restore combined single-frag length gate",
                            "    - ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP",
                            "    - xfrm: iptfs: reset runtime state when cloning SAs",
                            "    - dma-buf: fix UAF in dma_buf_fd() tracepoint",
                            "    - Input: xpad - add \"Nova 2 Lite\" from GameSir",
                            "    - Input: xpad - add support for ASUS ROG RAIKIRI II",
                            "    - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops",
                            "    - misc: rp1: Send IACK on IRQ activate to fix kdump/kexec",
                            "    - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem",
                            "    - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490",
                            "    - dt-bindings: usb: Fix EIC7700 USB reset's issue",
                            "    - comedi: comedi_test: fix check for valid scan_begin_src in",
                            "      waveform_ai_cmdtest()",
                            "    - comedi: comedi_test: Fix limiting of convert_arg in",
                            "      waveform_ai_cmdtest()",
                            "    - counter: Fix refcount leak in counter_alloc() error path",
                            "    - tty: serial: pch_uart: add check for dma_alloc_coherent()",
                            "    - tty: serial: samsung: Remove redundant port lock acquisition in rx",
                            "      helpers",
                            "    - uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory",
                            "    - usb: chipidea: core: convert ci_role_switch to local variable",
                            "    - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval",
                            "    - usb: dwc3: xilinx: fix error handling in zynqmp init error paths",
                            "    - usb: musb: omap2430: Fix use-after-free in omap2430_probe()",
                            "    - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub",
                            "      controllers",
                            "    - usb: storage: Add quirks for PNY Elite Portable SSD",
                            "    - usbip: vudc: Fix use after free bug in vudc_remove due to race condition",
                            "    - usb: usbtmc: check URB actual_length for interrupt-IN notifications",
                            "    - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize",
                            "    - usb: typec: tipd: Fix error code in tps6598x_probe()",
                            "    - usb: typec: tcpm: improve handling of DISCOVER_MODES failures",
                            "    - usb: typec: ucsi: Check if power role change actually happened before",
                            "      handling",
                            "    - usb: typec: ucsi: Don't update power_supply on power role change if not",
                            "      connected",
                            "    - USB: serial: option: add MeiG SRM813Q",
                            "    - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL",
                            "    - USB: serial: belkin_sa: validate interrupt status length",
                            "    - USB: serial: cypress_m8: validate interrupt packet headers",
                            "    - USB: serial: digi_acceleport: fix memory corruption with small endpoints",
                            "    - USB: serial: keyspan: fix missing indat transfer sanity check",
                            "    - USB: serial: mxuport: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check",
                            "    - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind",
                            "    - usb: gadget: net2280: Fix double free in probe error path",
                            "    - usb: gadget: f_hid: fix device reference leak in hidg_alloc()",
                            "    - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling",
                            "    - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports",
                            "    - usb: gadget: f_fs: copy only received bytes on short ep0 read",
                            "    - usb: gadget: f_fs: serialize DMABUF cancel against request completion",
                            "    - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()",
                            "    - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow",
                            "    - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()",
                            "    - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker",
                            "    - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32",
                            "    - scsi: target: iscsi: Fix CRC overread and double-free in",
                            "      iscsit_handle_text_cmd()",
                            "    - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf",
                            "    - scsi: target: iscsi: Validate CHAP_R length before base64 decode",
                            "    - drm/hyperv: validate resolution_count and fix WIN8 fallback",
                            "    - drm/hyperv: validate VMBus packet size in receive callback",
                            "    - drm/gem: fix race between change_handle and handle_delete",
                            "    - drm/i915/color: Fix HDR pre-CSC LUT programming loop",
                            "    - drm/i915/psr: Block DC states on vblank enable when Panel Replay",
                            "      supported",
                            "    - drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable",
                            "    - drm/i915: Fix potential UAF in TTM object purge",
                            "    - drm/amd/pm/si: Disregard vblank time when no displays are connected",
                            "    - serial: altera_jtaguart: handle uart_add_one_port() failures",
                            "    - serial: qcom-geni: fix UART_RX_PAR_EN bit position",
                            "    - serial: qcom_geni: fix kfifo underflow when flush precedes DMA",
                            "      completion IRQ",
                            "    - serial: sh-sci: fix memory region release in error path",
                            "    - serial: zs: Fix swapped RI/DSR modem line transition counting",
                            "    - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma",
                            "    - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr",
                            "    - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger",
                            "    - drm/amdkfd: Check for pdd drm file first in CRIU restore path",
                            "    - drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO",
                            "    - drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx",
                            "    - drm/amdgpu: fix amdgpu_hmm_range_get_pages",
                            "    - drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO",
                            "    - serial: dz: Fix bootconsole message clobbering at chip reset",
                            "    - serial: dz: Fix bootconsole handover lockup",
                            "    - serial: dz: Convert to use a platform device",
                            "    - serial: zs: Fix bootconsole handover lockup",
                            "    - serial: zs: Switch to using channel reset",
                            "    - serial: zs: Convert to use a platform device",
                            "    - serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)",
                            "    - serial: 8250: dispatch SysRq character in serial8250_handle_irq()",
                            "    - serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()",
                            "    - platform/x86/intel/vsec: Refactor base_addr handling",
                            "    - platform/x86/intel/vsec: Make driver_data info const",
                            "    - platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery",
                            "    - rxrpc: Fix RESPONSE packet verification to extract skb to a linear",
                            "      buffer",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook",
                            "      X",
                            "    - arm64: tlb: Flush walk cache when unsharing PMD tables",
                            "    - i2c: tegra: make tegra_i2c_mutex_unlock() return void",
                            "    - hwmon: (pmbus) Add support for guarded PMBus lock",
                            "    - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with",
                            "      pmbus_lock",
                            "    - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock",
                            "    - net: phy: micrel: fix LAN8814 QSGMII soft reset",
                            "    - xhci: tegra: Fix ghost USB device on dual-role port unplug",
                            "    - mailbox: Fix NULL message support in mbox_send_message()",
                            "    - usb: core: Fix SuperSpeed root hub wMaxPacketSize",
                            "    - tools: ynl: add scope qualifier for definitions",
                            "    - Linux 7.0.12",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46318",
                            "    - Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46322",
                            "    - tun: free page on build_skb failure in tun_xdp_one()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46320",
                            "    - tap: free page on error paths in tap_get_user_xdp()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46321",
                            "    - tun: free page on short-frame rejection in tun_xdp_one()",
                            "",
                            "  * CVE-2026-46316 // CVE-2026-46317",
                            "    - KVM: arm64: Reassign nested_mmus array behind mmu_lock",
                            "",
                            "  * CVE-2026-46316",
                            "    - KVM: arm64: vgic-its: Drop the translation cache reference only for the",
                            "      erased entry",
                            "    - KVM: arm64: Take the SRCU lock for page table walks in fault injection",
                            "      and AT emulation",
                            "",
                            "  * Resolute update: v7.0.11 upstream stable release (LP: #2156390)",
                            "    - iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs",
                            "    - iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
                            "    - ksmbd: close durable scavenger races against m_fp_list lookups",
                            "    - ata: libata-scsi: improve readability of ata_scsi_qc_issue()",
                            "    - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT",
                            "    - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS",
                            "    - ata: libata-scsi: do not needlessly defer commands when using PMP with",
                            "      FBS",
                            "    - sysfs: don't remove existing directory on update failure",
                            "    - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
                            "    - ksmbd: fix null pointer dereference in compare_guid_key()",
                            "    - ksmbd: fix null pointer dereference in proc_show_files()",
                            "    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow",
                            "    - ksmbd: validate SID in parent security descriptor during ACL inheritance",
                            "    - regulator: tps65219: fix irq_data.rdev not being assigned",
                            "    - x86/mm: Disable broadcast TLB flush when PCID is disabled",
                            "    - scripts/gdb: mm: cast untyped symbols in x86_page_ops",
                            "    - smb: client: require net admin for CIFS SWN netlink",
                            "    - smb: client: protect tc_count increment in",
                            "      smb2_find_smb_sess_tcon_unlocked()",
                            "    - smb: client: use data_len for SMB2 READ encrypted folioq copy",
                            "    - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close",
                            "    - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX",
                            "    - ALSA: ua101: Reject too-short USB descriptors",
                            "    - ALSA: pcm: Don't setup bogus iov_iter for silencing",
                            "    - ALSA: asihpi: Fix potential OOB array access at reading cache",
                            "    - ALSA: scarlett2: Allow flash writes ending at segment boundary",
                            "    - ACPI: battery: Fix system wakeup on critical battery status",
                            "    - efi: Allocate runtime workqueue before ACPI init",
                            "    - spi: amd: Set correct bus number in ACPI probe path",
                            "    - io_uring/waitid: clear waitid info before copying it to userspace",
                            "    - drivers/base/memory: fix memory block reference leak in poison",
                            "      accounting",
                            "    - ipv6: ioam: refresh hdr pointer before ioam6_event()",
                            "    - mm/memory: fix spurious warning when unmapping device-private/exclusive",
                            "      pages",
                            "    - mm: fix __vm_normal_page() to handle missing support for",
                            "      pmd_special()/pud_special()",
                            "    - mm/memory_hotplug: fix memory block reference leak on remove",
                            "    - mm/page_alloc: fix initialization of tags of the huge zero folio with",
                            "      init_on_free",
                            "    - mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page",
                            "    - selftests/mm: run_vmtests.sh: fix destructive tests invocation",
                            "    - mm/damon: fix damos_stat tracepoint format for sz_applied",
                            "    - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
                            "    - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
                            "    - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START",
                            "    - Bluetooth: bnep: Fix UAF read of dev->name",
                            "    - Bluetooth: hci_uart: fix UAFs and race conditions in close and init",
                            "      paths",
                            "    - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer",
                            "    - Bluetooth: hci_qca: Convert timeout from jiffies to ms",
                            "    - Bluetooth: MGMT: validate Add Extended Advertising Data length",
                            "    - Bluetooth: serialize accept_q access",
                            "    - phonet/pep: disable BH around forwarded sk_receive_skb()",
                            "    - net: bcmgenet: keep RBUF EEE/PM disabled",
                            "    - net: devmem: reject dma-buf bind with non-page-aligned size or SG length",
                            "    - net: phy: skip EEE advertisement write when autoneg is disabled",
                            "    - net: hsr: defer node table free until after RCU readers",
                            "    - net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover",
                            "    - net: ifb: report ethtool stats over num_tx_queues",
                            "    - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()",
                            "    - netfilter: ip6t_hbh: reject oversized option lists",
                            "    - netfilter: nf_queue: hold bridge skb->dev while queued",
                            "    - netfilter: ipset: stop hash:* range iteration at end",
                            "    - net: ethtool: fix NULL pointer dereference in phy_reply_size",
                            "    - net: ethtool: phy: avoid NULL deref when PHY driver is unbound",
                            "    - ACPI: driver: Check ACPI_COMPANION() against NULL during probe",
                            "    - sched_ext: Fix missing warning in scx_set_task_state() default case",
                            "    - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path",
                            "    - l2tp: use list_del_rcu in l2tp_session_unhash",
                            "    - qed: fix double free in qed_cxt_tables_alloc()",
                            "    - ring-buffer: Fix reporting of missed events in iterator",
                            "    - ring-buffer: Flush and stop persistent ring buffer on panic",
                            "    - wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb",
                            "    - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()",
                            "    - selftests: mptcp: drop nanoseconds width specifier",
                            "    - mptcp: pm: fix ADD_ADDR timer infinite retry on option space",
                            "      insufficient",
                            "    - vsock/vmci: fix UAF when peer resets connection during handshake",
                            "    - vsock/virtio: reset connection on receiving queue overflow",
                            "    - ice: fix VF queue configuration with low MTU values",
                            "    - wifi: ath11k: clear shared SRNG pointer state on restart",
                            "    - wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
                            "    - wifi: iwlwifi: mld: stop TX during firmware restart",
                            "    - ipv4: raw: reject IP_HDRINCL packets with ihl < 5",
                            "    - ixgbevf: fix use-after-free in VEPA multicast source pruning",
                            "    - rbd: eliminate a race in lock_dwork draining on unmap",
                            "    - mptcp: do not drop partial packets",
                            "    - mptcp: reset rcv wnd on disconnect",
                            "    - lsm: hold cred_guard_mutex for lsm_set_self_attr()",
                            "    - octeontx2-af: CGX: add bounds check to cgx_speed_mbps index",
                            "    - octeontx2-pf: fix double free in rvu_rep_rsrc_init()",
                            "    - igc: fix potential skb leak in igc_fpe_xmit_smd_frame()",
                            "    - ice: fix locking around wait_event_interruptible_locked_irq",
                            "    - ice: fix setting promisc mode while adding VID filter",
                            "    - ice: restore PTP Rx timestamp config after ethtool set-channels",
                            "    - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
                            "    - af_unix: Fix UAF read of tail->len in unix_stream_data_wait()",
                            "    - wifi: mac80211: consume only present negotiated TTLM maps",
                            "    - octeontx2-pf: avoid double free of pool->stack on AQ init failure",
                            "    - cifs: Fix busy dentry used after unmounting",
                            "    - tracing: Do not call map->ops->elt_free() if elt_alloc() fails",
                            "    - ASoC: codecs: pcm512x: fix null-ptr dereference in",
                            "      pcm512x_overclock_xxx_put()",
                            "    - arm64: probes: Handle probes on hinted conditional branch instructions",
                            "    - KVM: arm64: vgic-its: Reject restored DTE with out-of-range",
                            "      num_eventid_bits",
                            "    - KVM: arm64: vgic: Free private_irqs when init fails after allocation",
                            "    - KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum",
                            "      #1235)",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM",
                            "    - virt: sev-guest: Explicitly leak pages in unknown state",
                            "    - i2c: tegra: fix pm_runtime leak on mutex_lock failure",
                            "    - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe",
                            "    - spi: qup: fix error pointer deref after DMA setup failure",
                            "    - phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870",
                            "    - phy: tegra: xusb: Fix per-pad high-speed termination calibration",
                            "    - phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4",
                            "      fix",
                            "    - phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables",
                            "    - phy: qcom: edp: Add eDP/DP mode switch support",
                            "    - phy: qcom: edp: Fix AUX_CFG8 programming for DP mode",
                            "    - scsi: isci: Fix use-after-free in device removal path",
                            "    - spi: ep93xx: fix error pointer deref after DMA setup failure",
                            "    - spi: sprd: fix error pointer deref after DMA setup failure",
                            "    - spi: ti-qspi: fix use-after-free after DMA setup failure",
                            "    - mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()",
                            "    - RDMA/siw: Reject MPA FPDU length underflow before signed receive math",
                            "    - s390/cio: Restore GFP_DMA for CHSC allocation",
                            "    - s390/pai: Disable duplicate read of kernel PAI counter value",
                            "    - s390/pai: Fix missing PAI counter increments under heavy load",
                            "    - fwctl: pds: Validate RPC input size before parsing",
                            "    - LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions",
                            "    - LoongArch: Remove unused code to avoid build warning",
                            "    - cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E",
                            "    - device property: set fwnode->secondary to NULL in fwnode_init()",
                            "    - drm/i915/display: Copy color pipeline from plane in the primary joiner",
                            "      pipe",
                            "    - drm/msm: Fix shrinker deadlock",
                            "    - drm/v3d: Fix use-after-free of CPU job query arrays on error path",
                            "    - drm/v3d: Release indirect CSD GEM reference on CPU job free",
                            "    - drm/virtio: use uninterruptible resv lock for plane updates",
                            "    - drm/xe/multi_queue: Fix secondary queue error case",
                            "    - drm/amdgpu/vpe: Force collaborate sync after TRAP",
                            "    - drm/bridge: it66121: acquire reset GPIO in probe",
                            "    - drm/bridge: megachips: remove bridge when irq request fails",
                            "    - drm/amd/display: Fix integer overflow in bios_get_image()",
                            "    - drm/amd/display: Validate GPIO pin LUT table size before iterating",
                            "    - drm/amd/display: Validate payload length and link_index in",
                            "      dc_process_dmub_aux_transfer_async",
                            "    - batman-adv: v: stop OGMv2 on disabled interface",
                            "    - batman-adv: tvlv: abort OGM send on tvlv append failure",
                            "    - batman-adv: tvlv: reject oversized TVLV packets",
                            "    - batman-adv: iv: recover OGM scheduling after forward packet error",
                            "    - batman-adv: mcast: fix use-after-free in orig_node RCU release",
                            "    - batman-adv: clear current gateway during teardown",
                            "    - batman-adv: dat: handle forward allocation error",
                            "    - batman-adv: fix fragment reassembly length accounting",
                            "    - batman-adv: fix tp_meter counter underflow during shutdown",
                            "    - batman-adv: frag: disallow unicast fragment in fragment",
                            "    - batman-adv: bla: fix report_work leak on backbone_gw purge",
                            "    - batman-adv: bla: avoid double decrement of bla.num_requests",
                            "    - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface",
                            "    - batman-adv: tp_meter: avoid use of uninit sender vars",
                            "    - batman-adv: tp_meter: directly shut down timer on cleanup",
                            "    - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown",
                            "    - batman-adv: tp_meter: fix race condition in send error reporting",
                            "    - batman-adv: tp_meter: avoid role confusion in tp_list",
                            "    - batman-adv: tt: fix TOCTOU race for reported vlans",
                            "    - batman-adv: tt: reject oversized local TVLV buffers",
                            "    - batman-adv: tt: avoid empty VLAN responses",
                            "    - batman-adv: tt: fix negative last_changeset_len",
                            "    - batman-adv: tt: fix negative tt_buff_len",
                            "    - batman-adv: tt: prevent TVLV entry number overflow",
                            "    - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock",
                            "    - hwmon: (pmbus/adm1266) reject implausible blackbox record_count",
                            "    - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer",
                            "    - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized",
                            "      buffer",
                            "    - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR",
                            "    - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in",
                            "      get_multiple",
                            "    - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO",
                            "      accessors",
                            "    - pinctrl: mediatek: moore: implement gpio_chip::get_direction()",
                            "    - pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function",
                            "    - arm64: dts: renesas: r8a78000: Fix SCIF brg_int clocks",
                            "    - ARM: dts: renesas: genmai: Drop superfluous cells",
                            "    - ARM: dts: renesas: rskrza1: Drop superfluous cells",
                            "    - pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high",
                            "      pins during suspend/resume",
                            "    - pinctrl: renesas: rzg2l: Fix SMT register cache handling",
                            "    - pinctrl: meson: amlogic-a4: fix deadlock issue",
                            "    - pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615",
                            "    - kho: skip KHO for crash kernel",
                            "    - mm/memfd_luo: report error when restoring a folio fails mid-loop",
                            "    - HID: intel-thc-hid: Intel-quickspi: Fix some error codes",
                            "    - HID: uclogic: Fix regression of input name assignment",
                            "    - firmware: arm_ffa: Check for NULL FF-A ID table while driver",
                            "      registration",
                            "    - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure",
                            "    - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue",
                            "    - firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0",
                            "    - riscv: errata: Fix bitwise vs logical AND in MIPS errata patching",
                            "    - riscv: Fix register corruption from uninitialized cregs on error",
                            "    - riscv: mm: Fixup no5lvl failure when vaddr is invalid",
                            "    - kunit: config: Enable KUNIT_DEBUGFS by default",
                            "    - kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS",
                            "    - pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150",
                            "    - firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies",
                            "    - firmware: arm_ffa: Keep framework RX release under lock",
                            "    - firmware: arm_ffa: Validate framework notification message layout",
                            "    - firmware: arm_ffa: Align RxTx buffer size before mapping",
                            "    - firmware: arm_ffa: Snapshot notifier callbacks under lock",
                            "    - firmware: arm_ffa: Fix sched-recv callback partition lookup",
                            "    - ARM: integrator: Fix early initialization",
                            "    - ALSA: hda: cs35l56: Put ACPI device after setting companion",
                            "    - ALSA: hda: cs35l41: Put ACPI device on missing physical node",
                            "    - btrfs: tracepoints: fix sleep while in atomic context in",
                            "      btrfs_sync_file()",
                            "    - netfilter: x_tables: allow initial table replace without emitting audit",
                            "      log message",
                            "    - netfilter: x_tables: allocate hook ops while under mutex",
                            "    - netfilter: x_tables: unregister the templates first",
                            "    - netfilter: x_tables: add and use xt_unregister_table_pre_exit",
                            "    - netfilter: x_tables: add and use xtables_unregister_table_exit",
                            "    - netfilter: ebtables: move to two-stage removal scheme",
                            "    - netfilter: ebtables: close dangling table module init race",
                            "    - netfilter: x_tables: close dangling table module init race",
                            "    - netfilter: bridge: eb_tables: close module init race",
                            "    - netfilter: nf_conntrack_expect: restore helper propagation via",
                            "      expectation",
                            "    - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()",
                            "    - test_kprobes: clear kprobes between test runs",
                            "    - tcp: Fix imbalanced icsk_accept_queue count.",
                            "    - net: napi: Avoid gro timer misfiring at end of busypoll",
                            "    - net: shaper: Reject reparenting of existing nodes",
                            "    - idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
                            "    - ice: fix setting RSS VSI hash for E830",
                            "    - ice: fix locking in ice_dcb_rebuild()",
                            "    - ice: dpll: fix rclk pin state get for E810",
                            "    - ice: dpll: fix misplaced header macros",
                            "    - net: lan966x: avoid unregistering netdev on register failure",
                            "    - net: ti: icssm-prueth: fix eth_ports_node leak in probe",
                            "    - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register",
                            "      access",
                            "    - phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init()",
                            "    - NFSD: Fix infinite loop in layout state revocation",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC",
                            "    - fprobe: Fix unregister_fprobe() to wait for RCU grace period",
                            "    - fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap",
                            "    - fs: Fix return in jfs_mkdir and orangefs_mkdir",
                            "    - irqchip/ath79-cpu: Remove unused function",
                            "    - fs: fix forced iversion increment on lazytime timestamp updates",
                            "    - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter",
                            "      validation",
                            "    - nsfs: fix wrong error code returned for pidns ioctls",
                            "    - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT",
                            "    - nvme: fix bio leak on mapping failure",
                            "    - nvme-pci: fix use-after-free in nvme_free_host_mem()",
                            "    - zonefs: handle integer overflow in zonefs_fname_to_fno",
                            "    - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().",
                            "    - ASoC: SOF: amd: Fix error code handling in psp_send_cmd()",
                            "    - powerpc: 82xx: fix uninitialized pointers with free attribute",
                            "    - powerpc: fix dead default for GUEST_STATE_BUFFER_TEST",
                            "    - powerpc/hv-gpci: fix preempt count leak in sysfs show paths",
                            "    - netfs: Fix cancellation of a DIO and single read subrequests",
                            "    - netfs: Fix missing locking around retry adding new subreqs",
                            "    - netfs: Fix missing barriers when accessing stream->subrequests",
                            "      locklessly",
                            "    - netfs: Fix netfs_read_to_pagecache() to pause on subreq failure",
                            "    - netfs: Fix potential for tearing in ->remote_i_size and ->zero_point",
                            "    - netfs: Fix zeropoint update where i_size > remote_i_size",
                            "    - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call",
                            "    - netfs: Fix overrun check in netfs_extract_user_iter()",
                            "    - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes",
                            "      gone",
                            "    - netfs: Defer the emission of trace_netfs_folio()",
                            "    - netfs: Fix streaming write being overwritten",
                            "    - netfs: Fix potential deadlock in write-through mode",
                            "    - netfs: Fix read-gaps to remove netfs_folio from filled folio",
                            "    - netfs: Fix write streaming disablement if fd open O_RDWR",
                            "    - netfs: Fix early put of sink folio in netfs_read_gaps()",
                            "    - netfs: Fix leak of request in netfs_write_begin() error handling",
                            "    - netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()",
                            "    - netfs: Fix partial invalidation of streaming-write folio",
                            "    - netfs: Fix folio->private handling in netfs_perform_write()",
                            "    - netfs: Fix netfs_read_folio() to wait on writeback",
                            "    - netfs, afs: Fix write skipping in dir/link writepages",
                            "    - afs: Fix the locking used by afs_get_link()",
                            "    - net: ethernet: cortina: Make RX SKB per-port",
                            "    - net: ethernet: cortina: Drop half-assembled SKB",
                            "    - net: ethernet: cortina: Carry over frag counter",
                            "    - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference",
                            "    - wifi: ath11k: fix error path leaks in some WMI WOW calls",
                            "    - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()",
                            "    - wifi: ath10k: skip WMI and beacon transmission when device is wedged",
                            "    - net: shaper: flip the polarity of the valid flag",
                            "    - net: shaper: fix trivial ordering issue in net_shaper_commit()",
                            "    - net: shaper: reject duplicate leaves in GROUP request",
                            "    - net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit",
                            "    - net: shaper: fix undersized reply skb allocation in GROUP command",
                            "    - net: shaper: enforce singleton NETDEV scope with id 0",
                            "    - net: shaper: reject QUEUE scope handle with missing id",
                            "    - block: don't overwrite bip_vcnt in bio_integrity_copy_user()",
                            "    - block: recompute nr_integrity_segments in blk_insert_cloned_request",
                            "    - HID: quirks: really enable the intended work around for appledisplay",
                            "    - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()",
                            "    - accel/qaic: Add overflow check to remap_pfn_range during mmap",
                            "    - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint",
                            "    - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics",
                            "    - drm/msm/dpu: fix UV scanlines calculation for YUV UBWC formats",
                            "    - drm/msm/dpu: Fix Kaanapali CWB register configuration",
                            "    - drm/msm/dsi: don't dump registers past the mapped region",
                            "    - drm/msm/dpu: don't mix devm and drmm functions",
                            "    - block: rename struct gendisk zone_wplugs_lock field",
                            "    - block: allow submitting all zone writes from a single context",
                            "    - block: fix handling of dead zone write plugs",
                            "    - selftests: ublk: cap nthreads to kernel's actual nr_hw_queues",
                            "    - x86/mce: Restore MCA polling interval halving",
                            "    - Documentation: intel_pstate: Fix description of asymmetric packing with",
                            "      SMT",
                            "    - drm/msm: Fix GMEM_BASE for A650",
                            "    - drm/msm/a6xx: Add soft fuse detection support",
                            "    - drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()",
                            "    - drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx",
                            "    - drm/msm/a6xx: Restore sysprof_active",
                            "    - drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN",
                            "    - drm/msm/a6xx: Check kzalloc return in a8xx_hfi_send_perf_table",
                            "    - ASoC: intel: sof_sdw: Prepare for configuration without a jack",
                            "    - ASoC: sdw_utils: cs42l43: allow spk component names to be combined",
                            "    - ASoC: sdw_utils: Check speaker component string allocation",
                            "    - riscv: Docs: fix unmatched quote warning",
                            "    - powerpc/time: Remove redundant preempt_disable|enable() calls from",
                            "      arch_irq_work_raise()",
                            "    - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot",
                            "    - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring",
                            "    - net: tls: prevent chain-after-chain in plain text SG",
                            "    - net: phy: DP83TC811: add reading of abilities",
                            "    - ovpn: tcp - use cached peer pointer in ovpn_tcp_close()",
                            "    - ovpn: respect peer refcount in CMD_NEW_PEER error path",
                            "    - ovpn: fix race between deleting interface and adding new peer",
                            "    - cifs: client: stage smb3_reconfigure() updates and restore ctx on",
                            "      failure",
                            "    - phy: apple: atc: Fix typec switch/mux leak on unbind",
                            "    - gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE",
                            "    - x86/xen: Fix xen_e820_swap_entry_with_ram()",
                            "    - vfio/pci: Check BAR resources before exporting a DMABUF",
                            "    - ovpn: disable BHs when updating device stats",
                            "    - tls: Preserve sk_err across recvmsg() when data has been copied",
                            "    - net/mlx5: Do not restore destination-less TC rules",
                            "    - net/mlx5: Skip disabled vports when setting max TX speed",
                            "    - scsi: sd: Fix return code handling in sd_spinup_disk()",
                            "    - ASoC: codecs: fs210x: fix possible buffer overflow",
                            "    - iommupt: Directly call iommupt's unmap_range()",
                            "    - iommupt: Avoid rewalking during map",
                            "    - iommu: Fix loss of errno on map failure for classic ops",
                            "    - iommu: Fix up map/unmap debugging for iommupt domains",
                            "    - iommu: Handle unmap error when iommu_debug is enabled",
                            "    - iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap",
                            "    - iommupt: Fix the end_index calculation in __map_range_leaf()",
                            "    - ALSA: scarlett2: Add missing error check when initialise Autogain Status",
                            "    - ALSA: hda/ca0132: Disable auto-detect on manual output select",
                            "    - cachefiles: Fix error return when vfs_mkdir() fails",
                            "    - io_uring/net: punt IORING_OP_BIND async if it needs file create",
                            "    - vsock/virtio: fix zerocopy completion for multi-skb sends",
                            "    - btrfs: check for subvolume before deleting squota qgroup",
                            "    - btrfs: fix squota accounting during enable generation",
                            "    - ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging",
                            "    - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()",
                            "    - netfilter: nft_inner: release local_lock before re-enabling softirqs",
                            "    - ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5",
                            "    - drm/msm/snapshot: fix dumping of the unaligned regions",
                            "    - hwmon: (lm90) Stop work before releasing hwmon device",
                            "    - hwmon: (lm90) Add lock protection to lm90_alert",
                            "    - wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is",
                            "      disabled",
                            "    - wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it",
                            "    - dma-mapping: move dma_map_resource() sanity check into debug code",
                            "    - drm/gem: Make the GEM LRU lock part of drm_device",
                            "    - drm/xe/gsc: Fix double-free of managed BO in error path",
                            "    - drm/xe/vf: Fix signature of print functions",
                            "    - drm/xe/pf: Fix CFI failure in debugfs access",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019988906",
                            "    - drm/xe: Consolidate workaround entries for Wa_18033852989",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN1",
                            "    - drm/xe/tuning: Apply windower hardware filtering setting on Xe3 and Xe3p",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN4",
                            "    - wifi: ath11k: fix peer resolution on rx path when peer_id=0",
                            "    - wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing",
                            "    - drm/mediatek: mtk_hdmi_ddc_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_cec: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable",
                            "    - io_uring: propagate array_index_nospec opcode into req->opcode",
                            "    - srcu: Don't queue workqueue handlers to never-online CPUs",
                            "    - cgroup/rstat: validate cpu before css_rstat_cpu() access",
                            "    - net/mlx5e: xsk: Fix unlocked writing to ICOSQ",
                            "    - cifs: Fix undefined variables",
                            "    - ice: ptp: serialize E825 PHY timer start with PTP lock",
                            "    - ice: ptp: use primary NAC semaphore on E825",
                            "    - igc: set tx buffer type for SMD frames",
                            "    - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP",
                            "    - phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config",
                            "    - kbuild: pacman-pkg: make \"rc\" releases adhere to pacman versioning",
                            "      scheme",
                            "    - net: dsa: mt7530: fix FDB entries not aging out with short timeout",
                            "    - net: dsa: mt7530: preserve VLAN tags on trapped link-local frames",
                            "    - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer",
                            "    - platform/surface: aggregator_registry: omit battery & AC nodes on",
                            "      Surface Laptop 7",
                            "    - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL",
                            "    - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel_sar: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: uniwill-laptop: Properly initialize charging threshold",
                            "    - platform/x86: uniwill-laptop: Accept charging threshold of 0",
                            "    - platform/x86: uniwill-laptop: Fix behavior of \"force\" module param",
                            "    - platform/x86: asus-armoury: fix mini-LED mode get/set on MODE2 devices",
                            "    - ASoC: soc-utils: Add missing va_end in snd_soc_ret()",
                            "    - drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti (v2)",
                            "    - drm/amdgpu/vce1: Check that the GPU address is < 128 MiB",
                            "    - drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets",
                            "    - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port",
                            "    - RDMA/rtrs: Fix use-after-free in path file creation cleanup",
                            "    - bridge: mcast: Fix a possible use-after-free when removing a bridge port",
                            "    - net: phy: honor eee_disabled_modes in phy_support_eee()",
                            "    - net: phy: honor eee_disabled_modes in phy_advertise_eee_all()",
                            "    - net: airoha: Fix NPU RX DMA descriptor bits",
                            "    - pds_core: fix error handling in pdsc_devcmd_wait",
                            "    - pds_core: fix debugfs_lookup dentry leak and error handling",
                            "    - erofs: fix managed cache race for unaligned extents",
                            "    - erofs: harden h_shared_count in erofs_init_inode_xattrs()",
                            "    - erofs: fix metabuf leak in inode xattr initialization",
                            "    - wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs",
                            "    - wifi: mac80211: fix MLE defragmentation",
                            "    - wifi: mac80211: fix multi-link element inheritance",
                            "    - wifi: wilc1000: fix dma_buffer leak on bus acquire failure",
                            "    - ALSA: seq: Serialize UMP output teardown with event_input",
                            "    - cgroup: rstat: relax NMI guard after switch to try_cmpxchg",
                            "    - tracing: Avoid NULL return from hist_field_name() on truncation",
                            "    - Bluetooth: hci_sync: Fix not setting mask for",
                            "      HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE",
                            "    - Bluetooth: btintel_pcie: Fix incorrect MAC access programming",
                            "    - Bluetooth: btmtk: fix urb->setup_packet leak in error paths",
                            "    - udp: gso: Fix handling checksum in __udp_gso_segment",
                            "    - udp: Fix UDP length on last GSO_PARTIAL segment",
                            "    - net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA",
                            "    - net: shaper: annotate the data races",
                            "    - net: shaper: rework the VALID marking (again)",
                            "    - crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks",
                            "    - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg",
                            "    - net: ag71xx: check error for platform_get_irq",
                            "    - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx",
                            "    - tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction",
                            "    - net: stmmac: eswin: fix HSP CSR init ordering after clock enable",
                            "    - net: stmmac: eswin: clear TXD and RXD delay registers during",
                            "      initialization",
                            "    - net: stmmac: eswin: correct RGMII delay granularity to 20 ps",
                            "    - net: stmmac: eswin: validate RGMII delay values",
                            "    - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed",
                            "    - gpio: aggregator: fix a potential use-after-free",
                            "    - gpio: aggregator: stop using dev-sync-probe",
                            "    - gpio: aggregator: remove the software node when deactivating the",
                            "      aggregator",
                            "    - gpio: aggregator: lock device when calling device_is_bound()",
                            "    - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()",
                            "    - drm/xe/oa: Fix exec_queue leak on width check in stream open",
                            "    - ASoC: cs-amp-lib: Fix wrong sizeof() in",
                            "      _cs_amp_set_efi_calibration_data()",
                            "    - ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup()",
                            "    - selftests: net: Fix checksums in xdp_native",
                            "    - nvme-pci: fix dma_vecs leak on p2p memory",
                            "    - nvme-pci: fix dma mapping leak on data setup error",
                            "    - octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs",
                            "    - net: mana: validate rx_req_idx to prevent out-of-bounds array access",
                            "    - tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR",
                            "    - net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback",
                            "    - pds_core: ensure null-termination for firmware version strings",
                            "    - net: enetc: fix missing error code when pf->vf_state allocation fails",
                            "    - io_uring/nop: pass all errors to userspace",
                            "    - blk-mq: pop cached request if it is usable",
                            "    - ksmbd: fix durable reconnect error path file lifetime",
                            "    - LoongArch: kprobes: Fix handling of fatal unrecoverable recursions",
                            "    - block: avoid use-after-free in disk_free_zone_resources()",
                            "    - Documentation: laptops: Update documentation for uniwill laptops",
                            "    - platform/x86: uniwill-laptop: Do not enable the charging limit even when",
                            "      forced",
                            "    - drm/msm: Restore second parameter name in purge() and evict()",
                            "    - security/keys: fix missed RCU read section on lookup",
                            "    - Linux 7.0.11",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385)",
                            "    - blk-cgroup: wait for blkcg cleanup before initializing new disk",
                            "    - md: suppress spurious superblock update error message for dm-raid",
                            "    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
                            "    - fs/mbcache: cancel shrink work before destroying the cache",
                            "    - md/raid1: fix the comparing region of interval tree",
                            "    - fs: fix archiecture-specific compat_ftruncate64",
                            "    - drbd: Balance RCU calls in drbd_adm_dump_devices()",
                            "    - loop: fix partition scan race between udev and loop_reread_partitions()",
                            "    - block: fix zones_cond memory leak on zone revalidation error paths",
                            "    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()",
                            "    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()",
                            "    - pstore/ram: fix resource leak when ioremap() fails",
                            "    - erofs: include the trailing NUL in FS_IOC_GETFSLABEL",
                            "    - md: fix array_state=clear sysfs deadlock",
                            "    - ublk: reset per-IO canceled flag on each fetch",
                            "    - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()",
                            "    - erofs: handle 48-bit blocks/uniaddr for extra devices",
                            "    - md: remove unused static md_wq workqueue",
                            "    - md: wake raid456 reshape waiters before suspend",
                            "    - dcache: permit dynamic_dname()s up to NAME_MAX",
                            "    - btrfs: fix the inline compressed extent check in inode_need_compress()",
                            "    - btrfs: fix deadlock between reflink and transaction commit when using",
                            "      flushoncommit",
                            "    - btrfs: do not reject a valid running dev-replace",
                            "    - OPP: debugfs: Use performance level if available to distinguish between",
                            "      rates",
                            "    - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()",
                            "    - ACPI: x86: cmos_rtc: Clean up address space handler driver",
                            "    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver",
                            "    - devres: fix missing node debug info in devm_krealloc()",
                            "    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags",
                            "    - debugfs: check for NULL pointer in debugfs_create_str()",
                            "    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()",
                            "    - soundwire: debugfs: initialize firmware_file to empty string",
                            "    - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()",
                            "    - amd-pstate: Update cppc_req_cached in fast_switch case",
                            "    - cpufreq: Pass the policy to cpufreq_driver->adjust_perf()",
                            "    - PCI: use generic driver_override infrastructure",
                            "    - platform/wmi: use generic driver_override infrastructure",
                            "    - vdpa: use generic driver_override infrastructure",
                            "    - s390/cio: use generic driver_override infrastructure",
                            "    - s390/ap: use generic driver_override infrastructure",
                            "    - bus: fsl-mc: use generic driver_override infrastructure",
                            "    - locking/mutex: Rename mutex_init_lockep()",
                            "    - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC",
                            "    - irqchip/irq-pic32-evic: Address warning related to wrong printf()",
                            "      formatter",
                            "    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()",
                            "    - hrtimer: Reduce trace noise in hrtimer_start()",
                            "    - locking: Fix rwlock and spinlock lock context annotations",
                            "    - signal: Fix the lock_task_sighand() annotation",
                            "    - ww-mutex: Fix the ww_acquire_ctx function annotations",
                            "    - perf/amd/ibs: Account interrupt for discarded samples",
                            "    - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR",
                            "    - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler",
                            "    - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE",
                            "    - rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`",
                            "    - sparc64: vdso: Link with -z noexecstack",
                            "    - scripts/gdb: timerlist: Adapt to move of tk_core",
                            "    - locking: Fix rwlock support in <linux/spinlock_up.h>",
                            "    - sched/topology: Compute sd_weight considering cpuset partitions",
                            "    - x86/irqflags: Preemptively move include paravirt.h directive where it",
                            "      belongs",
                            "    - sched/topology: Fix sched_domain_span()",
                            "    - irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()",
                            "    - ASoC: Intel: avs: Check maximum valid CPUID leaf",
                            "    - ASoC: Intel: avs: Include CPUID header at file scope",
                            "    - x86/vdso: Clean up remnants of VDSO32_NOTE_MASK",
                            "    - firmware: dmi: Correct an indexing error in dmi.h",
                            "    - fs/resctrl: Report invalid domain ID when parsing io_alloc_cbm",
                            "    - sched: Make class_schedulers avoid pushing current, and get rid of",
                            "      proxy_tag_curr()",
                            "    - sched/rt: Skip group schedulable check with rt_group_sched=0",
                            "    - wifi: ath11k: fix memory leaks in beacon template setup",
                            "    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()",
                            "    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished",
                            "      irq_prepare_bcn_tasklet",
                            "    - bpf: test_run: Fix the null pointer dereference issue in",
                            "      bpf_lwt_xmit_push_encap",
                            "    - wifi: ath12k: account TX stats only when ACK/BA status is present",
                            "    - wifi: ath12k: Fix legacy rate mapping for monitor mode capture",
                            "    - selftests/bpf: Handle !CONFIG_SMC in bpf_smc.c",
                            "    - wifi: ieee80211: fix definition of EHT-MCS 15 in MRU",
                            "    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH",
                            "    - [Config] Disable CONFIG_FSL_DPAA2_SWITCH on armhf and ppc64el",
                            "    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n",
                            "    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments",
                            "    - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy",
                            "    - powerpc/64s: Fix unmap race with PMD migration entries",
                            "    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n",
                            "    - wifi: libertas: use USB anchors for tracking in-flight URBs",
                            "    - wifi: libertas: don't kill URBs in interrupt context",
                            "    - bpf: Do not allow deleting local storage in NMI",
                            "    - selftests/nolibc: fix test_file_stream() on musl libc",
                            "    - selftests/nolibc: Fix build with host headers and libc",
                            "    - tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to",
                            "      'outbuf[]'",
                            "    - tools/nolibc/printf: Move snprintf length check to callback",
                            "    - tools/nolibc: MIPS: fix clobbers of 'lo' and 'hi' registers on different",
                            "      ISAs",
                            "    - tools/nolibc: avoid -Wundef warning for __STDC_VERSION__",
                            "    - wifi: mt76: mt7996: fix the behavior of radar detection",
                            "    - wifi: mt76: mt7996: fix iface combination for different chipsets",
                            "    - wifi: mt76: mt7996: Set mtxq->wcid just for primary link",
                            "    - wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in",
                            "      mt7996_vif_link_remove()",
                            "    - wifi: mt76: mt7996: Switch to the secondary link if the default one is",
                            "      removed",
                            "    - wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()",
                            "    - wifi: mt76: mt7996: Reset ampdu_state state in case of failure in",
                            "      mt7996_tx_check_aggr()",
                            "    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in",
                            "      mt76_connac2_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control",
                            "    - wifi: mt76: mt7615: fix use_cts_prot support",
                            "    - wifi: mt76: mt7915: fix use_cts_prot support",
                            "    - wifi: mt76: mt7925: prevent NULL pointer dereference in",
                            "      mt7925_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: prevent NULL vif dereference in",
                            "      mt7925_mac_write_txwi",
                            "    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor",
                            "    - wifi: mt76: mt7921: Place upper limit on station AID",
                            "    - wifi: mt76: Fix memory leak destroying device",
                            "    - wifi: mt76: mt7996: Fix NPU stop procedure",
                            "    - wifi: mt76: npu: Add missing rx_token_size initialization",
                            "    - wifi: mt76: mt7925: drop puncturing handling from BSS change path",
                            "    - wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync",
                            "    - wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()",
                            "    - wifi: mt76: mt7925: fix tx power setting failure after chip reset",
                            "    - wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync",
                            "    - wifi: mt76: fix deadlock in remain-on-channel",
                            "    - wifi: mt76: fix backoff fields and max_power calculation",
                            "    - arm64: cpufeature: Make PMUVer and PerfMon unsigned",
                            "    - bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI",
                            "    - wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP",
                            "    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event",
                            "    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()",
                            "    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()",
                            "    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection",
                            "    - wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property",
                            "    - wifi: mt76: mt7996: Remove link pointer dependency in",
                            "      mt7996_mac_sta_remove_links()",
                            "    - wifi: mt76: mt7996: Decrement sta counter removing the link in",
                            "      mt7996_mac_reset_sta_iter()",
                            "    - wifi: mt76: fix multi-radio on-channel scanning",
                            "    - wifi: mt76: support upgrading passive scans to active",
                            "    - wifi: mt76: mt7996: fix RRO EMU configuration",
                            "    - bpf: Fix refcount check in check_struct_ops_btf_id()",
                            "    - selftests/bpf: Fix sockmap_multi_channels reliability",
                            "    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
                            "    - bpf: Fix variable length stack write over spilled pointers",
                            "    - arm_mpam: Ensure in_reset_state is false after applying configuration",
                            "    - arm_mpam: Reset when feature configuration bit unset",
                            "    - bpf,arc_jit: Fix missing newline in pr_err messages",
                            "    - wifi: rtw89: phy: fix uninitialized variable access in",
                            "      rtw89_phy_cfo_set_crystal_cap()",
                            "    - drivers/vfio_pci_core: Change PXD_ORDER check from switch case to",
                            "      if/else block",
                            "    - r8152: fix incorrect register write to USB_UPHY_XTAL",
                            "    - selftests/tracing: Fix to make --logdir option work again",
                            "    - selftests/tracing: Fix to check awk supports non POSIX strtonum()",
                            "    - powerpc/crash: fix backup region offset update to elfcorehdr",
                            "    - powerpc/crash: Update backup region offset in elfcorehdr on memory",
                            "      hotplug",
                            "    - bpf: Fix abuse of kprobe_write_ctx via freplace",
                            "    - macvlan: annotate data-races around port->bc_queue_len_used",
                            "    - bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK",
                            "    - bpf: Fix stale offload->prog pointer after constant blinding",
                            "    - net: ethernet: ti-cpsw:: rename soft_reset() function",
                            "    - net: ethernet: ti-cpsw: fix linking built-in code to modules",
                            "    - wifi: brcmfmac: Fix error pointer dereference",
                            "    - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()",
                            "    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable",
                            "      hooks",
                            "    - bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes",
                            "    - wifi: ath10k: fix station lookup failure during disconnect",
                            "    - bpf: Fix linked reg delta tracking when src_reg == dst_reg",
                            "    - net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT",
                            "    - net: plumb drop reasons to __dev_queue_xmit()",
                            "    - net: qdisc_pkt_len_segs_init() cleanup",
                            "    - net: pull headers in qdisc_pkt_len_segs_init()",
                            "    - arm64: entry: Don't preempt with SError or Debug masked",
                            "    - ACPI: AGDI: fix missing newline in error message",
                            "    - arm64: kexec: Remove duplicate allocation for trans_pgd",
                            "    - bpf: Propagate error from visit_tailcall_insn",
                            "    - bpf: Fix ld_{abs,ind} failure path analysis in subprogs",
                            "    - bpf: Remove static qualifier from local subprog pointer",
                            "    - mptcp: better mptcp-level RTT estimator",
                            "    - bpf: Fix use-after-free in offloaded map/prog info fill",
                            "    - macsec: Support VLAN-filtering lower devices",
                            "    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb",
                            "    - net: bcmgenet: fix leaking free_bds",
                            "    - net: bcmgenet: fix racing timeout handler",
                            "    - net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()",
                            "    - eth: fbnic: Use wake instead of start",
                            "    - netfilter: xt_socket: enable defrag after all other checks",
                            "    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding",
                            "    - bpf: fix mm lifecycle in open-coded task_vma iterator",
                            "    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks",
                            "    - bpf: return VMA snapshot from task_vma iterator",
                            "    - bpf: Fix RCU stall in bpf_fd_array_map_clear()",
                            "    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf",
                            "    - net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available",
                            "    - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars",
                            "    - selftests/bpf: fix __jited_unpriv tag name",
                            "    - net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
                            "    - net/sched: act_ct: Only release RCU read lock after ct_ft",
                            "    - selftests: netfilter: nft_tproxy.sh: adjust to socat changes",
                            "    - net: mana: Use pci_name() for debugfs directory naming",
                            "    - net: mana: Move current_speed debugfs file to mana_init_port()",
                            "    - net: airoha: Add missing RX_CPU_IDX() configuration in",
                            "      airoha_qdma_cleanup_rx_queue()",
                            "    - net_sched: fix skb memory leak in deferred qdisc drops",
                            "    - bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
                            "    - bpf: Allow instructions with arena source and non-arena dest registers",
                            "    - selftests/bpf: Fix reg_bounds to match new tnum-based refinement",
                            "    - net/rds: Optimize rds_ib_laddr_check",
                            "    - net/rds: Restrict use of RDS/IB to the initial network namespace",
                            "    - bpf: Fix OOB in pcpu_init_value",
                            "    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls",
                            "    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG",
                            "    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+",
                            "    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110",
                            "    - net: phy: fix a return path in get_phy_c45_ids()",
                            "    - net/mlx5e: Fix features not applied during netdev registration",
                            "    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()",
                            "    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers",
                            "    - net: fix skb_ext_total_length() BUILD_BUG_ON with",
                            "      CONFIG_GCOV_PROFILE_ALL",
                            "    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb",
                            "    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds",
                            "      MTU",
                            "    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error",
                            "    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
                            "    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp",
                            "    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to",
                            "      sco_pi(sk)->codec",
                            "    - net: phy: qcom: at803x: Use the correct bit to disable extended next",
                            "      page",
                            "    - udp: Force compute_score to always inline",
                            "    - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().",
                            "    - sctp: fix missing encap_port propagation for GSO fragments",
                            "    - sctp: disable BH before calling udp_tunnel_xmit_skb()",
                            "    - selftests/namespaces: remove unused utils.h include from",
                            "      listns_efault_test",
                            "    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master",
                            "    - net: airoha: Fix VIP configuration for AN7583 SoC",
                            "    - net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()",
                            "    - drm/panel: ilitek-ili9882t: Select DRM_DISPLAY_DSC_HELPER",
                            "    - selftests/futex: Fix incorrect result reporting of futex_requeue test",
                            "      item",
                            "    - drm/komeda: fix integer overflow in AFBC framebuffer size check",
                            "    - dma-fence: Fix sparse warnings due __rcu annotations",
                            "    - drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()",
                            "    - drm/virtio: Allow importing prime buffers when 3D is enabled",
                            "    - ASoC: soc-compress: use function to clear symmetric params",
                            "    - PCI/TPH: Allow TPH enable for RCiEPs",
                            "    - PCI: endpoint: pci-epf-vntb: Fix MSI doorbell IRQ unwind",
                            "    - PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested",
                            "    - PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc",
                            "    - drm/sun4i: mixer: Fix layer init code",
                            "    - drm/sun4i: backend: fix error pointer dereference",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019877138",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019386621",
                            "    - drm/xe/xe2_hpg: Drop invalid workaround Wa_15010599737",
                            "    - gpu: nova-core: gsp: use empty slices instead of [0..0] ranges",
                            "    - gpu: nova-core: gsp: fix improper handling of empty slot in cmdq",
                            "    - drm/amdkfd: Removed commented line for MQD queue priority",
                            "    - PCI: imx6: Fix device node reference leak in imx_pcie_probe()",
                            "    - crypto: inside-secure/eip93 - fix register definition",
                            "    - ASoC: sti: Return errors from regmap_field_alloc()",
                            "    - ASoC: sti: use managed regmap_field allocations",
                            "    - dm cache: fix null-deref with concurrent writes in passthrough mode",
                            "    - dm cache: fix write path cache coherency in passthrough mode",
                            "    - dm cache: fix write hang in passthrough mode",
                            "    - dm cache policy smq: fix missing locks in invalidating cache blocks",
                            "    - dm cache: fix concurrent write failure in passthrough mode",
                            "    - dm cache: fix dirty mapping checking in passthrough mode switching",
                            "    - dm-mpath: don't stop probing paths at presuspend",
                            "    - drm/amd/ras: Fix type size of remainder argument",
                            "    - dt-bindings: mmc: dwcmshc-sdhci: Fix resets array validation",
                            "    - drm/amdgpu: GFX12.1 scratch memory limit up to 57-bit",
                            "    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove",
                            "    - gpu: nova-core: use checked arithmetic in FWSEC firmware parsing",
                            "    - gpu: nova-core: create falcon firmware DMA objects lazily",
                            "    - gpu: nova-core: falcon: rename load parameters to reflect DMA dependency",
                            "    - gpu: nova-core: firmware: fix and explain v2 header offsets computations",
                            "    - PCI: dwc: ep: Fix MSI-X Table Size configuration in",
                            "      dw_pcie_ep_set_msix()",
                            "    - PCI: dwc: ep: Mirror the max link width and speed fields to all",
                            "      functions",
                            "    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()",
                            "    - dm cache metadata: fix memory leak on metadata abort retry",
                            "    - dm log: fix out-of-bounds write due to region_count overflow",
                            "    - iopoll: fix function parameter names in read_poll_timeout_atomic()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier",
                            "      in atomic_enable()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to",
                            "      drm_bridge_funcs",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge",
                            "      atomic check",
                            "    - spi: nxp-xspi: Use reinit_completion() for repeated operations",
                            "    - spi: nxp-fspi: Use reinit_completion() for repeated operations",
                            "    - spi: fsl-qspi: Use reinit_completion() for repeated operations",
                            "    - spi: axiado: Remove redundant pm_runtime_mark_last_busy() call",
                            "    - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe",
                            "    - media: synopsys: VIDEO_DW_MIPI_CSI2RX should depend on ARCH_ROCKCHIP",
                            "    - [Config] VIDEO_DW_MIPI_CSI2RX depends on ARCH_ROCKCHIP",
                            "    - drm/amd/pm: Fix xgmi max speed reporting",
                            "    - spi: atcspi200: fix mutex initialization order",
                            "    - selftests/sched_ext: Add missing error check for exit__load()",
                            "    - drm/v3d: Handle error from drm_sched_entity_init()",
                            "    - drm/sun4i: Fix resource leaks",
                            "    - crypto: inside-secure/eip93 - register hash before authenc algorithms",
                            "    - PCI: rzg3s-host: Fix reset handling in probe error path",
                            "    - PCI: rzg3s-host: Reorder reset assertion during suspend",
                            "    - dt-bindings: PCI: renesas,r9a08g045s33-pcie: Fix naming properties",
                            "    - iommu/riscv: Add IOTINVAL after updating DDT/PDT entries",
                            "    - iommu/riscv: Skip IRQ count check when using MSI interrupts",
                            "    - iommu/riscv: Add missing GENERIC_MSI_IRQ",
                            "    - iommu/riscv: Stop polling when CQCSR reports an error",
                            "    - drm/amdkfd: Update queue properties for metadata ring",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()",
                            "    - drm/amdgpu: Add default case in DVI mode validation",
                            "    - regulator: dt-bindings: fp9931: Make vin-supply property as required",
                            "    - regulator: fp9931: Fix handling of mandatory \"vin\" supply",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()",
                            "    - drm/amdgpu: Drop redundant queue NULL check in hang detect worker",
                            "    - drm/amdgpu: Remove dead negative offset check in",
                            "      amdgpu_virt_init_critical_region()",
                            "    - dm init: ensure device probing has finished in dm-mod.waitfor=",
                            "    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build",
                            "      break",
                            "    - crypto: simd - reject compat registrations without __ prefixes",
                            "    - crypto: tegra - Disable softirqs before finalizing request",
                            "    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs",
                            "    - padata: Remove cpu online check from cpu add and removal",
                            "    - padata: Put CPU offline callback in ONLINE section to allow failure",
                            "    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the",
                            "      documentation",
                            "    - accel/amdxdna: fix missing newline in pr_err message",
                            "    - drm/amd/ras: Remove redundant NULL check in pending bad-bank list",
                            "      iteration",
                            "    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority",
                            "    - drm/amdgpu/gfx11: look at the right prop for gfx queue priority",
                            "    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo",
                            "    - PCI: sky1: Fix missing cleanup of ECAM config on probe failure",
                            "    - drm/imagination: Switch reset_reason fields from enum to u32",
                            "    - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()",
                            "    - iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement",
                            "    - drm/msm: add missing MODULE_DEVICE_ID definitions",
                            "    - drm/msm/dpu: fix mismatch between power and frequency",
                            "    - drm/msm/dsi: add the missing parameter description",
                            "    - drm/msm/dpu: don't try using 2 LMs if only one DSC is available",
                            "    - drm/msm/dsi: fix bits_per_pclk",
                            "    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel",
                            "    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0",
                            "    - ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode",
                            "    - tools/sched_ext: scx_pair: fix pair_ctx indexing for CPU pairs",
                            "    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first",
                            "    - drm/panel: simple: Correct G190EAN01 prepare timing",
                            "    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion",
                            "      support",
                            "    - PCI: Prevent shrinking bridge window from its required size",
                            "    - PCI: Fix premature removal from realloc_head list during resource",
                            "      assignment",
                            "    - crypto: hisilicon/sec2 - prevent req used-after-free for sec",
                            "    - PCI: Fix alignment calculation for resource size larger than align",
                            "    - iommu/riscv: Fix signedness bug",
                            "    - ALSA: core: Validate compress device numbers without dynamic minors",
                            "    - drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths",
                            "    - ASoC: amd: acp: update dmic_num logic for acp pdm dmic",
                            "    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled",
                            "    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs",
                            "    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock",
                            "    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0",
                            "    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels",
                            "    - drm/amd/pm/ci: Fill DW8 fields from SMC",
                            "    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board",
                            "    - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled",
                            "    - PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors",
                            "    - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback",
                            "    - ALSA: hda/realtek: fix bad indentation for alc269",
                            "    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace",
                            "      '}')",
                            "    - ASoC: SOF: Intel: hda: Place check before dereference",
                            "    - drm/msm/vma: Avoid lock in VM_BIND fence signaling path",
                            "    - drm/msm/a6xx: Add missing aperture_lock init",
                            "    - drm/msm: Reject fb creation from _NO_SHARE objs",
                            "    - drm/msm: Fix VM_BIND UNMAP locking",
                            "    - drm/msm/a6xx: Fix HLSQ register dumping",
                            "    - drm/msm/shrinker: Fix can_block() logic",
                            "    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks",
                            "    - drm/msm/a6xx: Use barriers while updating HFI Q headers",
                            "    - drm/msm/a8xx: Fix the ticks used in submit traces",
                            "    - drm/msm/a6xx: Switch to preemption safe AO counter",
                            "    - drm/msm/a6xx: Correct OOB usage",
                            "    - drm/msm/adreno: Implement gx_is_on() for A8x",
                            "    - drm/msm/a6xx: Fix gpu init from secure world",
                            "    - ALSA: hda/cmedia: Remove duplicate pin configuration parsing",
                            "    - pmdomain: ti: omap_prm: Fix a reference leak on device node",
                            "    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()",
                            "    - PM: domains: De-constify fields in struct dev_pm_domain_attach_data",
                            "    - drm/msm/dpu: drop INTF_0 on MSM8953",
                            "    - ASoC: fsl_micfil: Add access property for \"VAD Detected\"",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_range_set()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()",
                            "    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()",
                            "    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()",
                            "    - ASoC: fsl_easrc: Change the type for iec958 channel status controls",
                            "    - iommu/amd: Fix clone_alias() to use the original device's devid",
                            "    - iommu/riscv: Remove overflows on the invalidation path",
                            "    - ASoC: qcom: qdsp6: topology: check widget type before accessing data",
                            "    - PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value",
                            "    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off",
                            "    - crypto: qat - disable 420xx AE cluster when lead engine is fused off",
                            "    - crypto: qat - fix compression instance leak",
                            "    - crypto: qat - fix type mismatch in RAS sysfs show functions",
                            "    - crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()",
                            "    - crypto: qat - use swab32 macro",
                            "    - ALSA: hda: Notify IEC958 Default PCM switch state changes",
                            "    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]",
                            "    - PCI: Enable AtomicOps only if Root Port supports them",
                            "    - PCI: imx6: Keep Root Port MSI capability with iMSI-RX to work around",
                            "      hardware bug",
                            "    - PCI: aspeed: Fix IRQ domain leak on platform_get_irq() failure",
                            "    - dt-bindings: PCI: imx6q-pcie: Fix maxItems of clocks and clock-names",
                            "    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found",
                            "    - gpu: nova-core: bitfield: fix broken Default implementation",
                            "    - selftests/mm: skip migration tests if NUMA is unavailable",
                            "    - Documentation: fix a hugetlbfs reservation statement",
                            "    - Docs/admin-guide/mm/damn/lru_sort: fix intervals autotune parameter name",
                            "    - Docs/mm/damon/index: fix typo: autoamted -> automated",
                            "    - zram: do not permit params change after init",
                            "    - selftest: memcg: skip memcg_sock test if address family not supported",
                            "    - gpu: nova-core: remove redundant `.as_ref()` for `dev_*` print",
                            "    - gpu: nova-core: fix missing colon in SEC2 boot debug message",
                            "    - ALSA: scarlett2: Add missing sentinel initializer field",
                            "    - ASoC: qcom: audioreach: explicitly enable speaker protection modules",
                            "    - ASoC: SOF: compress: return the configured codec from get_params",
                            "    - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports",
                            "    - tools/sched_ext: Fix off-by-one in scx_sdt payload zeroing",
                            "    - ASoC: soc-component: re-add pcm_new()/pcm_free()",
                            "    - ASoC: amd: name back to pcm_new()/pcm_free()",
                            "    - ASoC: amd: ps: fix the pcm device numbering for acp pdm dmic",
                            "    - ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream",
                            "    - PCI: tegra194: Fix polling delay for L2 state",
                            "    - PCI: tegra194: Increase LTSSM poll time on surprise link down",
                            "    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link",
                            "      down",
                            "    - PCI: tegra194: Don't force the device into the D0 state before L2",
                            "    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode",
                            "    - PCI: tegra194: Use devm_gpiod_get_optional() to parse \"nvidia,refclk-",
                            "      select\"",
                            "    - PCI: tegra194: Disable direct speed change for Endpoint mode",
                            "    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint",
                            "      mode",
                            "    - PCI: tegra194: Allow system suspend when the Endpoint link is not up",
                            "    - PCI: tegra194: Free up Endpoint resources during remove()",
                            "    - PCI: tegra194: Use DWC IP core version",
                            "    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well",
                            "    - PCI: tegra194: Disable L1.2 capability of Tegra234 EP",
                            "    - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on",
                            "    - drm/fb-helper: Fix a locking bug in an error path",
                            "    - PCI: cadence: Add flags for disabling ASPM capability for broken Root",
                            "      Ports",
                            "    - PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root Ports",
                            "    - ASoC: SDCA: Fix cleanup inversion in class driver",
                            "    - spi: rzv2h-rspi: Fix invalid SPR=0/BRDV=0 clock configuration",
                            "    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()",
                            "      callback",
                            "    - ALSA: sc6000: Keep the programmed board state in card-private data",
                            "    - dm cache: fix missing return in invalidate_committed's error path",
                            "    - sched_ext: Track @p's rq lock across set_cpus_allowed_scx ->",
                            "      ops.set_cpumask",
                            "    - sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking",
                            "    - spi: cadence-qspi: Revert the filtering of certain opcodes in ODTR",
                            "    - crypto: jitterentropy - replace long-held spinlock with mutex",
                            "    - ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP",
                            "    - ALSA: hda/realtek - fixed speaker no sound update",
                            "    - gfs2: Call unlock_new_inode before d_instantiate",
                            "    - fanotify: avoid/silence premature LSM capability checks",
                            "    - fanotify: call fanotify_events_supported() before path_permission() and",
                            "      security_path_notify()",
                            "    - fuse: fix uninit-value in fuse_dentry_revalidate()",
                            "    - ktest: Avoid undef warning when WARNINGS_FILE is unset",
                            "    - ktest: Honor empty per-test option overrides",
                            "    - ktest: Run POST_KTEST hooks on failure and cancellation",
                            "    - vfio: selftests: fix crash in vfio_dma_mapping_mmio_test",
                            "    - rtla/utils: Fix resource leak in set_comm_sched_attr()",
                            "    - tools/rtla: Generate optstring from long options",
                            "    - rtla: Fix segfault on multiple SIGINTs",
                            "    - vfio: selftests: Build tests on aarch64",
                            "    - gfs2: less aggressive low-memory log flushing",
                            "    - quota: Fix race of dquot_scan_active() with quota deactivation",
                            "    - vfio: unhide vdev->debug_root",
                            "    - gfs2: add some missing log locking",
                            "    - gfs2: prevent NULL pointer dereference during unmount",
                            "    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation",
                            "    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
                            "    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon",
                            "    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible",
                            "    - memory: tegra124-emc: Fix dll_change check",
                            "    - memory: tegra30-emc: Fix dll_change check",
                            "    - arm64: dts: imx8-apalis: Fix LEDs name collision",
                            "    - arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD",
                            "    - riscv: dts: spacemit: pcie: fix missing power regulator",
                            "    - arm64: dts: mediatek: mt7988a-bpi-r4pro: fix model string",
                            "    - arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config",
                            "    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO",
                            "      (M.2 W_DISABLE1)",
                            "    - iommufd: vfio compatibility extension check for noiommu mode",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges",
                            "    - arm64: dts: qcom: qcs6490-rubikpi3: Use lt9611 DSI Port B",
                            "    - arm64: dts: qcom: talos: Add missing clock-names to GCC",
                            "    - arm64: dts: ti: k3-am62l: include WKUP_UART0 in wakeup peripheral window",
                            "    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count",
                            "    - iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}",
                            "    - arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices",
                            "    - arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC",
                            "      eval carrier",
                            "    - arm64: dts: imx8mp-hummingboard-pulse/cubox-m: fix vmmc gpio polarity",
                            "    - arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference",
                            "    - ARM: dts: BCM5301X: Drop extra NAND controller compatible",
                            "    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8937-xiaomi-land: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight",
                            "    - firmware: qcom_scm: don't opencode kmemdup",
                            "    - soc: qcom: ubwc: disable bank swizzling for Glymur platform",
                            "    - arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi",
                            "    - Revert \"arm64: dts: rockchip: add SPDIF audio to Beelink A1\"",
                            "    - arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace",
                            "    - arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace",
                            "    - soc: qcom: ocmem: make the core clock optional",
                            "    - soc: qcom: ocmem: register reasons for probe deferrals",
                            "    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available",
                            "    - riscv: dts: spacemit: drop incorrect pinctrl for combo PHY",
                            "    - arm64: dts: rockchip: Fix RK3562 EVB2 model name",
                            "    - arm64: dts: rockchip: Add mphy reset to ufshc node",
                            "    - bus: rifsc: fix RIF configuration check for peripherals",
                            "    - arm64: dts: qcom: arduino-imola: fix faulty spidev node",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: add missing denali-oled.dtb to",
                            "      Makefile\"",
                            "    - arm64: dts: qcom: add missing denali-oled.dtb to Makefile",
                            "    - arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: lemans: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: monaco: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8750: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: kaanapali: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: milos: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8750: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller",
                            "    - arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl",
                            "    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered",
                            "      during boot",
                            "    - arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader",
                            "    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62l3-evm: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins",
                            "    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label",
                            "    - arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS",
                            "      muxing",
                            "    - arm64: dts: imx91: Remove TMU's superfluous sensor ID",
                            "    - arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC",
                            "    - arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3",
                            "    - arm64: dts: imx8mp-evk: Specify ADV7535 register addresses",
                            "    - arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit",
                            "    - arm64: dts: lx2160a: remove duplicate pinmux nodes",
                            "    - arm64: dts: lx2160a: rename pinmux nodes for readability",
                            "    - arm64: dts: lx2160a: add sda gpio references for i2c bus recovery",
                            "    - arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes",
                            "    - arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word",
                            "    - arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual",
                            "    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual",
                            "    - soc/tegra: cbb: Set ERD on resume for err interrupt",
                            "    - soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables",
                            "    - soc/tegra: cbb: Fix cross-fabric target timeout lookup",
                            "    - arm64: tegra: Fix RTC aliases",
                            "    - soc/tegra: pmc: Add kerneldoc for reboot notifier",
                            "    - soc/tegra: pmc: Correct function names in kerneldoc",
                            "    - soc/tegra: pmc: Add kerneldoc for wake-up variables",
                            "    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()",
                            "      failure",
                            "    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()",
                            "    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison",
                            "    - soc: qcom: llcc: fix v1 SB syndrome register offset",
                            "    - soc: qcom: aoss: compare against normalized cooling state",
                            "    - arm64: dts: qcom: milos: Add missing CX power domain to GCC",
                            "    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP",
                            "    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX",
                            "    - arm64/xor: fix conflicting attributes for xor_block_template",
                            "    - lib: kunit_iov_iter: fix memory leaks",
                            "    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended",
                            "    - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP",
                            "    - fwctl: Fix class init ordering to avoid NULL pointer dereference on",
                            "      device removal",
                            "    - ocfs2: fix listxattr handling when the buffer is full",
                            "    - ocfs2: validate bg_bits during freefrag scan",
                            "    - ocfs2: validate group add input before caching",
                            "    - dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis",
                            "    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void",
                            "      function",
                            "    - phy: apple: apple: Use local variable for ioremap return value",
                            "    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()",
                            "    - soundwire: Intel: test bus.bpt_stream before assigning it",
                            "    - dmaengine: mxs-dma: Fix missing return value from",
                            "      of_dma_controller_register()",
                            "    - soundwire: cadence: Clear message complete before signaling waiting",
                            "      thread",
                            "    - tracing: move __printf() attribute on __ftrace_vbprintk()",
                            "    - tracing: Rebuild full_name on each hist_field_name() call",
                            "    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC",
                            "    - [Config] Enable CONFIG_HTE_TEGRA194 on armhf",
                            "    - remoteproc: xlnx: Fix sram property parsing",
                            "    - stop_machine: Fix the documentation for a NULL cpus argument",
                            "    - remoteproc: imx_rproc: Check return value of regmap_attach_dev() in",
                            "      imx_rproc_mmio_detect_mode()",
                            "    - ima: check return value of crypto_shash_final() in boot aggregate",
                            "    - HID: asus: make asus_resume adhere to linux kernel coding standards",
                            "    - HID: asus: do not abort probe when not necessary",
                            "    - workqueue: devres: Add device-managed allocate workqueue",
                            "    - power: supply: max77705: Drop duplicated IRQ error message",
                            "    - power: supply: max77705: Free allocated workqueue and fix removal order",
                            "    - mtd: physmap_of_gemini: Fix disabled pinctrl state check",
                            "    - ima_fs: Correctly create securityfs files for unsupported hash algos",
                            "    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range",
                            "    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read",
                            "      operations",
                            "    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation",
                            "    - mtd: spi-nor: micron-st: add SNOR_CMD_PP_8_8_8_DTR sfdp fixup for",
                            "      mt35xu512aba",
                            "    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask",
                            "    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path",
                            "    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions",
                            "    - cxl/pci: Check memdev driver binding status in cxl_reset_done()",
                            "    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob",
                            "    - mtd: spinand: winbond: Clarify when to enable the HS bit",
                            "    - HID: usbhid: fix deadlock in hid_post_reset()",
                            "    - ext4: fix miss unlock 'sb->s_umount' in extents_kunit_init()",
                            "    - ext4: call deactivate_super() in extents_kunit_exit()",
                            "    - ext4: fix the error handling process in extents_kunit_init).",
                            "    - ext4: fix possible null-ptr-deref in extents_kunit_exit()",
                            "    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()",
                            "    - bpf, arm64: Reject out-of-range B.cond targets",
                            "    - bpf, arm64: Fix off-by-one in check_imm signed range check",
                            "    - bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, sockmap: Fix af_unix iter deadlock",
                            "    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update",
                            "    - bpf, sockmap: Take state lock for af_unix iter",
                            "    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check",
                            "    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs",
                            "    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()",
                            "    - libbpf: Prevent double close and leak of btf objects",
                            "    - bpf: Validate node_id in arena_alloc_pages()",
                            "    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - dt-bindings: pinctrl: marvell,armada3710-xb-pinctrl: add missing items",
                            "      keyword",
                            "    - pinctrl: pinctrl-pic32: Fix resource leak",
                            "    - perf trace: Avoid an ERR_PTR in syscall_stats",
                            "    - pinctrl: microchip-mssio: Fix missing return in probe",
                            "    - perf test type profiling: Remote typedef on struct",
                            "    - pinctrl: cy8c95x0: remove duplicate error message",
                            "    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()",
                            "    - pinctrl: cy8c95x0: Avoid returning positive values to user space",
                            "    - perf branch: Avoid incrementing NULL",
                            "    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE",
                            "      trace",
                            "    - pinctrl: pinconf-generic: Fully validate 'pinmux' property",
                            "    - pinctrl: realtek: Fix function signature for config argument",
                            "    - pinctrl: abx500: Fix type of 'argument' variable",
                            "    - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT}",
                            "      registers",
                            "    - tools build: Correct link flags for libopenssl",
                            "    - perf lock: Fix option value type in parse_max_stack",
                            "    - perf stat: Fix opt->value type for parse_cache_level",
                            "    - memblock: reserve_mem: fix end caclulation in",
                            "      reserve_mem_release_by_name()",
                            "    - perf stat: Fix crash on arm64",
                            "    - perf tools: Fix module symbol resolution for non-zero .text sh_addr",
                            "    - perf test: Fix ratio_to_prev event parsing test",
                            "    - perf test: Skip perf data type profiling tests for s390",
                            "    - perf expr: Return -EINVAL for syntax error in expr__find_ids()",
                            "    - perf metrics: Make common stalled metrics conditional on having the",
                            "      event",
                            "    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure",
                            "    - ipmi: ssif_bmc: fix message desynchronization after truncated response",
                            "    - ipmi: ssif_bmc: change log level to dbg in irq callback",
                            "    - perf cgroup: Update metric leader in evlist__expand_cgroup",
                            "    - pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description",
                            "    - pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description",
                            "    - perf maps: Fix fixup_overlap_and_insert that can break sorted by name",
                            "      order",
                            "    - perf maps: Fix copy_from that can break sorted by name order",
                            "    - perf util: Kill die() prototype, dead for a long time",
                            "    - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback",
                            "    - i3c: master: dw-i3c: Balance PM runtime usage count on probe failure",
                            "    - i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()",
                            "    - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()",
                            "    - i3c: master: adi: Fix error propagation for CCCs",
                            "    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status",
                            "    - fs/ntfs3: prevent uninitialized lcn caused by zero len",
                            "    - backlight: sky81452-backlight: Check return value of",
                            "      devm_gpiod_get_optional() in sky81452_bl_parse_dt()",
                            "    - platform/surface: surfacepro3_button: Drop wakeup source on remove",
                            "    - leds: lgm-sso: Remove duplicate assignments for priv->mmap",
                            "    - usb: typec: Fix error pointer dereference",
                            "    - tty: hvc_iucv: fix off-by-one in number of supported devices",
                            "    - usb: typec: ps883x: Fix Oops at unbind",
                            "    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and",
                            "      cleanup",
                            "    - platform/x86: barco-p50-gpio: normalize return value of gpio_get",
                            "    - fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()",
                            "    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()",
                            "    - nfs/blocklayout: Fix compilation error (`make W=1`) in",
                            "      bl_write_pagelist()",
                            "    - sunrpc: Kill RPC_IFDEBUG()",
                            "    - sunrpc: Fix compilation error (`make W=1`) when dprintk() is no-op",
                            "    - NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg",
                            "    - nfsd: use dynamic allocation for oversized NFSv4.0 replay cache",
                            "    - RDMA/umem: Use consistent DMA attributes when unmapping entries",
                            "    - greybus: raw: fix use-after-free on cdev close",
                            "    - greybus: raw: fix use-after-free if write is called after disconnect",
                            "    - platform/x86: asus-wmi: adjust screenpad power/brightness handling",
                            "    - platform/x86: asus-wmi: fix screenpad brightness range",
                            "    - tty: serial: ip22zilog: Fix section mispatch warning",
                            "    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion",
                            "    - platform/x86: hp-wmi: fix ignored return values in fan settings",
                            "    - platform/x86: hp-wmi: avoid cancel_delayed_work_sync from work handler",
                            "    - platform/x86: hp-wmi: use mod_delayed_work to reset keep-alive timer",
                            "    - platform/x86: hp-wmi: fix u8 underflow in gpu_delta calculation",
                            "    - platform/x86: hp-wmi: add locking for concurrent hwmon access",
                            "    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()",
                            "    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation",
                            "    - RDMA/core: Prefer NLA_NUL_STRING",
                            "    - platform/x86: hp-wmi: fix fan table parsing",
                            "    - dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur",
                            "    - clk: qcom: gcc-glymur: Add video axi clock resets for glymur",
                            "    - clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: renesas: r9a09g057: Fix ordering of module clocks array",
                            "    - clk: renesas: r9a09g056: Fix ordering of module clocks array",
                            "    - clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock",
                            "    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()",
                            "    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX",
                            "    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from",
                            "      byte_div_clk_src dividers",
                            "    - clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-kaanapali: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-milos: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting",
                            "    - clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}",
                            "    - scsi: target: core: Fix integer overflow in UNMAP bounds check",
                            "    - scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item",
                            "    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Use retention for USB power domains",
                            "    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains",
                            "    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk",
                            "    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks",
                            "    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()",
                            "    - clk: imx: imx6q: Fix device node reference leak in",
                            "      of_assigned_ldb_sels()",
                            "    - clk: imx8mq: Correct the CSI PHY sels",
                            "    - um: Fix potential race condition in TLB sync",
                            "    - x86/um: fix vDSO installation",
                            "    - clk: qoriq: avoid format string warning",
                            "    - clk: xgene: Fix mapping leak in xgene_pllclk_init()",
                            "    - clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()",
                            "    - f2fs: avoid reading already updated pages during GC",
                            "    - printk_ringbuffer: Fix get_data() size sanity check",
                            "    - clk: qcom: gdsc: Fix error path on registration of multiple pm",
                            "      subdomains",
                            "    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()",
                            "    - f2fs: fix data loss caused by incorrect use of nat_entry flag",
                            "    - f2fs: fix to preserve previous reserve_{blocks,node} value when remount",
                            "    - scsi: hpsa: Enlarge controller and IRQ name buffers",
                            "    - drm/amd/display: Fix parameter mismatch in panel self-refresh helper",
                            "    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON",
                            "    - clk: visconti: pll: initialize clk_init_data to zero",
                            "    - f2fs: allow empty mount string for Opt_usr|grp|projjquota",
                            "    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()",
                            "    - drm/i915/wm: Verify the correct plane DDB entry",
                            "    - virt: arm-cca-guest: fix error check for RSI_INCOMPLETE",
                            "    - crypto: eip93 - fix hmac setkey algo selection",
                            "    - crypto: sa2ul - Fix AEAD fallback algorithm names",
                            "    - crypto: ccp - copy IV using skcipher ivsize",
                            "    - sh: Include <linux/io.h> in dac.h",
                            "    - erofs: unify lcn as u64 for 32-bit platforms",
                            "    - tools: hv: Fix cross-compilation",
                            "    - Drivers: hv: vmbus: fix hyperv_cpuhp_online variable shadowing",
                            "    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - PCMCIA: Fix garbled log messages for KERN_CONT",
                            "    - reset: amlogic: t7: Fix null reset ops",
                            "    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's",
                            "      phy-names",
                            "    - pwm: stm32: Fix rounding issue for requests with inverted polarity",
                            "    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in",
                            "      tcf_blockcast_redir",
                            "    - macvlan: fix macvlan_get_size() not reserving space for",
                            "      IFLA_MACVLAN_BC_CUTOFF",
                            "    - net/sched: sch_cake: fix NAT destination port not being updated in",
                            "      cake_update_flowkeys",
                            "    - nexthop: fix IPv6 route referencing IPv4 nexthop",
                            "    - net: airoha: Wait for NPU PPE configuration to complete in",
                            "      airoha_ppe_offload_setup()",
                            "    - net/sched: taprio: fix use-after-free in advance_sched() on schedule",
                            "      switch",
                            "    - net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops",
                            "    - net: enetc: correct the command BD ring consumer index",
                            "    - net: enetc: fix NTMP DMA use-after-free issue",
                            "    - ksmbd: fix use-after-free in smb2_open during durable reconnect",
                            "    - tcp: move tp->chrono_type next tp->chrono_stat[]",
                            "    - tcp: inline tcp_chrono_start()",
                            "    - tcp: annotate data-races in tcp_get_info_chrono_stats()",
                            "    - tcp: add data-race annotations around tp->data_segs_out and",
                            "      tp->total_retrans",
                            "    - tcp: add data-races annotations around tp->reordering, tp->snd_cwnd",
                            "    - tcp: annotate data-races around tp->snd_ssthresh",
                            "    - tcp: annotate data-races around tp->delivered and tp->delivered_ce",
                            "    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE",
                            "    - tcp: annotate data-races around tp->bytes_sent",
                            "    - tcp: annotate data-races around tp->bytes_retrans",
                            "    - tcp: annotate data-races around tp->dsack_dups",
                            "    - tcp: annotate data-races around tp->reord_seen",
                            "    - tcp: annotate data-races around tp->srtt_us",
                            "    - tcp: annotate data-races around tp->timeout_rehash",
                            "    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)",
                            "    - tcp: annotate data-races around tp->plb_rehash",
                            "    - ice: fix 'adjust' timer programming for E830 devices",
                            "    - ice: update PCS latency settings for E825 10G/25Gb modes",
                            "    - ice: fix double-free of tx_buf skb",
                            "    - ice: fix PHY config on media change with link-down-on-close",
                            "    - ice: fix ICE_AQ_LINK_SPEED_M for 200G",
                            "    - ice: fix race condition in TX timestamp ring cleanup",
                            "    - ice: fix potential NULL pointer deref in error path of",
                            "      ice_set_ringparam()",
                            "    - i40e: don't advertise IFF_SUPP_NOFCS",
                            "    - iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2",
                            "    - e1000e: Unroll PTP in probe error handling",
                            "    - ipv6: fix possible UAF in icmpv6_rcv()",
                            "    - af_unix: Drop all SCM attributes for SOCKMAP.",
                            "    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks",
                            "    - pppoe: drop PFC frames",
                            "    - net/mlx5: Fix HCA caps leak on notifier init failure",
                            "    - net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()",
                            "    - netfilter: nft_osf: restrict it to ipv4",
                            "    - netfilter: conntrack: remove sprintf usage",
                            "    - netfilter: xtables: restrict several matches to inet family",
                            "    - netfilter: nat: use kfree_rcu to release ops",
                            "    - ipvs: fix MTU check for GSO packets in tunnel mode",
                            "    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching",
                            "    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check",
                            "    - net/sched: sch_dualpi2: drain both C-queue and L-queue in",
                            "      dualpi2_change()",
                            "    - arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0",
                            "    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number",
                            "    - vfio/pci: Clean up DMABUFs before disabling function",
                            "    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic",
                            "    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()",
                            "    - ksmbd: destroy async_ida in ksmbd_conn_free()",
                            "    - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open",
                            "    - ksmbd: scope conn->binding slowpath to bound sessions only",
                            "    - net: validate skb->napi_id in RX tracepoints",
                            "    - bnge: fix initial HWRM sequence",
                            "    - bnge: remove unsupported backing store type",
                            "    - sctp: fix sockets_allocated imbalance after sk_clone()",
                            "    - net/rds: zero per-item info buffer before handing it to visitors",
                            "    - ice: fix timestamp interrupt configuration for E825C",
                            "    - ice: perform PHY soft reset for E825C ports at initialization",
                            "    - ice: fix ready bitmap check for non-E822 devices",
                            "    - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g",
                            "    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()",
                            "    - net/sched: sch_pie: annotate data-races in pie_dump_stats()",
                            "    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()",
                            "    - net/sched: sch_red: annotate data-races in red_dump_stats()",
                            "    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()",
                            "    - net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()",
                            "    - net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()",
                            "    - net: dsa: realtek: rtl8365mb: fix mode mask calculation",
                            "    - net: airoha: Move ndesc initialization at end of",
                            "      airoha_qdma_init_rx_queue()",
                            "    - net: airoha: Rework the code flow in airoha_remove() and in",
                            "      airoha_probe() error path",
                            "    - net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()",
                            "    - net: mana: Init link_change_work before potential error paths in probe",
                            "    - net: mana: Init gf_stats_work before potential error paths in probe",
                            "    - net: mana: Guard mana_remove against double invocation",
                            "    - net: mana: Don't overwrite port probe error with add_adev result",
                            "    - net: mana: Fix EQ leak in mana_remove on NULL port",
                            "    - vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting",
                            "    - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via",
                            "      VQ_PAIRS_SET",
                            "    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls",
                            "    - tcp: send a challenge ACK on SEG.ACK > SND.NXT",
                            "    - tipc: fix double-free in tipc_buf_append()",
                            "    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()",
                            "    - nstree: fix func. parameter kernel-doc warnings",
                            "    - eventpoll: use hlist_is_singular_node() in __ep_remove()",
                            "    - eventpoll: split __ep_remove()",
                            "    - eventpoll: kill __ep_remove()",
                            "    - eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()",
                            "    - eventpoll: move epi_fget() up",
                            "    - fs/adfs: validate nzones in adfs_validate_bblk()",
                            "    - rtc: abx80x: Disable alarm feature if no interrupt attached",
                            "    - kbuild: builddeb - avoid recompiles for non-cross-compiles",
                            "    - tools/power turbostat: Fix AMD RAPL regression on big systems",
                            "    - fbdev: offb: fix PCI device reference leak on probe failure",
                            "    - tools/power turbostat: Fix unrecognized option '-P'",
                            "    - tools/power turbostat: Fix --cpu-set 0 regression on HT systems",
                            "    - tools/power turbostat: Fix --cpu-set 1 regression on HT systems",
                            "    - kbuild: Never respect CONFIG_WERROR / W=e to fixdep",
                            "    - mailbox: mtk-vcp-mailbox: Fix the return value in mtk_vcp_mbox_xlate()",
                            "    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case",
                            "    - mailbox: mailbox-test: free channels on probe error",
                            "    - sched/psi: fix race between file release and pressure write",
                            "    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()",
                            "    - cgroup/cpuset: record DL BW alloc CPU for attach rollback",
                            "    - mailbox: add sanity check for channel array",
                            "    - mailbox: mailbox-test: handle channel errors consistently",
                            "    - mailbox: mailbox-test: don't free the reused channel",
                            "    - mailbox: mailbox-test: initialize struct earlier",
                            "    - mailbox: mailbox-test: make data_ready a per-instance variable",
                            "    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()",
                            "    - btrfs: fix bytes_may_use leak in move_existing_remap()",
                            "    - btrfs: fix bytes_may_use leak in do_remap_reloc_trans()",
                            "    - btrfs: don't clobber errors in add_remap_tree_entries()",
                            "    - btrfs: fix double-decrement of bytes_may_use in",
                            "      submit_one_async_extent()",
                            "    - tracing: branch: Fix inverted check on stat tracer registration",
                            "    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
                            "    - netfilter: nf_tables: use list_del_rcu for netlink hooks",
                            "    - rculist: add list_splice_rcu() for private lists",
                            "    - netfilter: nf_tables: join hook list via splice_list_rcu() in commit",
                            "      phase",
                            "    - netfilter: nf_tables: add hook transactions for device deletions",
                            "    - nvme-pci: fix missed admin queue sq doorbell write",
                            "    - drm/amdgpu: avoid double drm_exec_fini() in userq validate",
                            "    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM",
                            "    - drm/amd/pm: fix missing fine-grained dpm table flag on aldebaran",
                            "    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG",
                            "    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated",
                            "    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)",
                            "    - drm/amdgpu: Only send RMA CPER when threshold is exceeded",
                            "    - netfilter: xt_policy: fix strict mode inbound policy matching",
                            "    - netfilter: nf_conntrack_sip: don't use simple_strtoul",
                            "    - spi: rzv2h-rspi: Fix silent failure in clock setup error path",
                            "    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED",
                            "    - ASoC: SOF: Intel: add an empty adr_link",
                            "    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ",
                            "    - ASoC: tas2764: Mark die temp register as volatile",
                            "    - ASoC: tas2770: Fix order of operations for temperature calculation",
                            "    - drm/sysfb: ofdrm: fix PCI device reference leaks",
                            "    - drm/color-mgmt: Typo s/R332/RGB332/",
                            "    - arm64/scs: Fix potential sign extension issue of advance_loc4",
                            "    - spi: spi-mem: Add a packed command operation",
                            "    - mtd: spinand: Add support for packed read data ODTR commands",
                            "    - mtd: spinand: winbond: Set the packed page read flag to W35N02/04JW",
                            "    - mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW",
                            "    - ACPICA: Provide #defines for EINJV2 error types",
                            "    - ACPI: APEI: EINJ: Fix EINJV2 memory error injection",
                            "    - cdrom, scsi: sr: propagate read-only status to block layer via",
                            "      set_disk_ro()",
                            "    - spi: axiado: replace usleep_range() with udelay() in IRQ path",
                            "    - netdevsim: zero initialize struct iphdr in dummy sk_buff",
                            "    - net/sched: netem: fix probability gaps in 4-state loss model",
                            "    - net/sched: netem: fix queue limit check to include reordered packets",
                            "    - net/sched: netem: only reseed PRNG when seed is explicitly provided",
                            "    - net/sched: netem: validate slot configuration",
                            "    - net/sched: netem: fix slot delay calculation overflow",
                            "    - net/sched: netem: check for negative latency and jitter",
                            "    - net: airoha: fix BQL imbalance in TX path",
                            "    - net: airoha: stop net_device TX queue before updating CPU index",
                            "    - net: airoha: fix typo in function name",
                            "    - net: airoha: Do not wake all netdev TX queues in",
                            "      airoha_qdma_wake_netdev_txqs()",
                            "    - net: airoha: Do not read uninitialized fragment address in",
                            "      airoha_dev_xmit()",
                            "    - net/sched: sch_choke: annotate data-races in choke_dump_stats()",
                            "    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()",
                            "    - vrf: Fix a potential NPD when removing a port from a VRF",
                            "    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()",
                            "    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit",
                            "    - spi: amlogic-spisg: initialize completion before requesting IRQ",
                            "    - NFC: trf7970a: Ignore antenna noise when checking for RF field",
                            "    - net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind",
                            "    - neigh: let neigh_xmit take skb ownership",
                            "    - tcp: make probe0 timer handle expired user timeout",
                            "    - netpoll: fix IPv6 local-address corruption",
                            "    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams",
                            "    - sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue",
                            "    - sched/fair: Clear rel_deadline when initializing forked entities",
                            "    - net: mctp i2c: check length before marking flow active",
                            "    - md/raid1,raid10: don't fail devices for invalid IO errors",
                            "    - md: add fallback to correct bitmap_ops on version mismatch",
                            "    - md: factor bitmap creation away from sysfs handling",
                            "    - md/md-bitmap: split bitmap sysfs groups",
                            "    - md/md-bitmap: add a none backend for bitmap grow",
                            "    - s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()",
                            "    - net: phy: dp83869: fix setting CLK_O_SEL field.",
                            "    - drm/amd/display: properly handle family setting for early GC 11.5.4",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.3.0 ring",
                            "    - drm/amd/pm: Add fine grained flag to SMU v13.0.6",
                            "    - io_uring/napi: cap busy_poll_to 10 msec",
                            "    - ASoC: cs35l56: Fix illegal writes to OTP_MEM registers",
                            "    - net: psp: check for device unregister when creating assoc",
                            "    - net: psp: require admin permission for dev-set and key-rotate",
                            "    - ASoC: codecs: ab8500: Fix casting of private data",
                            "    - netfilter: skip recording stale or retransmitted INIT",
                            "    - sctp: discard stale INIT after handshake completion",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (I)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (II)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (IV)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)",
                            "    - netconsole: return count instead of strnlen(buf, count) from store",
                            "      callbacks",
                            "    - netconsole: avoid clobbering userdatum value on truncated write",
                            "    - netconsole: propagate device name truncation in dev_name_store()",
                            "    - netconsole: restore userdatum value on update_userdata() failure",
                            "    - ALSA: hda/conexant: Fix missing error check for jack detection",
                            "    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()",
                            "    - ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0",
                            "      pages >1",
                            "    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup",
                            "    - drm/amd/display: Allow embedded connectors without DDC",
                            "    - drm/amd/display: Allow DCE link encoder without AUX registers",
                            "    - drm/amd/display: Allow constructing DCE6 link encoder without DDC",
                            "    - drm/amd/display: Allow constructing DCE8 link encoder without DDC",
                            "    - drm/amd/display: Read EDID from VBIOS embedded panel info",
                            "    - drm/amd/display: Use EDID from VBIOS embedded panel info",
                            "    - drm/xe: Use XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET enum instead of magic",
                            "      number",
                            "    - drm/xe: Drop registration of guc_submit_wedged_fini from",
                            "      xe_guc_submit_wedge()",
                            "    - drm/xe/debugfs: Correct printing of register whitelist ranges",
                            "    - drm/xe: Fix potential NULL deref in",
                            "      xe_exec_queue_tlb_inval_last_fence_put_unlocked",
                            "    - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()",
                            "    - drm/xe/eustall: Fix drm_dev_put called before stream disable in close",
                            "    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()",
                            "    - drm/xe/xelp: Fix Wa_18022495364",
                            "    - net: airoha: Do not return err in ndo_stop() callback",
                            "    - bonding: print churn state via netlink",
                            "    - bonding: 3ad: implement proper RCU rules for port->aggregator",
                            "    - page_pool: fix memory-provider leak in page_pool_create_percpu() error",
                            "      path",
                            "    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING",
                            "    - iavf: stop removing VLAN filters from PF on interface down",
                            "    - iavf: wait for PF confirmation before removing VLAN filters",
                            "    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler",
                            "    - ice: fix NULL pointer dereference in ice_reset_all_vfs()",
                            "    - ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw",
                            "    - ice: fix missing SMA pin initialization in DPLL subsystem",
                            "    - ice: fix SMA and U.FL pin state changes affecting paired pin",
                            "    - ice: fix missing dpll notifications for SW pins",
                            "    - dpll: export __dpll_pin_change_ntf() for use under dpll_lock",
                            "    - ice: add dpll peer notification for paired SMA and U.FL pins",
                            "    - net: tls: fix strparser anchor skb leak on offload RX setup failure",
                            "    - sfc: fix error code in efx_devlink_info_running_versions()",
                            "    - net/sched: cls_flower: revert unintended changes",
                            "    - kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition",
                            "    - arm64: Reserve an extra page for early kernel mapping",
                            "    - futex: Drop CLONE_THREAD requirement for private default hash alloc",
                            "    - PCI: Initialize temporary device in new_id_store()",
                            "    - workqueue: fix devm_alloc_workqueue() va_list misuse",
                            "    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()",
                            "    - sched/fair: Fix wakeup_preempt_fair() for not waking up task",
                            "    - crypto: af_alg - Cap AEAD AD length to 0x80000000",
                            "    - i40e: Cleanup PTP pins on probe failure",
                            "    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path",
                            "    - net: ena: PHC: Fix potential use-after-free in get_timestamp",
                            "    - cgroup/cpuset: Reset DL migration state on can_attach() failure",
                            "    - netfilter: nf_conntrack_sip: get helper before allocating expectation",
                            "    - audit: fix incorrect inheritable capability in CAPSET records",
                            "    - net: ena: PHC: Check return code before setting timestamp output",
                            "    - cgroup/dmem: Return -ENOMEM on failed pool preallocation",
                            "    - idpf: fix double free and use-after-free in aux device error paths",
                            "    - cgroup/cpuset: Reserve DL bandwidth only for root-domain moves",
                            "    - Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to",
                            "      warn\"",
                            "    - netfilter: nft_ct: fix missing expect put in obj eval",
                            "    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled",
                            "    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV",
                            "    - cgroup/cpuset: Return only actually allocated CPUs during partition",
                            "      invalidation",
                            "    - KVM: x86: Swap the dst and src operand for MOVNTDQA",
                            "    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()",
                            "    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer",
                            "      arithmetic",
                            "    - KVM: x86: Fix Xen hypercall tracepoint argument assignment",
                            "    - HID: pass the buffer size to hid_report_raw_event",
                            "    - HID: core: introduce hid_safe_input_report()",
                            "    - rseq: Revert to historical performance killing behaviour",
                            "    - rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode",
                            "    - rseq: Reenable performance optimizations conditionally",
                            "    - HID: core: Fix size_t specifier in hid_report_raw_event()",
                            "    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands",
                            "    - media: staging: imx: configure src_mux in csi_start",
                            "    - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events",
                            "    - nvme-apple: Reset q->sq_tail during queue init",
                            "    - smb/client: fix possible infinite loop and oob read in symlink_data()",
                            "    - drm/loongson: Use managed KMS polling",
                            "    - drm: Replace old pointer to new idr",
                            "    - drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup",
                            "    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats",
                            "    - drm/amd/display: Wrap DCN32 phantom-plane allocation in",
                            "      DC_RUN_WITH_PREEMPTION_ENABLED",
                            "    - drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure",
                            "    - platform/x86: intel: Move debugfs register before creating devices",
                            "    - platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers",
                            "    - platform/x86: lenovo-wmi-helpers: Fix memory leak in",
                            "      lwmi_dev_evaluate_int()",
                            "    - platform/x86: lenovo-wmi-other: Balance IDA id allocation and free",
                            "    - platform/x86: lenovo-wmi-other: Balance component bind and unbind",
                            "    - platform/x86: lenovo-wmi-other: Zero initialize WMI arguments",
                            "    - platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members",
                            "    - platform/x86: lenovo-wmi-other: Add Attribute ID helper functions",
                            "    - platform/x86: lenovo-wmi-other: Limit adding attributes to supported",
                            "      devices",
                            "    - accel/rocket: Fix prep_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx",
                            "    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone",
                            "    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans",
                            "    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans",
                            "    - ALSA: usb-audio: qcom: Check offload mapping failures",
                            "    - btrfs: only release the dirty pages io tree after successful writes",
                            "    - ceph: fix a buffer leak in __ceph_setxattr()",
                            "    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size",
                            "    - ceph: put folios not suitable for writeback",
                            "    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
                            "    - iommu/amd: Bounds-check devid in __rlookup_amd_iommu()",
                            "    - x86/kexec: Push kjump return address even for non-kjump kexec",
                            "    - xfs: fix memory leak on error in xfs_alloc_zone_info()",
                            "    - virt: sev-guest: Do not use host-controlled page order in cleanup path",
                            "    - powerpc/warp: Fix error handling in pika_dtm_thread",
                            "    - netfs: fix error handling in netfs_extract_user_iter()",
                            "    - nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled",
                            "    - nfsd: fix file change detection in CB_GETATTR",
                            "    - nfsd: update mtime/ctime on CLONE in presense of delegated attributes",
                            "    - nfsd: update mtime/ctime on COPY in presence of delegated attributes",
                            "    - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining",
                            "    - irqchip/meson-gpio: Use the correct register in",
                            "      meson_s4_gpio_irq_set_type()",
                            "    - irqchip/gic-v5: Move LPI allocation into the LPI domain",
                            "    - irqchip/gic-v5: Support range allocation for LPIs",
                            "    - irqchip/gic-v5: Allocate ITS parent LPIs as a range",
                            "    - libceph: Fix potential out-of-bounds access in osdmap_decode()",
                            "    - libceph: Fix potential null-ptr-deref in decode_choose_args()",
                            "    - libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()",
                            "    - libceph: Fix potential out-of-bounds access in crush_decode()",
                            "    - libceph: handle rbtree insertion error in decode_choose_args()",
                            "    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX",
                            "    - iommu/vt-d: Fix oops due to out of scope access",
                            "    - iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
                            "    - iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()",
                            "    - iommu: Replace per-group resetting_domain with per-gdev blocked flag",
                            "    - iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset",
                            "    - iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix nested pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()",
                            "    - drm/i915: skip __i915_request_skip() for already signaled requests",
                            "    - drm/panfrost: Fix wait_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - drm/xe/dma-buf: handle empty bo and UAF races",
                            "    - drm/xe/dma-buf: fix UAF with retry loop",
                            "    - drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure",
                            "    - drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC",
                            "    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup",
                            "    - drm/gma500/oaktrail_lvds: fix hang on init failure",
                            "    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init",
                            "    - arm_mpam: Fix monitor instance selection when checking for hardware NRDY",
                            "    - arm_mpam: Pretend that NRDY is always hardware managed",
                            "    - arm_mpam: Improve check for whether or not NRDY is hardware managed",
                            "    - arm_mpam: Fix false positive assert failure during mpam_disable()",
                            "    - arm_mpam: Check whether the config array is allocated before destroying",
                            "      it",
                            "    - eventfs: Simplify code using guard()s",
                            "    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list",
                            "    - smb: client: Use FullSessionKey for AES-256 encryption key derivation",
                            "    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: sifive: fix controller deregistration",
                            "    - tracefs: Removed unused 'ret' variable in eventfs_iterate()",
                            "    - workqueue: Annotate alloc_workqueue_va() with __printf(1, 0)",
                            "    - selftests/bpf: Remove test_access_variable_array",
                            "    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()",
                            "    - Linux 7.0.10",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45846",
                            "    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45845",
                            "    - net/sched: taprio: fix NULL pointer dereference in class dump",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45844",
                            "    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-46242",
                            "    - eventpoll: fix ep_remove struct eventpoll / struct file UAF",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45843",
                            "    - slip: bound decode() reads against the compressed packet length",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45842",
                            "    - slip: reject VJ receive packets on instances with no rstate array",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45841",
                            "    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45840",
                            "    - openvswitch: cap upcall PID array size and pre-size vport replies",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45839",
                            "    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45838",
                            "    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006)",
                            "    - Linux 7.0.8",
                            "    - HID: pidff: Fix integer overflow in pidff_rescale",
                            "    - media: uvcvideo: Enable VB2_DMABUF for metadata stream",
                            "    - drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames",
                            "    - media: rzv2h-ivc: Avoid double job scheduling",
                            "    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0",
                            "    - media: rzv2h-ivc: Write AXIRX_PIXFMT once",
                            "    - media: rzv2h-ivc: Fix FM_STOP register write",
                            "    - media: rzv2h-ivc: Fix concurrent buffer list access",
                            "    - media: mali-c55: Initialize the ISP in enable_streams()",
                            "    - media: mali-c55: Fix Iridix bypass macros",
                            "    - media: renesas: vsp1: Fix NULL pointer deref on module unload",
                            "    - media: renesas: vin: Fix RAW8 (again)",
                            "    - media: i2c: ov8856: free control handler on error in",
                            "      ov8856_init_controls()",
                            "    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for",
                            "      RK35{76,88}",
                            "    - media: dt-bindings: rockchip,vdec: Mark reg-names required for",
                            "      RK35{76,88}",
                            "    - media: chips-media: wave5: fix a potential memory leak in",
                            "      wave5_vdi_init()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      send_eos_event()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      handle_dynamic_resolution_change()",
                            "    - arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label",
                            "      position",
                            "    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after",
                            "      system pages",
                            "    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages",
                            "    - spi: bcm63xx: fix controller deregistration",
                            "    - spi: atmel: fix controller deregistration",
                            "    - arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux",
                            "    - regulator: mt6357: fix OF node reference imbalance",
                            "    - spi: st-ssc4: fix controller deregistration",
                            "    - regulator: max77650: fix OF node reference imbalance",
                            "    - media: ti: vpe: Add missing v4l2_device_unregister in vip_remove()",
                            "    - media: rc: streamzap: Error handling in probe",
                            "    - media: i2c: imx283: Enter full standby when stopping streaming",
                            "    - regulator: bq257xx: fix OF node reference imbalance",
                            "    - regulator: rk808: fix OF node reference imbalance",
                            "    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
                            "    - media: mali-c55: Fully reset the ISP configuration",
                            "    - media: intel/ipu6: fix error pointer dereference",
                            "    - media: i2c: imx283: Fix hang when going from large to small resolution",
                            "    - regulator: act8945a: fix OF node reference imbalance",
                            "    - regulator: s2dos05: fix OF node reference imbalance",
                            "    - regulator: bd9571mwv: fix OF node reference imbalance",
                            "    - spi: lantiq-ssc: fix controller deregistration",
                            "    - spi: meson-spicc: fix controller deregistration",
                            "    - spi: qup: fix controller deregistration",
                            "    - arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO",
                            "    - spi: at91-usart: fix controller deregistration",
                            "    - media: ipu-bridge: Add upside-down sensor DMI quirk for Dell XPS 13 9340",
                            "      and XPS 14 9440",
                            "    - spi: amlogic-spisg: fix controller deregistration",
                            "    - spi: aspeed-smc: fix controller deregistration",
                            "    - drm/colorop: Preserve bypass value in duplicate_state()",
                            "    - drm/atomic: Add affected colorops with affected planes",
                            "    - platform/x86: hp-wmi: Ignore backlight and FnLock events",
                            "    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to",
                            "      copy",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for",
                            "      pinctrl/pinctrl_aon",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt",
                            "    - media: pci: zoran: fix potential memory leak in zoran_probe()",
                            "    - media: dib8000: avoid division by 0 in dib8000_set_dds()",
                            "    - media: i2c: imx412: Assert reset GPIO during probe",
                            "    - media: staging: imx: request mbus_config in csi_start",
                            "    - media: i2c: ov08d10: fix image vertical start setting",
                            "    - media: i2c: ov08d10: fix runtime PM handling in probe",
                            "    - media: omap3isp: drop the use count of v4l2 pipeline",
                            "    - media: iris: fix QCOM_MDT_LOADER dependency",
                            "    - media: qcom: camss: Fix csid clock configuration for sa8775p",
                            "    - media: qcom: camss: Fix csid IRQ offset for sa8775p",
                            "    - media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on",
                            "      SC7280",
                            "    - media: venus: fix QCOM_MDT_LOADER dependency",
                            "    - media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()",
                            "    - media: iris: switch to hardware mode after firmware boot",
                            "    - media: qcom: camss: Add missing clocks for VFE lite on sa8775p",
                            "    - spi: mxs: fix controller deregistration",
                            "    - spi: mt65xx: fix controller deregistration",
                            "    - spi: dln2: fix controller deregistration",
                            "    - spi: s3c64xx: fix controller deregistration",
                            "    - spi: fsl-espi: fix controller deregistration",
                            "    - spi: omap2-mcspi: fix controller deregistration",
                            "    - spi: pic32: fix controller deregistration",
                            "    - spi: ep93xx: fix controller deregistration",
                            "    - spi: mtk-nor: fix controller deregistration",
                            "    - spi: pl022: fix controller deregistration",
                            "    - spi: sh-hspi: fix controller deregistration",
                            "    - spi: bcmbca-hsspi: fix controller deregistration",
                            "    - spi: coldfire-qspi: fix controller deregistration",
                            "    - spi: npcm-pspi: fix controller deregistration",
                            "    - spi: cavium-thunderx: fix controller deregistration",
                            "    - spi: pic32-sqi: fix controller deregistration",
                            "    - spi: sprd: fix controller deregistration",
                            "    - spi: sh-msiof: fix controller deregistration",
                            "    - spi: slave-mt27xx: fix controller deregistration",
                            "    - spi: img-spfi: fix controller deregistration",
                            "    - spi: mpfs: fix controller deregistration",
                            "    - spi: octeon: fix controller deregistration",
                            "    - spi: imx: fix runtime pm leak on probe deferral",
                            "    - spi: mxic: fix controller deregistration",
                            "    - spi: orion: fix controller deregistration",
                            "    - spi: orion: fix runtime pm leak on unbind",
                            "    - spi: orion: fix clock imbalance on registration failure",
                            "    - spi: cadence: fix controller deregistration",
                            "    - spi: cadence-quadspi: fix controller deregistration",
                            "    - spi: cadence: fix unclocked access on unbind",
                            "    - spi: cadence: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm disable imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm and clock imbalance on unbind",
                            "    - drm/colorop: Fix blob property reference tracking in state lifecycle",
                            "    - drm/imx: parallel-display: Prefer bus format set via legacy \"interface-",
                            "      pix-fmt\" DT property",
                            "    - drm/msm: always recover the gpu",
                            "    - drm/v3d: Reject empty multisync extension to prevent infinite loop",
                            "    - drm/i915/psr: Init variable to avoid early exit from et alignment loop",
                            "    - drm/amd/display: fix math_mod() using arg1 instead of arg2",
                            "    - drm/amd: Add missing firmware declaration for PSP v15.0.0",
                            "    - drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0",
                            "      .",
                            "    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.",
                            "    - drm/amdgpu: gate VM CPU HDP flush on reset lock",
                            "    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x",
                            "    - drm/amdkfd: Add upper bound check for num_of_nodes",
                            "    - drm/amdgpu/vce: Prevent partial address patches",
                            "    - drm/amd/display: Change dither policy for 10 bpc output back to",
                            "      dithering",
                            "    - drm/appletbdrm: Use kvzalloc for big allocations",
                            "    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11 and",
                            "      higher.",
                            "    - drm/udl: Increase GET_URB_TIMEOUT",
                            "    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()",
                            "    - drm/xe/bo: Fix bo leak on unaligned size validation in",
                            "      xe_bo_init_locked()",
                            "    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
                            "    - drm/radeon: add missing revision check for CI",
                            "    - drm/amdgpu: zero-initialize GART table on allocation",
                            "    - drm/exynos: remove bridge when component_add fails",
                            "    - drm/amdgpu/userq: fix access to stale wptr mapping",
                            "    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ",
                            "    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer",
                            "    - drm/sti: remove bridge when sti_hda component_add fails",
                            "    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdkfd: Make all TLB-flushes heavy-weight",
                            "    - drm/amdgpu/pm: add missing revision check for CI",
                            "    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon",
                            "    - arm64: dts: qcom: kodiak: Fix PCIe1 PHY ref clock voting",
                            "    - arm64: dts: qcom: lemans: Correct QUP interrupt numbers",
                            "    - arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22",
                            "    - arm64: dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO",
                            "    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure",
                            "    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation",
                            "    - usb: typec: tcpm: reset internal port states on soft reset AMS",
                            "    - io_uring/zcrx: use guards for locking",
                            "    - io_uring/zcrx: warn on freelist violations",
                            "    - kho: fix error handling in kho_add_subtree()",
                            "    - EDAC/versalnet: Refactor memory controller initialization and cleanup",
                            "    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: uniphier: fix controller deregistration",
                            "    - cgroup: Increment nr_dying_subsys_* from rmdir context",
                            "    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()",
                            "    - perf build: fix \"argument list too long\" in second location",
                            "    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from mmap()",
                            "    - vsock/virtio: fix length and offset in tap skb for split packets",
                            "    - drm/amdgpu/vcn3: Avoid overflow on msg bound check",
                            "    - drm/amdgpu/vcn4: Avoid overflow on msg bound check",
                            "    - Linux 7.0.9",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46214",
                            "    - vsock/virtio: fix accept queue count leak on transport mismatch",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46207",
                            "    - vsock/virtio: fix empty payload in tap skb for non-linear buffers",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46234",
                            "    - vsock: fix buffer size clamping order",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46223",
                            "    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46221",
                            "    - EDAC/versalnet: Fix device name memory leak",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46231",
                            "    - batman-adv: bla: put backbone reference on failed claim hash insert",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46233",
                            "    - batman-adv: bla: only purge non-released claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46212",
                            "    - batman-adv: bla: prevent use-after-free when deleting claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46238",
                            "    - batman-adv: stop caching unowned originator pointers in BAT IV",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46208",
                            "    - batman-adv: stop tp_meter sessions during mesh teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46206",
                            "    - batman-adv: reject new tp_meter sessions during teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46198",
                            "    - batman-adv: fix integer overflow on buff_pos",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46227",
                            "    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in",
                            "      SCTP_SENDALL",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46220",
                            "    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46215",
                            "    - drm: Set old handle to NULL before prime swap in change_handle",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46201",
                            "    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46224",
                            "    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46197",
                            "    - drm/amdkfd: validate SVM ioctl nattr against buffer size",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46209",
                            "    - drm/gem: Fix inconsistent plane dimension calculation in",
                            "      drm_gem_fb_init_with_funcs()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46230",
                            "    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46199",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46204",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46218",
                            "    - drm/amdgpu: Add bounds checking to ib_{get,set}_value",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46229",
                            "    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46211",
                            "    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46203",
                            "    - spi: cadence-quadspi: fix unclocked access on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46219",
                            "    - spi: mpc52xx: fix use-after-free on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46200",
                            "    - spi: mpc52xx: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46241",
                            "    - spi: mpc52xx: fix use-after-free on registration failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46225",
                            "    - spi: rspi: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46226",
                            "    - spi: fsl: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46228",
                            "    - spi: ch341: fix devres lifetime",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46216",
                            "    - drm/xe/hdcp: Add NULL check for media_gt in",
                            "      intel_hdcp_gsc_check_status()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46210",
                            "    - media: iris: fix use-after-free of fmt_src during MBPF check",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46240",
                            "    - media: iris: Fix use-after-free in iris_release_internal_buffers()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46235",
                            "    - media: saa7164: add ioremap return checks and cleanups",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46222",
                            "    - media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46239",
                            "    - media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46236",
                            "    - media: rc: xbox_remote: heed DMA restrictions",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46205",
                            "    - staging: media: atomisp: Disallow all private IOCTLs",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46202",
                            "    - HID: appletb-kbd: run inactivity autodim from workqueues",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46213",
                            "    - HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46232",
                            "    - HID: playstation: Clamp num_touch_reports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988)",
                            "    - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states",
                            "    - ACPI: scan: Use acpi_dev_put() in object add error paths",
                            "    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO",
                            "    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug",
                            "    - ACPI: video: force native backlight on HP OMEN 16 (8A44)",
                            "    - iommufd: Fix a race with concurrent allocation and unmap",
                            "    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command",
                            "    - spi: rockchip: fix controller deregistration",
                            "    - ksmbd: rewrite stop_sessions() with restartable iteration",
                            "    - flow_dissector: do not dissect PPPoE PFC frames",
                            "    - smb: client/smbdirect: fix MR registration for coalesced SG lists",
                            "    - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr",
                            "    - wifi: mt76: mt7925: fix incorrect length field in txpower command",
                            "    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work",
                            "    - wifi: ath5k: do not access array OOB",
                            "    - ALSA: usb-audio: midi2: Restart output URBs on resume",
                            "    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check",
                            "    - usb: dwc3: Move GUID programming after PHY initialization",
                            "    - USB: omap_udc: DMA: Don't enable burst 4 mode",
                            "    - USB: serial: option: add Telit Cinterion LE910Cx compositions",
                            "    - usb: typec: tcpm: fix debug accessory mode detection for sink ports",
                            "    - ALSA: hda: cs35l56: Propagate ASP TX source control errors",
                            "    - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi",
                            "      Laptop Pro 15",
                            "    - ALSA: firewire-tascam: Do not drop unread control events",
                            "    - ALSA: core: Serialize deferred fasync state checks",
                            "    - ALSA: seq: Fix UMP group 16 filtering",
                            "    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o",
                            "    - x86/efi: Restore IRQ state in EFI page fault handler",
                            "    - xfrm: provide message size for XFRM_MSG_MAPPING",
                            "    - selinux: fix avdcache auditing",
                            "    - selinux: don't reserve xattr slot when we won't fill it",
                            "    - selinux: shrink critical section in sel_write_load()",
                            "    - selinux: prune /sys/fs/selinux/checkreqprot",
                            "    - selinux: prune /sys/fs/selinux/disable",
                            "    - selinux: prune /sys/fs/selinux/user",
                            "    - selinux: allow multiple opens of /sys/fs/selinux/policy",
                            "    - io_uring/kbuf: support min length left for incremental buffers",
                            "    - io_uring/tw: serialize ctx->retry_llist with ->uring_lock",
                            "    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()",
                            "    - rust: drm: gem: clean up GEM state in init failure case",
                            "    - rust: allow `clippy::collapsible_match` globally",
                            "    - rust: allow `clippy::collapsible_if` globally",
                            "    - rust: pin-init: internal: move alignment check to `make_field_check`",
                            "    - spi: syncuacer: fix controller deregistration",
                            "    - spi: sun4i: fix controller deregistration",
                            "    - spi: zynq-qspi: fix controller deregistration",
                            "    - spi: ti-qspi: fix controller deregistration",
                            "    - spi: sun6i: fix controller deregistration",
                            "    - spi: tegra114: fix controller deregistration",
                            "    - spi: zynqmp-gqspi: fix controller deregistration",
                            "    - spi: tegra20-sflash: fix controller deregistration",
                            "    - spi: s3c64xx: fix NULL-deref on driver unbind",
                            "    - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in",
                            "      rtw_cbuf_alloc",
                            "    - staging: vme_user: fix root device leak on init failure",
                            "    - KVM: arm64: Fix kvm_vcpu_initialized() macro parameter",
                            "    - arm64: signal: Preserve POR_EL0 if poe_context is missing",
                            "    - mm/hugetlb_cma: round up per_node before logging it",
                            "    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT",
                            "    - LoongArch: KVM: Compile switch.S directly into the kernel",
                            "    - mptcp: pm: ADD_ADDR rtx: skip inactive subflows",
                            "    - perf/x86/intel: Improve validation and configuration of ACR masks",
                            "    - selftests/rseq: Don't run tests with runner scripts outside of the",
                            "      scripts",
                            "    - rseq: Set rseq::cpu_id_start to 0 on unregistration",
                            "    - rseq: Protect rseq_reset() against interrupts",
                            "    - rseq: Don't advertise time slice extensions if disabled",
                            "    - selftests/rseq: Make registration flexible for legacy and optimized mode",
                            "    - selftests/rseq: Skip tests if time slice extensions are not available",
                            "    - selftests/rseq: Validate legacy behavior",
                            "    - selftests/rseq: Expand for optimized RSEQ ABI v2",
                            "    - pseries/papr-hvpipe: Fix race with interrupt handler",
                            "    - pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()",
                            "    - pseries/papr-hvpipe: Fix the usage of copy_to_user()",
                            "    - net: libwx: use request_irq for VF misc interrupt",
                            "    - netpoll: pass buffer size to egress_dev() to avoid MAC truncation",
                            "    - ovl: fix verity lazy-load guard broken by fsverity_active() semantic",
                            "      change",
                            "    - parisc: Fix IRQ leak in LASI driver",
                            "    - x86/efi: Fix graceful fault handling after FPU softirq changes",
                            "    - hwmon: (ltc2992) Clamp threshold writes to hardware range",
                            "    - hwmon: (ltc2992) Fix u32 overflow in power read path",
                            "    - clk: rk808: fix OF node reference imbalance",
                            "    - hwmon: (corsair-psu) Close HID device on probe errors",
                            "    - af_unix: Reject SIOCATMARK on non-stream sockets",
                            "    - arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's",
                            "    - pmdomain: mediatek: fix use-after-free in",
                            "      scpsys_get_bus_protection_legacy()",
                            "    - block: fix zone write plug removal",
                            "    - block: only read from sqe on initial invocation of blkdev_uring_cmd()",
                            "    - cifs: abort open_cached_dir if we don't request leases",
                            "    - cifs: change_conf needs to be called for session setup",
                            "    - extcon: ptn5150: handle pending IRQ events during system resume",
                            "    - gpio: of: clear OF_POPULATED on hog nodes in remove path",
                            "    - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS",
                            "    - hv_sock: fix ARM64 support",
                            "    - hv_sock: Report EOF instead of -EIO for FIN",
                            "    - hv_sock: Return -EIO for malformed/short packets",
                            "    - spi: microchip-core-qspi: fix controller deregistration",
                            "    - spi: microchip-core-spi: fix controller deregistration",
                            "    - tracefs: Fix default permissions not being applied on initial mount",
                            "    - udf: reject descriptors with oversized CRC length",
                            "    - x86/boot/e820: Re-enable BIOS fallback if e820 table is empty",
                            "    - thermal: core: Free thermal zone ID later during removal",
                            "    - thermal/drivers/sprd: Fix temperature clamping in",
                            "      sprd_thm_temp_to_rawdata",
                            "    - thermal/drivers/sprd: Fix raw temperature clamping in",
                            "      sprd_thm_rawdata_to_temp",
                            "    - spi: topcliff-pch: fix controller deregistration",
                            "    - spi: topcliff-pch: fix use-after-free on unbind",
                            "    - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section",
                            "    - tracing/fprobe: Remove fprobe from hash in failure path",
                            "    - tracing/fprobe: Unregister fprobe even if memory allocation fails",
                            "    - tracing/probes: Limit size of event probe to 3K",
                            "    - tracing/fprobe: Check the same type fprobe on table as the unregistered",
                            "      one",
                            "    - clk: imx: imx8-acm: fix flags for acm clocks",
                            "    - clk: microchip: mpfs-ccc: fix out of bounds access during output",
                            "      registration",
                            "    - cpuidle: powerpc: avoid double clear when breaking snooze",
                            "    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk",
                            "      table",
                            "    - ASoC: ES8389: convert to devm_clk_get_optional() to get clock",
                            "    - ASoC: fsl_easrc: fix comment typo",
                            "    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error",
                            "    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop",
                            "    - ASoC: qcom: q6apm: remove child devices when apm is removed",
                            "    - btrfs: do not mark inode incompressible after inline attempt fails",
                            "    - dm: don't report warning when doing deferred remove",
                            "    - dm: fix a buffer overflow in ioctl processing",
                            "    - dm-verity-fec: correctly reject too-small FEC devices",
                            "    - dm-verity-fec: correctly reject too-small hash devices",
                            "    - dm-verity-fec: fix corrected block count stat",
                            "    - dm-verity-fec: fix the size of dm_verity_fec_io::erasures",
                            "    - isofs: validate Rock Ridge CE continuation extent against volume size",
                            "    - iommufd: Fix return value of iommufd_fault_fops_write()",
                            "    - iommu/vt-d: Block PASID attachment to nested domain with dirty tracking",
                            "    - iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update",
                            "    - lib/crc: tests: Make crc_kunit test only the enabled CRC variants",
                            "    - lib/scatterlist: fix temp buffer in extract_user_to_sg()",
                            "    - nvme-apple: drop invalid put of admin queue reference count",
                            "    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
                            "    - pmdomain: core: Fix detach procedure for virtual devices in genpd",
                            "    - psp: strip variable-length PSP header in psp_dev_rcv()",
                            "    - s390/debug: Reject zero-length input in debug_input_flush_fn()",
                            "    - s390/debug: Reject zero-length input before trimming a newline",
                            "    - KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty",
                            "    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/stat: detect and use fresh enabled value",
                            "    - PCI: Update saved_config_space upon resource assignment",
                            "    - PCI/AER: Clear only error bits in PCIe Device Status",
                            "    - PCI/AER: Stop ruling out unbound devices as error source",
                            "    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage",
                            "    - power: supply: max17042: avoid overflow when determining health",
                            "    - perf/x86/intel: Always reprogram ACR events to prevent stale masks",
                            "    - perf/x86/intel: Disable PMI for self-reloaded ACR events",
                            "    - perf/x86/intel: Enable auto counter reload for DMR",
                            "    - RDMA/ionic: bound node_desc sysfs read with %.64s",
                            "    - RDMA/ionic: Fix typo in format string",
                            "    - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()",
                            "    - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()",
                            "    - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask",
                            "    - sched_ext: Use dsq->first_task instead of list_empty() in",
                            "      dispatch_enqueue() FIFO-tail",
                            "    - selftests: mptcp: check output: catch cmd errors",
                            "    - selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl",
                            "    - mptcp: fastclose msk when linger time is 0",
                            "    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure",
                            "    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure",
                            "    - mptcp: sockopt: set timestamp flags on subflow socket, not msk",
                            "    - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf",
                            "    - mptcp: fix rx timestamp corruption on fastopen",
                            "    - mptcp: pm: prio: skip closed subflows",
                            "    - mptcp: pm: kernel: reset fullmesh counter after flush",
                            "    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker",
                            "    - mptcp: pm: ADD_ADDR rtx: return early if no retrans",
                            "    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()",
                            "    - f2fs: fix false alarm of lockdep on cp_global_sem lock",
                            "    - f2fs: fix fiemap boundary handling when read extent cache is incomplete",
                            "    - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage",
                            "    - f2fs: fix incorrect file address mapping when inline inode is unwritten",
                            "    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()",
                            "    - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()",
                            "    - f2fs: refactor f2fs_move_node_folio function",
                            "    - f2fs: fix inline data not being written to disk in writeback path",
                            "    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace",
                            "    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value",
                            "    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()",
                            "    - KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer",
                            "    - KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer",
                            "    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS",
                            "    - LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry",
                            "    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by",
                            "      software",
                            "    - LoongArch: KVM: Move unconditional delay into timer clear scenery",
                            "    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()",
                            "    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup",
                            "    - mmc: core: Adjust MDT beyond 2025",
                            "    - mmc: core: Add quirk for incorrect manufacturing date",
                            "    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs",
                            "    - crypto: qat - fix indentation of macros in qat_hal.c",
                            "    - crypto: qat - fix firmware loading failure for GEN6 devices",
                            "    - hfsplus: fix held lock freed on hfsplus_fill_super()",
                            "    - 8021q: use RCU for egress QoS mappings",
                            "    - printk: add print_hex_dump_devel()",
                            "    - crypto: caam - guard HMAC key hex dumps in hash_digest_key",
                            "    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()",
                            "    - rust: pin-init: fix incorrect accessor reference lifetime",
                            "    - Linux 7.0.7",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43490",
                            "    - ksmbd: validate inherited ACE SID length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46174",
                            "    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op",
                            "      cache",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46110",
                            "    - net: stmmac: Prevent NULL deref when RX memory exhausted",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46153",
                            "    - 8021q: delete cleared egress QoS mappings",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46169",
                            "    - hfsplus: fix uninit-value by validating catalog record size",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46188",
                            "    - octeon_ep_vf: add NULL check for napi_build_skb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45837",
                            "    - bpf: Fix use-after-free in arena_vm_close on fork",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46156",
                            "    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46147",
                            "    - KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46175",
                            "    - f2fs: fix fsck inconsistency caused by FGGC of node block",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46194",
                            "    - f2fs: fix node_cnt race between extent node destroy and writeback",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46170",
                            "    - mptcp: pm: ADD_ADDR rtx: free sk if last",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46158",
                            "    - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46168",
                            "    - mptcp: fix scheduling with atomic in timestamp sockopt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46189",
                            "    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46133",
                            "    - RDMA/rxe: Reject unknown opcodes before ICRC processing",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46114",
                            "    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46127",
                            "    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46176",
                            "    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46178",
                            "    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46181",
                            "    - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46145",
                            "    - RDMA/mana: Validate rx_hash_key_len",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46117",
                            "    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46126",
                            "    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46144",
                            "    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46141",
                            "    - powerpc/xive: fix kmemleak caused by incorrect chip_data lookup",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46183",
                            "    - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46121",
                            "    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46131",
                            "    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46139",
                            "    - smb: client: use kzalloc to zero-initialize security descriptor buffer",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46105",
                            "    - scsi: mpt3sas: Limit NVMe request size to 2 MiB",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46171",
                            "    - riscv: kvm: fix vector context allocation leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46112",
                            "    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46165",
                            "    - openvswitch: vport: fix self-deadlock on release of tunnel ports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46161",
                            "    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43492",
                            "    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46124",
                            "    - isofs: validate block number from NFS file handle in isofs_export_iget",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46130",
                            "    - dm-verity-fec: fix reading parity bytes split across blocks (take 3)",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46106",
                            "    - eventfs: Hold eventfs_mutex and SRCU when remount walks events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46107",
                            "    - dm-thin: fix metadata refcount underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46160",
                            "    - btrfs: fix missing last_unlink_trans update when removing a directory",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46164",
                            "    - btrfs: fix double free in create_space_info_sub_group() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46129",
                            "    - btrfs: fix double free in create_space_info() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46159",
                            "    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to",
                            "      info-leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46143",
                            "    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46148",
                            "    - spi: microchip-core-qspi: control built-in cs manually",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46192",
                            "    - spi: microchip-core-qspi: don't attempt to transmit during emulated",
                            "      read-only dual/quad operations",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46162",
                            "    - ice: fix double free in ice_sf_eth_activate() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46273",
                            "    - ibmveth: Disable GSO for packets with small MSS",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46191",
                            "    - fbcon: Avoid OOB font access if console rotation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46134",
                            "    - platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43495",
                            "    - net: wwan: t7xx: validate port_count against message length in",
                            "      t7xx_port_enum_msg_handler",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43502",
                            "    - net/rds: handle zerocopy send cleanup before the message is queued",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46120",
                            "    - ip6_gre: Use cached t->net in ip6erspan_changelink().",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46142",
                            "    - net: libwx: fix VF illegal register access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46118",
                            "    - pseries/papr-hvpipe: Fix null ptr deref in",
                            "      papr_hvpipe_dev_create_handle()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46182",
                            "    - pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46184",
                            "    - sound: ua101: fix division by zero at probe",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43498",
                            "    - accel/ivpu: Disallow re-exporting imported GEM objects",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46132",
                            "    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in",
                            "      rtnl_fill_vfinfo",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46190",
                            "    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46150",
                            "    - fanotify: fix false positive on permission events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45836",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45834",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45835",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46138",
                            "    - Bluetooth: hci_event: Fix OOB read and infinite loop in",
                            "      hci_le_create_big_complete_evt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46111",
                            "    - Bluetooth: hci_conn: fix potential UAF in create_big_sync",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46140",
                            "    - Bluetooth: btmtk: validate WMT event SKB length before struct access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46186",
                            "    - Bluetooth: virtio_bt: validate rx pkt_type header length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46123",
                            "    - Bluetooth: virtio_bt: clamp rx length before skb_put",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46104",
                            "    - selinux: use sk blob accessor in socket permission helpers",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46193",
                            "    - xfrm: ah: account for ESN high bits in async callbacks",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46172",
                            "    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46116",
                            "    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46154",
                            "    - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46157",
                            "    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46109",
                            "    - usb: ulpi: fix memory leak on ulpi_register() error paths",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46146",
                            "    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46167",
                            "    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46151",
                            "    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46180",
                            "    - wifi: brcmfmac: Fix potential use-after-free issue when stopping",
                            "      watchdog task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46122",
                            "    - wifi: b43: enforce bounds check on firmware key index in b43_rx()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46125",
                            "    - wifi: mac80211: remove station if connection prep fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46166",
                            "    - wifi: mac80211: use safe list iteration in radar detect work",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46187",
                            "    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46152",
                            "    - wifi: mac80211: drop stray 'static' from fast-RX rx_result",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46163",
                            "    - wifi: b43legacy: enforce bounds check on firmware key index in RX path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46136",
                            "    - wifi: mt76: mt7921: fix a potential clc buffer length underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46173",
                            "    - exit: prevent preemption of oopsing TASK_DEAD task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43496",
                            "    - net/sched: sch_red: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46113",
                            "    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46179",
                            "    - ASoC: SOF: Don't allow pointer operations on unconfigured streams",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46196",
                            "    - tracepoint: balance regfunc() on func_add() failure in",
                            "      tracepoint_add_func()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43497",
                            "    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46108",
                            "    - ipmi:si: Return state to normal if message allocation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46128",
                            "    - ipmi: Check event message buffer response for bad data",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46177",
                            "    - ipmi: Add limits to event and receive message requests",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46149",
                            "    - scsi: target: configfs: Bound snprintf() return in",
                            "      tg_pt_gp_members_show()",
                            "",
                            "  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,",
                            "    conflicting with nouveau (LP: #2150845)",
                            "    - [Config] Disable NOVA_CORE",
                            "",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "",
                            "  * CVE-2026-46137",
                            "    - mptcp: pm: ADD_ADDR rtx: allow ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: fix potential data-race",
                            "",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "",
                            "  * CVE-2026-46155",
                            "    - smb/client: fix out-of-bounds read in smb2_compound_op()",
                            "",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157520,
                            2154418,
                            2155837,
                            2154174,
                            2154748,
                            2156559,
                            2156556,
                            2150640,
                            2156312,
                            2155096,
                            2154715,
                            2153159,
                            2150071,
                            2154343,
                            2149770,
                            2153155,
                            2152570,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156390,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2150845
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 02:37:29 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-perf",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46318",
                        "url": "https://ubuntu.com/security/CVE-2026-46318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46322",
                        "url": "https://ubuntu.com/security/CVE-2026-46322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46320",
                        "url": "https://ubuntu.com/security/CVE-2026-46320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46321",
                        "url": "https://ubuntu.com/security/CVE-2026-46321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46316",
                        "url": "https://ubuntu.com/security/CVE-2026-46316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46317",
                        "url": "https://ubuntu.com/security/CVE-2026-46317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45846",
                        "url": "https://ubuntu.com/security/CVE-2026-45846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45845",
                        "url": "https://ubuntu.com/security/CVE-2026-45845",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45844",
                        "url": "https://ubuntu.com/security/CVE-2026-45844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46242",
                        "url": "https://ubuntu.com/security/CVE-2026-46242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-30 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45843",
                        "url": "https://ubuntu.com/security/CVE-2026-45843",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45842",
                        "url": "https://ubuntu.com/security/CVE-2026-45842",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45841",
                        "url": "https://ubuntu.com/security/CVE-2026-45841",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45840",
                        "url": "https://ubuntu.com/security/CVE-2026-45840",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45839",
                        "url": "https://ubuntu.com/security/CVE-2026-45839",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45838",
                        "url": "https://ubuntu.com/security/CVE-2026-45838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46214",
                        "url": "https://ubuntu.com/security/CVE-2026-46214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46207",
                        "url": "https://ubuntu.com/security/CVE-2026-46207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46234",
                        "url": "https://ubuntu.com/security/CVE-2026-46234",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46223",
                        "url": "https://ubuntu.com/security/CVE-2026-46223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46221",
                        "url": "https://ubuntu.com/security/CVE-2026-46221",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46231",
                        "url": "https://ubuntu.com/security/CVE-2026-46231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46233",
                        "url": "https://ubuntu.com/security/CVE-2026-46233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46212",
                        "url": "https://ubuntu.com/security/CVE-2026-46212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46238",
                        "url": "https://ubuntu.com/security/CVE-2026-46238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46208",
                        "url": "https://ubuntu.com/security/CVE-2026-46208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46206",
                        "url": "https://ubuntu.com/security/CVE-2026-46206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46198",
                        "url": "https://ubuntu.com/security/CVE-2026-46198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46227",
                        "url": "https://ubuntu.com/security/CVE-2026-46227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46220",
                        "url": "https://ubuntu.com/security/CVE-2026-46220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46215",
                        "url": "https://ubuntu.com/security/CVE-2026-46215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46201",
                        "url": "https://ubuntu.com/security/CVE-2026-46201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46224",
                        "url": "https://ubuntu.com/security/CVE-2026-46224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46197",
                        "url": "https://ubuntu.com/security/CVE-2026-46197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46209",
                        "url": "https://ubuntu.com/security/CVE-2026-46209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46230",
                        "url": "https://ubuntu.com/security/CVE-2026-46230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46199",
                        "url": "https://ubuntu.com/security/CVE-2026-46199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46204",
                        "url": "https://ubuntu.com/security/CVE-2026-46204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46218",
                        "url": "https://ubuntu.com/security/CVE-2026-46218",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46229",
                        "url": "https://ubuntu.com/security/CVE-2026-46229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46211",
                        "url": "https://ubuntu.com/security/CVE-2026-46211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46203",
                        "url": "https://ubuntu.com/security/CVE-2026-46203",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46219",
                        "url": "https://ubuntu.com/security/CVE-2026-46219",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46200",
                        "url": "https://ubuntu.com/security/CVE-2026-46200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46241",
                        "url": "https://ubuntu.com/security/CVE-2026-46241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46225",
                        "url": "https://ubuntu.com/security/CVE-2026-46225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46226",
                        "url": "https://ubuntu.com/security/CVE-2026-46226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46228",
                        "url": "https://ubuntu.com/security/CVE-2026-46228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46216",
                        "url": "https://ubuntu.com/security/CVE-2026-46216",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46210",
                        "url": "https://ubuntu.com/security/CVE-2026-46210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46240",
                        "url": "https://ubuntu.com/security/CVE-2026-46240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46235",
                        "url": "https://ubuntu.com/security/CVE-2026-46235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46222",
                        "url": "https://ubuntu.com/security/CVE-2026-46222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46239",
                        "url": "https://ubuntu.com/security/CVE-2026-46239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46236",
                        "url": "https://ubuntu.com/security/CVE-2026-46236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46205",
                        "url": "https://ubuntu.com/security/CVE-2026-46205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46202",
                        "url": "https://ubuntu.com/security/CVE-2026-46202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46213",
                        "url": "https://ubuntu.com/security/CVE-2026-46213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46232",
                        "url": "https://ubuntu.com/security/CVE-2026-46232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43490",
                        "url": "https://ubuntu.com/security/CVE-2026-43490",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 06:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46174",
                        "url": "https://ubuntu.com/security/CVE-2026-46174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46110",
                        "url": "https://ubuntu.com/security/CVE-2026-46110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46153",
                        "url": "https://ubuntu.com/security/CVE-2026-46153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46169",
                        "url": "https://ubuntu.com/security/CVE-2026-46169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46188",
                        "url": "https://ubuntu.com/security/CVE-2026-46188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45837",
                        "url": "https://ubuntu.com/security/CVE-2026-45837",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46156",
                        "url": "https://ubuntu.com/security/CVE-2026-46156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46147",
                        "url": "https://ubuntu.com/security/CVE-2026-46147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46175",
                        "url": "https://ubuntu.com/security/CVE-2026-46175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46194",
                        "url": "https://ubuntu.com/security/CVE-2026-46194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46170",
                        "url": "https://ubuntu.com/security/CVE-2026-46170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46158",
                        "url": "https://ubuntu.com/security/CVE-2026-46158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46168",
                        "url": "https://ubuntu.com/security/CVE-2026-46168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46189",
                        "url": "https://ubuntu.com/security/CVE-2026-46189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46133",
                        "url": "https://ubuntu.com/security/CVE-2026-46133",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46114",
                        "url": "https://ubuntu.com/security/CVE-2026-46114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46127",
                        "url": "https://ubuntu.com/security/CVE-2026-46127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46176",
                        "url": "https://ubuntu.com/security/CVE-2026-46176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46178",
                        "url": "https://ubuntu.com/security/CVE-2026-46178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46181",
                        "url": "https://ubuntu.com/security/CVE-2026-46181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46145",
                        "url": "https://ubuntu.com/security/CVE-2026-46145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46117",
                        "url": "https://ubuntu.com/security/CVE-2026-46117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46126",
                        "url": "https://ubuntu.com/security/CVE-2026-46126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46144",
                        "url": "https://ubuntu.com/security/CVE-2026-46144",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46141",
                        "url": "https://ubuntu.com/security/CVE-2026-46141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46183",
                        "url": "https://ubuntu.com/security/CVE-2026-46183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46121",
                        "url": "https://ubuntu.com/security/CVE-2026-46121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46131",
                        "url": "https://ubuntu.com/security/CVE-2026-46131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46139",
                        "url": "https://ubuntu.com/security/CVE-2026-46139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46105",
                        "url": "https://ubuntu.com/security/CVE-2026-46105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46171",
                        "url": "https://ubuntu.com/security/CVE-2026-46171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46112",
                        "url": "https://ubuntu.com/security/CVE-2026-46112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46165",
                        "url": "https://ubuntu.com/security/CVE-2026-46165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46161",
                        "url": "https://ubuntu.com/security/CVE-2026-46161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43492",
                        "url": "https://ubuntu.com/security/CVE-2026-43492",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46124",
                        "url": "https://ubuntu.com/security/CVE-2026-46124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46130",
                        "url": "https://ubuntu.com/security/CVE-2026-46130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46106",
                        "url": "https://ubuntu.com/security/CVE-2026-46106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46107",
                        "url": "https://ubuntu.com/security/CVE-2026-46107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46160",
                        "url": "https://ubuntu.com/security/CVE-2026-46160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46164",
                        "url": "https://ubuntu.com/security/CVE-2026-46164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46129",
                        "url": "https://ubuntu.com/security/CVE-2026-46129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46159",
                        "url": "https://ubuntu.com/security/CVE-2026-46159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46143",
                        "url": "https://ubuntu.com/security/CVE-2026-46143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46148",
                        "url": "https://ubuntu.com/security/CVE-2026-46148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46192",
                        "url": "https://ubuntu.com/security/CVE-2026-46192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46162",
                        "url": "https://ubuntu.com/security/CVE-2026-46162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46273",
                        "url": "https://ubuntu.com/security/CVE-2026-46273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46191",
                        "url": "https://ubuntu.com/security/CVE-2026-46191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46134",
                        "url": "https://ubuntu.com/security/CVE-2026-46134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43495",
                        "url": "https://ubuntu.com/security/CVE-2026-43495",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43502",
                        "url": "https://ubuntu.com/security/CVE-2026-43502",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46120",
                        "url": "https://ubuntu.com/security/CVE-2026-46120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46142",
                        "url": "https://ubuntu.com/security/CVE-2026-46142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46118",
                        "url": "https://ubuntu.com/security/CVE-2026-46118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46182",
                        "url": "https://ubuntu.com/security/CVE-2026-46182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46184",
                        "url": "https://ubuntu.com/security/CVE-2026-46184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43498",
                        "url": "https://ubuntu.com/security/CVE-2026-43498",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46132",
                        "url": "https://ubuntu.com/security/CVE-2026-46132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46190",
                        "url": "https://ubuntu.com/security/CVE-2026-46190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46150",
                        "url": "https://ubuntu.com/security/CVE-2026-46150",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45836",
                        "url": "https://ubuntu.com/security/CVE-2026-45836",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45834",
                        "url": "https://ubuntu.com/security/CVE-2026-45834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45835",
                        "url": "https://ubuntu.com/security/CVE-2026-45835",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46138",
                        "url": "https://ubuntu.com/security/CVE-2026-46138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46111",
                        "url": "https://ubuntu.com/security/CVE-2026-46111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46140",
                        "url": "https://ubuntu.com/security/CVE-2026-46140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46186",
                        "url": "https://ubuntu.com/security/CVE-2026-46186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46123",
                        "url": "https://ubuntu.com/security/CVE-2026-46123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46104",
                        "url": "https://ubuntu.com/security/CVE-2026-46104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46193",
                        "url": "https://ubuntu.com/security/CVE-2026-46193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46172",
                        "url": "https://ubuntu.com/security/CVE-2026-46172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46116",
                        "url": "https://ubuntu.com/security/CVE-2026-46116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46154",
                        "url": "https://ubuntu.com/security/CVE-2026-46154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46157",
                        "url": "https://ubuntu.com/security/CVE-2026-46157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46109",
                        "url": "https://ubuntu.com/security/CVE-2026-46109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46146",
                        "url": "https://ubuntu.com/security/CVE-2026-46146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46167",
                        "url": "https://ubuntu.com/security/CVE-2026-46167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46151",
                        "url": "https://ubuntu.com/security/CVE-2026-46151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46180",
                        "url": "https://ubuntu.com/security/CVE-2026-46180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46122",
                        "url": "https://ubuntu.com/security/CVE-2026-46122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46125",
                        "url": "https://ubuntu.com/security/CVE-2026-46125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46166",
                        "url": "https://ubuntu.com/security/CVE-2026-46166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46187",
                        "url": "https://ubuntu.com/security/CVE-2026-46187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46152",
                        "url": "https://ubuntu.com/security/CVE-2026-46152",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46163",
                        "url": "https://ubuntu.com/security/CVE-2026-46163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46136",
                        "url": "https://ubuntu.com/security/CVE-2026-46136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46173",
                        "url": "https://ubuntu.com/security/CVE-2026-46173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43496",
                        "url": "https://ubuntu.com/security/CVE-2026-43496",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46113",
                        "url": "https://ubuntu.com/security/CVE-2026-46113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46179",
                        "url": "https://ubuntu.com/security/CVE-2026-46179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46196",
                        "url": "https://ubuntu.com/security/CVE-2026-46196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43497",
                        "url": "https://ubuntu.com/security/CVE-2026-43497",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46108",
                        "url": "https://ubuntu.com/security/CVE-2026-46108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46128",
                        "url": "https://ubuntu.com/security/CVE-2026-46128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46177",
                        "url": "https://ubuntu.com/security/CVE-2026-46177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46149",
                        "url": "https://ubuntu.com/security/CVE-2026-46149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46137",
                        "url": "https://ubuntu.com/security/CVE-2026-46137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46155",
                        "url": "https://ubuntu.com/security/CVE-2026-46155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2157520,
                    2154418,
                    2155837,
                    2154174,
                    2154748,
                    2156559,
                    2156556,
                    2150640,
                    2156312,
                    2155096,
                    2154715,
                    2153159,
                    2150071,
                    2154343,
                    2149770,
                    2153155,
                    2152570,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156390,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2150845
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46318",
                                "url": "https://ubuntu.com/security/CVE-2026-46318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46322",
                                "url": "https://ubuntu.com/security/CVE-2026-46322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46320",
                                "url": "https://ubuntu.com/security/CVE-2026-46320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46321",
                                "url": "https://ubuntu.com/security/CVE-2026-46321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46316",
                                "url": "https://ubuntu.com/security/CVE-2026-46316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46317",
                                "url": "https://ubuntu.com/security/CVE-2026-46317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45846",
                                "url": "https://ubuntu.com/security/CVE-2026-45846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45845",
                                "url": "https://ubuntu.com/security/CVE-2026-45845",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45844",
                                "url": "https://ubuntu.com/security/CVE-2026-45844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46242",
                                "url": "https://ubuntu.com/security/CVE-2026-46242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-30 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45843",
                                "url": "https://ubuntu.com/security/CVE-2026-45843",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45842",
                                "url": "https://ubuntu.com/security/CVE-2026-45842",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45841",
                                "url": "https://ubuntu.com/security/CVE-2026-45841",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45840",
                                "url": "https://ubuntu.com/security/CVE-2026-45840",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45839",
                                "url": "https://ubuntu.com/security/CVE-2026-45839",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45838",
                                "url": "https://ubuntu.com/security/CVE-2026-45838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46214",
                                "url": "https://ubuntu.com/security/CVE-2026-46214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46207",
                                "url": "https://ubuntu.com/security/CVE-2026-46207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46234",
                                "url": "https://ubuntu.com/security/CVE-2026-46234",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46223",
                                "url": "https://ubuntu.com/security/CVE-2026-46223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46221",
                                "url": "https://ubuntu.com/security/CVE-2026-46221",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46231",
                                "url": "https://ubuntu.com/security/CVE-2026-46231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46233",
                                "url": "https://ubuntu.com/security/CVE-2026-46233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46212",
                                "url": "https://ubuntu.com/security/CVE-2026-46212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46238",
                                "url": "https://ubuntu.com/security/CVE-2026-46238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46208",
                                "url": "https://ubuntu.com/security/CVE-2026-46208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46206",
                                "url": "https://ubuntu.com/security/CVE-2026-46206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46198",
                                "url": "https://ubuntu.com/security/CVE-2026-46198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46227",
                                "url": "https://ubuntu.com/security/CVE-2026-46227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46220",
                                "url": "https://ubuntu.com/security/CVE-2026-46220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46215",
                                "url": "https://ubuntu.com/security/CVE-2026-46215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46201",
                                "url": "https://ubuntu.com/security/CVE-2026-46201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46224",
                                "url": "https://ubuntu.com/security/CVE-2026-46224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46197",
                                "url": "https://ubuntu.com/security/CVE-2026-46197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46209",
                                "url": "https://ubuntu.com/security/CVE-2026-46209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46230",
                                "url": "https://ubuntu.com/security/CVE-2026-46230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46199",
                                "url": "https://ubuntu.com/security/CVE-2026-46199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46204",
                                "url": "https://ubuntu.com/security/CVE-2026-46204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46218",
                                "url": "https://ubuntu.com/security/CVE-2026-46218",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46229",
                                "url": "https://ubuntu.com/security/CVE-2026-46229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46211",
                                "url": "https://ubuntu.com/security/CVE-2026-46211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46203",
                                "url": "https://ubuntu.com/security/CVE-2026-46203",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46219",
                                "url": "https://ubuntu.com/security/CVE-2026-46219",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46200",
                                "url": "https://ubuntu.com/security/CVE-2026-46200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46241",
                                "url": "https://ubuntu.com/security/CVE-2026-46241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46225",
                                "url": "https://ubuntu.com/security/CVE-2026-46225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46226",
                                "url": "https://ubuntu.com/security/CVE-2026-46226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46228",
                                "url": "https://ubuntu.com/security/CVE-2026-46228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46216",
                                "url": "https://ubuntu.com/security/CVE-2026-46216",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46210",
                                "url": "https://ubuntu.com/security/CVE-2026-46210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46240",
                                "url": "https://ubuntu.com/security/CVE-2026-46240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46235",
                                "url": "https://ubuntu.com/security/CVE-2026-46235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46222",
                                "url": "https://ubuntu.com/security/CVE-2026-46222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46239",
                                "url": "https://ubuntu.com/security/CVE-2026-46239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46236",
                                "url": "https://ubuntu.com/security/CVE-2026-46236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46205",
                                "url": "https://ubuntu.com/security/CVE-2026-46205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46202",
                                "url": "https://ubuntu.com/security/CVE-2026-46202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46213",
                                "url": "https://ubuntu.com/security/CVE-2026-46213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46232",
                                "url": "https://ubuntu.com/security/CVE-2026-46232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43490",
                                "url": "https://ubuntu.com/security/CVE-2026-43490",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 06:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46174",
                                "url": "https://ubuntu.com/security/CVE-2026-46174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46110",
                                "url": "https://ubuntu.com/security/CVE-2026-46110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46153",
                                "url": "https://ubuntu.com/security/CVE-2026-46153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46169",
                                "url": "https://ubuntu.com/security/CVE-2026-46169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46188",
                                "url": "https://ubuntu.com/security/CVE-2026-46188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45837",
                                "url": "https://ubuntu.com/security/CVE-2026-45837",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46156",
                                "url": "https://ubuntu.com/security/CVE-2026-46156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46147",
                                "url": "https://ubuntu.com/security/CVE-2026-46147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46175",
                                "url": "https://ubuntu.com/security/CVE-2026-46175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46194",
                                "url": "https://ubuntu.com/security/CVE-2026-46194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46170",
                                "url": "https://ubuntu.com/security/CVE-2026-46170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46158",
                                "url": "https://ubuntu.com/security/CVE-2026-46158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46168",
                                "url": "https://ubuntu.com/security/CVE-2026-46168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46189",
                                "url": "https://ubuntu.com/security/CVE-2026-46189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46133",
                                "url": "https://ubuntu.com/security/CVE-2026-46133",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46114",
                                "url": "https://ubuntu.com/security/CVE-2026-46114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46127",
                                "url": "https://ubuntu.com/security/CVE-2026-46127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46176",
                                "url": "https://ubuntu.com/security/CVE-2026-46176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46178",
                                "url": "https://ubuntu.com/security/CVE-2026-46178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46181",
                                "url": "https://ubuntu.com/security/CVE-2026-46181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46145",
                                "url": "https://ubuntu.com/security/CVE-2026-46145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46117",
                                "url": "https://ubuntu.com/security/CVE-2026-46117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46126",
                                "url": "https://ubuntu.com/security/CVE-2026-46126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46144",
                                "url": "https://ubuntu.com/security/CVE-2026-46144",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46141",
                                "url": "https://ubuntu.com/security/CVE-2026-46141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46183",
                                "url": "https://ubuntu.com/security/CVE-2026-46183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46121",
                                "url": "https://ubuntu.com/security/CVE-2026-46121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46131",
                                "url": "https://ubuntu.com/security/CVE-2026-46131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46139",
                                "url": "https://ubuntu.com/security/CVE-2026-46139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46105",
                                "url": "https://ubuntu.com/security/CVE-2026-46105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46171",
                                "url": "https://ubuntu.com/security/CVE-2026-46171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46112",
                                "url": "https://ubuntu.com/security/CVE-2026-46112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46165",
                                "url": "https://ubuntu.com/security/CVE-2026-46165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46161",
                                "url": "https://ubuntu.com/security/CVE-2026-46161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43492",
                                "url": "https://ubuntu.com/security/CVE-2026-43492",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46124",
                                "url": "https://ubuntu.com/security/CVE-2026-46124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46130",
                                "url": "https://ubuntu.com/security/CVE-2026-46130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46106",
                                "url": "https://ubuntu.com/security/CVE-2026-46106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46107",
                                "url": "https://ubuntu.com/security/CVE-2026-46107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46160",
                                "url": "https://ubuntu.com/security/CVE-2026-46160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46164",
                                "url": "https://ubuntu.com/security/CVE-2026-46164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46129",
                                "url": "https://ubuntu.com/security/CVE-2026-46129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46159",
                                "url": "https://ubuntu.com/security/CVE-2026-46159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46143",
                                "url": "https://ubuntu.com/security/CVE-2026-46143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46148",
                                "url": "https://ubuntu.com/security/CVE-2026-46148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46192",
                                "url": "https://ubuntu.com/security/CVE-2026-46192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46162",
                                "url": "https://ubuntu.com/security/CVE-2026-46162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46273",
                                "url": "https://ubuntu.com/security/CVE-2026-46273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46191",
                                "url": "https://ubuntu.com/security/CVE-2026-46191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46134",
                                "url": "https://ubuntu.com/security/CVE-2026-46134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43495",
                                "url": "https://ubuntu.com/security/CVE-2026-43495",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43502",
                                "url": "https://ubuntu.com/security/CVE-2026-43502",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46120",
                                "url": "https://ubuntu.com/security/CVE-2026-46120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46142",
                                "url": "https://ubuntu.com/security/CVE-2026-46142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46118",
                                "url": "https://ubuntu.com/security/CVE-2026-46118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46182",
                                "url": "https://ubuntu.com/security/CVE-2026-46182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46184",
                                "url": "https://ubuntu.com/security/CVE-2026-46184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43498",
                                "url": "https://ubuntu.com/security/CVE-2026-43498",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46132",
                                "url": "https://ubuntu.com/security/CVE-2026-46132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46190",
                                "url": "https://ubuntu.com/security/CVE-2026-46190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46150",
                                "url": "https://ubuntu.com/security/CVE-2026-46150",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45836",
                                "url": "https://ubuntu.com/security/CVE-2026-45836",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45834",
                                "url": "https://ubuntu.com/security/CVE-2026-45834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45835",
                                "url": "https://ubuntu.com/security/CVE-2026-45835",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46138",
                                "url": "https://ubuntu.com/security/CVE-2026-46138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46111",
                                "url": "https://ubuntu.com/security/CVE-2026-46111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46140",
                                "url": "https://ubuntu.com/security/CVE-2026-46140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46186",
                                "url": "https://ubuntu.com/security/CVE-2026-46186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46123",
                                "url": "https://ubuntu.com/security/CVE-2026-46123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46104",
                                "url": "https://ubuntu.com/security/CVE-2026-46104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46193",
                                "url": "https://ubuntu.com/security/CVE-2026-46193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46172",
                                "url": "https://ubuntu.com/security/CVE-2026-46172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46116",
                                "url": "https://ubuntu.com/security/CVE-2026-46116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46154",
                                "url": "https://ubuntu.com/security/CVE-2026-46154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46157",
                                "url": "https://ubuntu.com/security/CVE-2026-46157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46109",
                                "url": "https://ubuntu.com/security/CVE-2026-46109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46146",
                                "url": "https://ubuntu.com/security/CVE-2026-46146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46167",
                                "url": "https://ubuntu.com/security/CVE-2026-46167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46151",
                                "url": "https://ubuntu.com/security/CVE-2026-46151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46180",
                                "url": "https://ubuntu.com/security/CVE-2026-46180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46122",
                                "url": "https://ubuntu.com/security/CVE-2026-46122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46125",
                                "url": "https://ubuntu.com/security/CVE-2026-46125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46166",
                                "url": "https://ubuntu.com/security/CVE-2026-46166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46187",
                                "url": "https://ubuntu.com/security/CVE-2026-46187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46152",
                                "url": "https://ubuntu.com/security/CVE-2026-46152",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46163",
                                "url": "https://ubuntu.com/security/CVE-2026-46163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46136",
                                "url": "https://ubuntu.com/security/CVE-2026-46136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46173",
                                "url": "https://ubuntu.com/security/CVE-2026-46173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43496",
                                "url": "https://ubuntu.com/security/CVE-2026-43496",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46113",
                                "url": "https://ubuntu.com/security/CVE-2026-46113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46179",
                                "url": "https://ubuntu.com/security/CVE-2026-46179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46196",
                                "url": "https://ubuntu.com/security/CVE-2026-46196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43497",
                                "url": "https://ubuntu.com/security/CVE-2026-43497",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46108",
                                "url": "https://ubuntu.com/security/CVE-2026-46108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46128",
                                "url": "https://ubuntu.com/security/CVE-2026-46128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46177",
                                "url": "https://ubuntu.com/security/CVE-2026-46177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46149",
                                "url": "https://ubuntu.com/security/CVE-2026-46149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46137",
                                "url": "https://ubuntu.com/security/CVE-2026-46137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46155",
                                "url": "https://ubuntu.com/security/CVE-2026-46155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-28.28 -proposed tracker (LP: #2157520)",
                            "",
                            "  * Backport ASoC SDCA, AMD SoundWire, and RT722 audio fixes (LP: #2154418)",
                            "    - ASoC: amd: acp-sdw-legacy: rename the dmic component name",
                            "    - SAUCE: ASoC: rt722-sdca: add FU06 Playback Switch for speaker mute",
                            "      control",
                            "",
                            "  * MIPI camera of a BBG809N3A_B sensor SKU of the DELL Pro 14 Premium PA14260",
                            "    renders upside-down (LP: #2155837)",
                            "    - SAUCE: media: ipu-bridge: correct platform handling for DELL Pro 14",
                            "      Premium PA14260",
                            "",
                            "  * resolute ubuntu_kernel_selftests:seccomp_build test compilation issue",
                            "    (LP: #2154174)",
                            "    - SAUCE: selftests/seccomp fix compilation issue for amd64",
                            "",
                            "  * [Ubuntu 26.04] Severe Performance Degradation on kernel 7.0.0-15",
                            "    (LP: #2154748)",
                            "    - s390: Remove GENERIC_LOCKBREAK Kconfig option",
                            "    - UBUNTU [Config]: Remove GENERIC_LOCKBREAK in s390x",
                            "",
                            "  * Fix no sound output device on Dell GhostRider PTL no camera SKU",
                            "    (LP: #2156559)",
                            "    - ASoC: Intel: sof_sdw: append dai type to dai link name unconditionally",
                            "",
                            "  * Fix no audio from right built-in speaker on HP ZBook with TAS2781",
                            "    amplifier (LP: #2156556)",
                            "    - ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block",
                            "      data processing",
                            "",
                            "  * Installer fails internally with a RSync error due to page fault",
                            "    (LP: #2150640)",
                            "    - ovl: keep err zero after successful ovl_cache_get()",
                            "",
                            "  * Internal display black screen on Intel Lunar Lake with eDP panel",
                            "    (LP: #2156312)",
                            "    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG",
                            "",
                            "  * Thunderbolt DP tunnel torn down during boot with LUKS Full Disk Encryption",
                            "    (LP: #2155096)",
                            "    - SAUCE: thunderbolt: Defer DP tunnel teardown until display driver is",
                            "      ready",
                            "",
                            "  * watchdog: lenovo_se10_wdt: Add SE10 Gen 2 support (LP: #2154715)",
                            "    - watchdog: lenovo_se10_wdt: Add support for SE10 Gen 2 platform",
                            "    - watchdog: lenovo_se10_wdt: Fix use-after-free and resource leak risk",
                            "",
                            "  * [Ubuntu 26.04] KVM: IBM Test Accelerator for Z (TAZ) not working properly",
                            "    (LP: #2153159)",
                            "    - KVM: s390: only deliver service interrupt with payload",
                            "    - KVM: s390: vsie: Allow non-zarch guests",
                            "    - KVM: s390: vsie: Disable some bits when in ESA mode",
                            "    - KVM: s390: vsie: Accommodate ESA prefix pages",
                            "    - KVM: s390: Add KVM capability for ESA mode guests",
                            "",
                            "  * ubuntu_bpf failed to build on Resolute (error: expected ‘:’, ‘,’, ‘;’, ‘}’",
                            "    or ‘__attribute__’ before ‘__counted_by’) (LP: #2150071)",
                            "    - tools/headers: Regenerate stddef.h to fix BPF selftests",
                            "",
                            "  * ubuntu_bpf: FTBFS with clang 23 / gcc 15 (LP: #2154343)",
                            "    - selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c",
                            "",
                            "  * ALSA: hda/tas2781 Audio Fix for the front-right speacker (LP: #2149770)",
                            "    - ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device",
                            "",
                            "  * Fix bad audio record quality when volume above 50% on Framework PTL",
                            "    (LP: #2153155)",
                            "    - ALSA: hda/realtek: fix mic boost on Framework PTL",
                            "",
                            "  * Patchset for TUXEDO devices (LP: #2152570)",
                            "    - drm/i915/vbt: Add edp pipe joiner enable/disable bits",
                            "    - drm/i915/dp: Avoid joiner for eDP if not enabled in VBT",
                            "    - drm/amd/display: Add Idle state manager(ISM)",
                            "    - drm/i915/backlight: Remove try_vesa_interface",
                            "    - drm/i915/backlight: Use intel_panel variable instead of intel_connector",
                            "    - drm/i915/backlight: Take luminance_set into account for VESA backlight",
                            "    - drm/i915/backlight: Check luminance_set when disabling PWM via AUX VESA",
                            "      backlight",
                            "    - drm/i915/backlight: Short circuit intel_dp_aux_supports_hdr_backlight",
                            "    - drm/i915/backlight: Update debug log during backlight setup",
                            "    - drm/i915/backlight: Check if VESA backlight is possible",
                            "    - drm/i915/backlight: Provide clear description on how backlight level is",
                            "      controlled",
                            "    - drm/i915/backlight: Fix VESA backlight possible check condition",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636)",
                            "    - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size",
                            "    - ACPI: button: Fix ACPI GPE handler leak during removal",
                            "    - ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time",
                            "    - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit",
                            "    - net/sched: sch_sfb: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "    - bcache: fix uninitialized closure object",
                            "    - nfc: llcp: Fix use-after-free in llcp_sock_release()",
                            "    - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()",
                            "    - xfrm: Check for underflow in xfrm_state_mtu",
                            "    - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems",
                            "    - tools/bootconfig: Fix buf leaks in apply_xbc",
                            "    - HID: remove duplicate hid_warn_ratelimited definition",
                            "    - kunit: fix use-after-free in debugfs when using kunit.filter",
                            "    - accel/rocket: fix UAF via dangling GEM handle in create_bo",
                            "    - netfilter: synproxy: refresh tcphdr after skb_ensure_writable",
                            "    - netfilter: xt_cpu: prefer raw_smp_processor_id",
                            "    - netfilter: ebtables: fix OOB read in compat_mtw_from_user",
                            "    - netfilter: nf_tables: fix dst corruption in same register operation",
                            "    - vsock: keep poll shutdown state consistent",
                            "    - net: netlink: fix sending unassigned nsid after assigned one",
                            "    - net: netlink: don't set nsid on local notifications",
                            "    - net/smc: Do not re-initialize smc hashtables",
                            "    - net/iucv: fix locking in .getsockopt",
                            "    - scsi: core: Run queues for all non-SDEV_DEL devices from",
                            "      scsi_run_host_queues",
                            "    - scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()",
                            "    - ipv4: free net->ipv4.sysctl_local_reserved_ports after",
                            "      unregister_net_sysctl_table()",
                            "    - ALSA: hda: cs35l56: Fix system name string leaks",
                            "    - ALSA: pcm: oss: Fix setup list UAF on proc write error",
                            "    - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors",
                            "    - net/mlx5: HWS: Reject unsupported remove-header action",
                            "    - net: hsr: fix potential OOB access in supervision frame handling",
                            "    - accel/ivpu: prevent uninitialized data bug in debugfs",
                            "    - gpio: mxc: fix irq_high handling",
                            "    - drm/i915/aux: use polling when irqs are unavailable",
                            "    - net: Avoid checksumming unreadable skb tail on trim",
                            "    - ethtool: rss: avoid modifying the RSS context response",
                            "    - ethtool: rss: add missing errno on RSS context delete",
                            "    - ethtool: rss: fix falsely ignoring indir table updates",
                            "    - ethtool: rss: fix indir_table and hkey leak on get_rxfh failure",
                            "    - ethtool: rss: fix hkey leak when indir_size is 0",
                            "    - ethtool: rss: avoid device context leak on reply-build failure",
                            "    - ethtool: module: call ethnl_ops_complete() on module flash errors",
                            "    - ethtool: module: avoid leaking a netdev ref on module flash errors",
                            "    - ethtool: module: avoid racy updates to dev->ethtool bitfield",
                            "    - ethtool: module: check fw_flash_in_progress under rtnl_lock",
                            "    - ethtool: module: fix cleanup if socket used for flashing multiple",
                            "      devices",
                            "    - ethtool: cmis: require exact CDB reply length",
                            "    - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl",
                            "    - ethtool: cmis: validate start_cmd_payload_size from module",
                            "    - ethtool: cmis: validate fw->size against start_cmd_payload_size",
                            "    - cxl/test: Update mock dev array before calling platform_device_add()",
                            "    - blk-mq: reinsert cached request to the list",
                            "    - tunnels: load network headers after skb_cow() in",
                            "      iptunnel_pmtud_build_icmp[v6]()",
                            "    - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()",
                            "    - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()",
                            "    - ksmbd: fix FSCTL permission bypass by adding a permission check for",
                            "      FSCTL_SET_SPARSE",
                            "    - ASoC: codecs: simple-mux: Fix enum control bounds check",
                            "    - drm/xe: Restore IDLEDLY regiter on engine reset",
                            "    - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()",
                            "    - bonding: refuse to enslave CAN devices",
                            "    - bridge: Fix sleep in atomic context in netlink path",
                            "    - bridge: Fix sleep in atomic context in sysfs path",
                            "    - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES",
                            "    - ethtool: tsconfig: fix reply error handling",
                            "    - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup",
                            "      error",
                            "    - ethtool: pse-pd: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsconfig: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsinfo: fix uninitialized stats on the by-PHC path",
                            "    - ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure",
                            "    - ethtool: strset: fix header attribute index in ethnl_req_get_phydev()",
                            "    - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during",
                            "      fallback",
                            "    - ethtool: eeprom: add more safeties to EEPROM Netlink fallback",
                            "    - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()",
                            "    - net/sched: Revert \"net/sched: Restrict conditions for adding duplicating",
                            "      netems to qdisc tree\"",
                            "    - net/sched: fix packet loop on netem when duplicate is on",
                            "    - net: Introduce skb tc depth field to track packet loops",
                            "    - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop",
                            "    - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack",
                            "      overflow",
                            "    - net/sched: act_mirred: Fix return code in early mirred redirect error",
                            "      paths",
                            "    - net: hibmcge: disable Relaxed Ordering to fix RX packet corruption",
                            "    - net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path",
                            "    - net/handshake: Use spin_lock_bh for hn_lock",
                            "    - nvme-tcp: store negative errno in queue->tls_err",
                            "    - net/handshake: Pass negative errno through handshake_complete()",
                            "    - net/handshake: hand off the pinned file reference to accept_doit",
                            "    - net/handshake: Take a long-lived file reference at submit",
                            "    - net/handshake: Drain pending requests at net namespace exit",
                            "    - dpll: zl3073x: detect DPLL channel count from chip ID at runtime",
                            "    - dpll: zl3073x: add die temperature reporting for supported chips",
                            "    - dpll: export __dpll_device_change_ntf() for use under dpll_lock",
                            "    - dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work",
                            "    - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success",
                            "    - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp",
                            "    - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close",
                            "    - Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()",
                            "    - gpio: adnp: fix flow control regression caused by scoped_guard()",
                            "    - gpio: virtuser: Fix uninitialized data bug in",
                            "      gpio_virtuser_direction_do_write()",
                            "    - gpio: rockchip: convert bank->clk to devm_clk_get_enabled()",
                            "    - gpio: rockchip: teardown bugs and resource leaks",
                            "    - net: mana: Add NULL guards in teardown path to prevent panic on attach",
                            "      failure",
                            "    - net: mana: Skip redundant detach on already-detached port",
                            "    - sctp: fix race between sctp_wait_for_connect and peeloff",
                            "    - net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration",
                            "    - vsock/virtio: bind uarg before filling zerocopy skb",
                            "    - ipv6: fix possible infinite loop in rt6_fill_node()",
                            "    - ipv6: fix possible infinite loop in fib6_select_path()",
                            "    - net: skbuff: fix pskb_carve leaking zcopy pages",
                            "    - Revert \"ipv6: preserve insertion order for same-scope addresses\"",
                            "    - Revert \"x86/fpu: Refine and simplify the magic number check during",
                            "      signal return\"",
                            "    - drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register",
                            "    - drm/i915/psr: Read Intel DPCD workaround register",
                            "    - drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used",
                            "    - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer",
                            "    - iio: imu: adis16550: fix stack leak in trigger handler",
                            "    - iio: pressure: bmp280: fix stack leak in bmp580 trigger handler",
                            "    - usb: typec: ucsi: ccg: reject firmware images without a ':' record",
                            "      header",
                            "    - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers",
                            "    - usb: typec: tcpm: bound altmode_desc[] per iteration in",
                            "      svdm_consume_modes()",
                            "    - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload",
                            "      VDO",
                            "    - usb: typec: altmodes/displayport: validate count before reading Status",
                            "      Update VDO",
                            "    - usb: typec: wcove: don't write past struct pd_message in",
                            "      wcove_read_rx_buffer()",
                            "    - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT",
                            "    - usb: typec: ucsi: validate connector number in ucsi_connector_change()",
                            "    - USB: serial: safe_serial: fix memory corruption with small endpoint",
                            "    - media: rc: igorplugusb: fix control request setup packet",
                            "    - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()",
                            "    - USB: serial: cypress_m8: fix memory corruption with small endpoint",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse",
                            "    - Bluetooth: btusb: Allow firmware re-download when version matches",
                            "    - mm/vmalloc: do not trigger BUG() on BH disabled context",
                            "    - hpfs: fix a crash if hpfs_map_dnode_bitmap fails",
                            "    - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()",
                            "    - ipc: limit next_id allocation to the valid ID range",
                            "    - mm: memcontrol: propagate NMI slab stats to memcg vmstats",
                            "    - mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page",
                            "    - memfd: deny writeable mappings when implying SEAL_WRITE",
                            "    - zram: fix use-after-free in zram_writeback_endio",
                            "    - mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one",
                            "    - auxdisplay: line-display: fix OOB read on zero-length message_store()",
                            "    - smb: client: fix uninitialized variable in smb2_writev_callback",
                            "    - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
                            "    - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn",
                            "    - Bluetooth: HIDP: fix missing length checks in hidp_input_report()",
                            "    - Bluetooth: ISO: fix UAF in iso_recv_frame",
                            "    - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock",
                            "    - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()",
                            "    - Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading",
                            "    - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync",
                            "    - Input: xpad - fix out-of-bounds access for Share button",
                            "    - parport: Fix race between port and client registration",
                            "    - rust_binder: Avoid holding lock when dropping delivered_death",
                            "    - rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN",
                            "    - USB: cdc-acm: Fix bit overlap and move quirk definitions to header",
                            "    - KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor",
                            "    - KVM: arm64: PMU: Preserve AArch32 counter low bits",
                            "    - KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC",
                            "    - KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
                            "    - KVM: SEV: Ignore Port I/O requests of length '0'",
                            "    - KVM: SEV: Use the size of the PSC header as the minimum size for PSC",
                            "      requests",
                            "    - KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0",
                            "    - KVM: SEV: Compute the correct max length of the in-GHCB scratch area",
                            "    - KVM: SEV: Check PSC request indices against the actual size of the",
                            "      buffer",
                            "    - KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer",
                            "    - KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()",
                            "    - gpio: shared: undo the vote of the proxy on GPIO free",
                            "    - gpio: shared: fix deadlock on shared proxy's parent removal",
                            "    - gpio: shared: fix lockdep false positive by removing unneeded lock",
                            "    - Disable -Wattribute-alias for clang-23 and newer",
                            "    - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux",
                            "    - iio: adc: npcm: fix unbalanced clk_disable_unprepare()",
                            "    - iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings",
                            "    - iio: dac: max5821: fix return value check in powerdown sync",
                            "    - iio: dac: ad5686: fix ref bit initialization for single-channel parts",
                            "    - iio: dac: ad5686: fix input raw value check",
                            "    - iio: dac: ad5686: acquire lock when doing powerdown control",
                            "    - iio: dac: ad5686: fix powerdown control on dual-channel devices",
                            "    - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp",
                            "    - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw",
                            "    - iio: adc: ad4695: Fix call ordering in offload buffer postenable",
                            "    - iio: adc: nxp-sar-adc: fix division by zero in write_raw",
                            "    - iio: adc: nxp-sar-adc: Avoid division by zero",
                            "    - iio: adc: nxp-sar-adc: zero-initialize dma_slave_config",
                            "    - iio: gyro: itg3200: fix i2c read into the wrong stack location",
                            "    - iio: gyro: adis16260: fix division by zero in write_raw",
                            "    - iio: ssp_sensors: cancel delayed work_refresh on remove",
                            "    - iio: temperature: tsys01: fix broken PROM checksum validation",
                            "    - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL",
                            "    - iio: light: veml6070: Fix resource leak in probe error path",
                            "    - iio: Fix iio_multiply_value use in iio_read_channel_processed_scale",
                            "    - iio: chemical: mhz19b: reject oversized serial replies",
                            "    - iio: chemical: scd30: fix division by zero in write_raw",
                            "    - iio: light: cm3323: fix reg_conf not being initialized correctly",
                            "    - iio: buffer: hw-consumer: fix use-after-free in error path",
                            "    - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()",
                            "    - USB: serial: omninet: fix memory corruption with small endpoint",
                            "    - usb: cdns3: gadget: fix request skipping after clearing halt",
                            "    - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy",
                            "      acquisition failure",
                            "    - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently",
                            "      leaks the runtime PM usage counter across bind/unbind cycles",
                            "    - usb: dwc2: Fix use after free in debug code",
                            "    - Input: elan_i2c - validate firmware size before use",
                            "    - i2c: davinci: fix division by zero on missing clock-frequency",
                            "    - x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines",
                            "    - wireguard: send: append trailer after expanding head",
                            "    - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data",
                            "    - macsec: fix replay protection at XPN lower-PN wrap",
                            "    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()",
                            "    - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params",
                            "    - octeontx2-af: validate body pcifunc in rvu_mbox_handler_rep_event_notify",
                            "    - ipv6: exthdrs: refresh nh after handling HAO option",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().",
                            "    - ipv6: validate extension header length before copying to cmsg",
                            "    - xfrm: input: hold netns during deferred transport reinjection",
                            "    - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_changelink().",
                            "    - net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
                            "    - spi: spi-mem: avoid mutating op template in spi_mem_supports_op()",
                            "    - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()",
                            "    - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings",
                            "    - nfc: hci: fix out-of-bounds read in HCP header parsing",
                            "    - xfrm: route MIGRATE notifications to caller's netns",
                            "    - xfrm: ipcomp: Free destination pages on acomp errors",
                            "    - xfrm: ah: use skb_to_full_sk in async output callbacks",
                            "    - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417",
                            "    - ALSA: firewire-motu: Protect register DSP event queue positions",
                            "    - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without",
                            "      direction check",
                            "    - ASoC: qcom: q6asm-dai: close stream only when running",
                            "    - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger",
                            "      callbacks",
                            "    - xfrm: esp: restore combined single-frag length gate",
                            "    - ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP",
                            "    - xfrm: iptfs: reset runtime state when cloning SAs",
                            "    - dma-buf: fix UAF in dma_buf_fd() tracepoint",
                            "    - Input: xpad - add \"Nova 2 Lite\" from GameSir",
                            "    - Input: xpad - add support for ASUS ROG RAIKIRI II",
                            "    - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops",
                            "    - misc: rp1: Send IACK on IRQ activate to fix kdump/kexec",
                            "    - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem",
                            "    - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490",
                            "    - dt-bindings: usb: Fix EIC7700 USB reset's issue",
                            "    - comedi: comedi_test: fix check for valid scan_begin_src in",
                            "      waveform_ai_cmdtest()",
                            "    - comedi: comedi_test: Fix limiting of convert_arg in",
                            "      waveform_ai_cmdtest()",
                            "    - counter: Fix refcount leak in counter_alloc() error path",
                            "    - tty: serial: pch_uart: add check for dma_alloc_coherent()",
                            "    - tty: serial: samsung: Remove redundant port lock acquisition in rx",
                            "      helpers",
                            "    - uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory",
                            "    - usb: chipidea: core: convert ci_role_switch to local variable",
                            "    - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval",
                            "    - usb: dwc3: xilinx: fix error handling in zynqmp init error paths",
                            "    - usb: musb: omap2430: Fix use-after-free in omap2430_probe()",
                            "    - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub",
                            "      controllers",
                            "    - usb: storage: Add quirks for PNY Elite Portable SSD",
                            "    - usbip: vudc: Fix use after free bug in vudc_remove due to race condition",
                            "    - usb: usbtmc: check URB actual_length for interrupt-IN notifications",
                            "    - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize",
                            "    - usb: typec: tipd: Fix error code in tps6598x_probe()",
                            "    - usb: typec: tcpm: improve handling of DISCOVER_MODES failures",
                            "    - usb: typec: ucsi: Check if power role change actually happened before",
                            "      handling",
                            "    - usb: typec: ucsi: Don't update power_supply on power role change if not",
                            "      connected",
                            "    - USB: serial: option: add MeiG SRM813Q",
                            "    - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL",
                            "    - USB: serial: belkin_sa: validate interrupt status length",
                            "    - USB: serial: cypress_m8: validate interrupt packet headers",
                            "    - USB: serial: digi_acceleport: fix memory corruption with small endpoints",
                            "    - USB: serial: keyspan: fix missing indat transfer sanity check",
                            "    - USB: serial: mxuport: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check",
                            "    - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind",
                            "    - usb: gadget: net2280: Fix double free in probe error path",
                            "    - usb: gadget: f_hid: fix device reference leak in hidg_alloc()",
                            "    - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling",
                            "    - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports",
                            "    - usb: gadget: f_fs: copy only received bytes on short ep0 read",
                            "    - usb: gadget: f_fs: serialize DMABUF cancel against request completion",
                            "    - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()",
                            "    - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow",
                            "    - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()",
                            "    - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker",
                            "    - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32",
                            "    - scsi: target: iscsi: Fix CRC overread and double-free in",
                            "      iscsit_handle_text_cmd()",
                            "    - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf",
                            "    - scsi: target: iscsi: Validate CHAP_R length before base64 decode",
                            "    - drm/hyperv: validate resolution_count and fix WIN8 fallback",
                            "    - drm/hyperv: validate VMBus packet size in receive callback",
                            "    - drm/gem: fix race between change_handle and handle_delete",
                            "    - drm/i915/color: Fix HDR pre-CSC LUT programming loop",
                            "    - drm/i915/psr: Block DC states on vblank enable when Panel Replay",
                            "      supported",
                            "    - drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable",
                            "    - drm/i915: Fix potential UAF in TTM object purge",
                            "    - drm/amd/pm/si: Disregard vblank time when no displays are connected",
                            "    - serial: altera_jtaguart: handle uart_add_one_port() failures",
                            "    - serial: qcom-geni: fix UART_RX_PAR_EN bit position",
                            "    - serial: qcom_geni: fix kfifo underflow when flush precedes DMA",
                            "      completion IRQ",
                            "    - serial: sh-sci: fix memory region release in error path",
                            "    - serial: zs: Fix swapped RI/DSR modem line transition counting",
                            "    - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma",
                            "    - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr",
                            "    - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger",
                            "    - drm/amdkfd: Check for pdd drm file first in CRIU restore path",
                            "    - drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO",
                            "    - drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx",
                            "    - drm/amdgpu: fix amdgpu_hmm_range_get_pages",
                            "    - drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO",
                            "    - serial: dz: Fix bootconsole message clobbering at chip reset",
                            "    - serial: dz: Fix bootconsole handover lockup",
                            "    - serial: dz: Convert to use a platform device",
                            "    - serial: zs: Fix bootconsole handover lockup",
                            "    - serial: zs: Switch to using channel reset",
                            "    - serial: zs: Convert to use a platform device",
                            "    - serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)",
                            "    - serial: 8250: dispatch SysRq character in serial8250_handle_irq()",
                            "    - serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()",
                            "    - platform/x86/intel/vsec: Refactor base_addr handling",
                            "    - platform/x86/intel/vsec: Make driver_data info const",
                            "    - platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery",
                            "    - rxrpc: Fix RESPONSE packet verification to extract skb to a linear",
                            "      buffer",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook",
                            "      X",
                            "    - arm64: tlb: Flush walk cache when unsharing PMD tables",
                            "    - i2c: tegra: make tegra_i2c_mutex_unlock() return void",
                            "    - hwmon: (pmbus) Add support for guarded PMBus lock",
                            "    - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with",
                            "      pmbus_lock",
                            "    - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock",
                            "    - net: phy: micrel: fix LAN8814 QSGMII soft reset",
                            "    - xhci: tegra: Fix ghost USB device on dual-role port unplug",
                            "    - mailbox: Fix NULL message support in mbox_send_message()",
                            "    - usb: core: Fix SuperSpeed root hub wMaxPacketSize",
                            "    - tools: ynl: add scope qualifier for definitions",
                            "    - Linux 7.0.12",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46318",
                            "    - Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46322",
                            "    - tun: free page on build_skb failure in tun_xdp_one()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46320",
                            "    - tap: free page on error paths in tap_get_user_xdp()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46321",
                            "    - tun: free page on short-frame rejection in tun_xdp_one()",
                            "",
                            "  * CVE-2026-46316 // CVE-2026-46317",
                            "    - KVM: arm64: Reassign nested_mmus array behind mmu_lock",
                            "",
                            "  * CVE-2026-46316",
                            "    - KVM: arm64: vgic-its: Drop the translation cache reference only for the",
                            "      erased entry",
                            "    - KVM: arm64: Take the SRCU lock for page table walks in fault injection",
                            "      and AT emulation",
                            "",
                            "  * Resolute update: v7.0.11 upstream stable release (LP: #2156390)",
                            "    - iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs",
                            "    - iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
                            "    - ksmbd: close durable scavenger races against m_fp_list lookups",
                            "    - ata: libata-scsi: improve readability of ata_scsi_qc_issue()",
                            "    - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT",
                            "    - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS",
                            "    - ata: libata-scsi: do not needlessly defer commands when using PMP with",
                            "      FBS",
                            "    - sysfs: don't remove existing directory on update failure",
                            "    - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
                            "    - ksmbd: fix null pointer dereference in compare_guid_key()",
                            "    - ksmbd: fix null pointer dereference in proc_show_files()",
                            "    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow",
                            "    - ksmbd: validate SID in parent security descriptor during ACL inheritance",
                            "    - regulator: tps65219: fix irq_data.rdev not being assigned",
                            "    - x86/mm: Disable broadcast TLB flush when PCID is disabled",
                            "    - scripts/gdb: mm: cast untyped symbols in x86_page_ops",
                            "    - smb: client: require net admin for CIFS SWN netlink",
                            "    - smb: client: protect tc_count increment in",
                            "      smb2_find_smb_sess_tcon_unlocked()",
                            "    - smb: client: use data_len for SMB2 READ encrypted folioq copy",
                            "    - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close",
                            "    - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX",
                            "    - ALSA: ua101: Reject too-short USB descriptors",
                            "    - ALSA: pcm: Don't setup bogus iov_iter for silencing",
                            "    - ALSA: asihpi: Fix potential OOB array access at reading cache",
                            "    - ALSA: scarlett2: Allow flash writes ending at segment boundary",
                            "    - ACPI: battery: Fix system wakeup on critical battery status",
                            "    - efi: Allocate runtime workqueue before ACPI init",
                            "    - spi: amd: Set correct bus number in ACPI probe path",
                            "    - io_uring/waitid: clear waitid info before copying it to userspace",
                            "    - drivers/base/memory: fix memory block reference leak in poison",
                            "      accounting",
                            "    - ipv6: ioam: refresh hdr pointer before ioam6_event()",
                            "    - mm/memory: fix spurious warning when unmapping device-private/exclusive",
                            "      pages",
                            "    - mm: fix __vm_normal_page() to handle missing support for",
                            "      pmd_special()/pud_special()",
                            "    - mm/memory_hotplug: fix memory block reference leak on remove",
                            "    - mm/page_alloc: fix initialization of tags of the huge zero folio with",
                            "      init_on_free",
                            "    - mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page",
                            "    - selftests/mm: run_vmtests.sh: fix destructive tests invocation",
                            "    - mm/damon: fix damos_stat tracepoint format for sz_applied",
                            "    - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
                            "    - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
                            "    - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START",
                            "    - Bluetooth: bnep: Fix UAF read of dev->name",
                            "    - Bluetooth: hci_uart: fix UAFs and race conditions in close and init",
                            "      paths",
                            "    - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer",
                            "    - Bluetooth: hci_qca: Convert timeout from jiffies to ms",
                            "    - Bluetooth: MGMT: validate Add Extended Advertising Data length",
                            "    - Bluetooth: serialize accept_q access",
                            "    - phonet/pep: disable BH around forwarded sk_receive_skb()",
                            "    - net: bcmgenet: keep RBUF EEE/PM disabled",
                            "    - net: devmem: reject dma-buf bind with non-page-aligned size or SG length",
                            "    - net: phy: skip EEE advertisement write when autoneg is disabled",
                            "    - net: hsr: defer node table free until after RCU readers",
                            "    - net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover",
                            "    - net: ifb: report ethtool stats over num_tx_queues",
                            "    - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()",
                            "    - netfilter: ip6t_hbh: reject oversized option lists",
                            "    - netfilter: nf_queue: hold bridge skb->dev while queued",
                            "    - netfilter: ipset: stop hash:* range iteration at end",
                            "    - net: ethtool: fix NULL pointer dereference in phy_reply_size",
                            "    - net: ethtool: phy: avoid NULL deref when PHY driver is unbound",
                            "    - ACPI: driver: Check ACPI_COMPANION() against NULL during probe",
                            "    - sched_ext: Fix missing warning in scx_set_task_state() default case",
                            "    - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path",
                            "    - l2tp: use list_del_rcu in l2tp_session_unhash",
                            "    - qed: fix double free in qed_cxt_tables_alloc()",
                            "    - ring-buffer: Fix reporting of missed events in iterator",
                            "    - ring-buffer: Flush and stop persistent ring buffer on panic",
                            "    - wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb",
                            "    - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()",
                            "    - selftests: mptcp: drop nanoseconds width specifier",
                            "    - mptcp: pm: fix ADD_ADDR timer infinite retry on option space",
                            "      insufficient",
                            "    - vsock/vmci: fix UAF when peer resets connection during handshake",
                            "    - vsock/virtio: reset connection on receiving queue overflow",
                            "    - ice: fix VF queue configuration with low MTU values",
                            "    - wifi: ath11k: clear shared SRNG pointer state on restart",
                            "    - wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
                            "    - wifi: iwlwifi: mld: stop TX during firmware restart",
                            "    - ipv4: raw: reject IP_HDRINCL packets with ihl < 5",
                            "    - ixgbevf: fix use-after-free in VEPA multicast source pruning",
                            "    - rbd: eliminate a race in lock_dwork draining on unmap",
                            "    - mptcp: do not drop partial packets",
                            "    - mptcp: reset rcv wnd on disconnect",
                            "    - lsm: hold cred_guard_mutex for lsm_set_self_attr()",
                            "    - octeontx2-af: CGX: add bounds check to cgx_speed_mbps index",
                            "    - octeontx2-pf: fix double free in rvu_rep_rsrc_init()",
                            "    - igc: fix potential skb leak in igc_fpe_xmit_smd_frame()",
                            "    - ice: fix locking around wait_event_interruptible_locked_irq",
                            "    - ice: fix setting promisc mode while adding VID filter",
                            "    - ice: restore PTP Rx timestamp config after ethtool set-channels",
                            "    - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
                            "    - af_unix: Fix UAF read of tail->len in unix_stream_data_wait()",
                            "    - wifi: mac80211: consume only present negotiated TTLM maps",
                            "    - octeontx2-pf: avoid double free of pool->stack on AQ init failure",
                            "    - cifs: Fix busy dentry used after unmounting",
                            "    - tracing: Do not call map->ops->elt_free() if elt_alloc() fails",
                            "    - ASoC: codecs: pcm512x: fix null-ptr dereference in",
                            "      pcm512x_overclock_xxx_put()",
                            "    - arm64: probes: Handle probes on hinted conditional branch instructions",
                            "    - KVM: arm64: vgic-its: Reject restored DTE with out-of-range",
                            "      num_eventid_bits",
                            "    - KVM: arm64: vgic: Free private_irqs when init fails after allocation",
                            "    - KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum",
                            "      #1235)",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM",
                            "    - virt: sev-guest: Explicitly leak pages in unknown state",
                            "    - i2c: tegra: fix pm_runtime leak on mutex_lock failure",
                            "    - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe",
                            "    - spi: qup: fix error pointer deref after DMA setup failure",
                            "    - phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870",
                            "    - phy: tegra: xusb: Fix per-pad high-speed termination calibration",
                            "    - phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4",
                            "      fix",
                            "    - phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables",
                            "    - phy: qcom: edp: Add eDP/DP mode switch support",
                            "    - phy: qcom: edp: Fix AUX_CFG8 programming for DP mode",
                            "    - scsi: isci: Fix use-after-free in device removal path",
                            "    - spi: ep93xx: fix error pointer deref after DMA setup failure",
                            "    - spi: sprd: fix error pointer deref after DMA setup failure",
                            "    - spi: ti-qspi: fix use-after-free after DMA setup failure",
                            "    - mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()",
                            "    - RDMA/siw: Reject MPA FPDU length underflow before signed receive math",
                            "    - s390/cio: Restore GFP_DMA for CHSC allocation",
                            "    - s390/pai: Disable duplicate read of kernel PAI counter value",
                            "    - s390/pai: Fix missing PAI counter increments under heavy load",
                            "    - fwctl: pds: Validate RPC input size before parsing",
                            "    - LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions",
                            "    - LoongArch: Remove unused code to avoid build warning",
                            "    - cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E",
                            "    - device property: set fwnode->secondary to NULL in fwnode_init()",
                            "    - drm/i915/display: Copy color pipeline from plane in the primary joiner",
                            "      pipe",
                            "    - drm/msm: Fix shrinker deadlock",
                            "    - drm/v3d: Fix use-after-free of CPU job query arrays on error path",
                            "    - drm/v3d: Release indirect CSD GEM reference on CPU job free",
                            "    - drm/virtio: use uninterruptible resv lock for plane updates",
                            "    - drm/xe/multi_queue: Fix secondary queue error case",
                            "    - drm/amdgpu/vpe: Force collaborate sync after TRAP",
                            "    - drm/bridge: it66121: acquire reset GPIO in probe",
                            "    - drm/bridge: megachips: remove bridge when irq request fails",
                            "    - drm/amd/display: Fix integer overflow in bios_get_image()",
                            "    - drm/amd/display: Validate GPIO pin LUT table size before iterating",
                            "    - drm/amd/display: Validate payload length and link_index in",
                            "      dc_process_dmub_aux_transfer_async",
                            "    - batman-adv: v: stop OGMv2 on disabled interface",
                            "    - batman-adv: tvlv: abort OGM send on tvlv append failure",
                            "    - batman-adv: tvlv: reject oversized TVLV packets",
                            "    - batman-adv: iv: recover OGM scheduling after forward packet error",
                            "    - batman-adv: mcast: fix use-after-free in orig_node RCU release",
                            "    - batman-adv: clear current gateway during teardown",
                            "    - batman-adv: dat: handle forward allocation error",
                            "    - batman-adv: fix fragment reassembly length accounting",
                            "    - batman-adv: fix tp_meter counter underflow during shutdown",
                            "    - batman-adv: frag: disallow unicast fragment in fragment",
                            "    - batman-adv: bla: fix report_work leak on backbone_gw purge",
                            "    - batman-adv: bla: avoid double decrement of bla.num_requests",
                            "    - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface",
                            "    - batman-adv: tp_meter: avoid use of uninit sender vars",
                            "    - batman-adv: tp_meter: directly shut down timer on cleanup",
                            "    - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown",
                            "    - batman-adv: tp_meter: fix race condition in send error reporting",
                            "    - batman-adv: tp_meter: avoid role confusion in tp_list",
                            "    - batman-adv: tt: fix TOCTOU race for reported vlans",
                            "    - batman-adv: tt: reject oversized local TVLV buffers",
                            "    - batman-adv: tt: avoid empty VLAN responses",
                            "    - batman-adv: tt: fix negative last_changeset_len",
                            "    - batman-adv: tt: fix negative tt_buff_len",
                            "    - batman-adv: tt: prevent TVLV entry number overflow",
                            "    - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock",
                            "    - hwmon: (pmbus/adm1266) reject implausible blackbox record_count",
                            "    - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer",
                            "    - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized",
                            "      buffer",
                            "    - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR",
                            "    - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in",
                            "      get_multiple",
                            "    - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO",
                            "      accessors",
                            "    - pinctrl: mediatek: moore: implement gpio_chip::get_direction()",
                            "    - pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function",
                            "    - arm64: dts: renesas: r8a78000: Fix SCIF brg_int clocks",
                            "    - ARM: dts: renesas: genmai: Drop superfluous cells",
                            "    - ARM: dts: renesas: rskrza1: Drop superfluous cells",
                            "    - pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high",
                            "      pins during suspend/resume",
                            "    - pinctrl: renesas: rzg2l: Fix SMT register cache handling",
                            "    - pinctrl: meson: amlogic-a4: fix deadlock issue",
                            "    - pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615",
                            "    - kho: skip KHO for crash kernel",
                            "    - mm/memfd_luo: report error when restoring a folio fails mid-loop",
                            "    - HID: intel-thc-hid: Intel-quickspi: Fix some error codes",
                            "    - HID: uclogic: Fix regression of input name assignment",
                            "    - firmware: arm_ffa: Check for NULL FF-A ID table while driver",
                            "      registration",
                            "    - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure",
                            "    - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue",
                            "    - firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0",
                            "    - riscv: errata: Fix bitwise vs logical AND in MIPS errata patching",
                            "    - riscv: Fix register corruption from uninitialized cregs on error",
                            "    - riscv: mm: Fixup no5lvl failure when vaddr is invalid",
                            "    - kunit: config: Enable KUNIT_DEBUGFS by default",
                            "    - kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS",
                            "    - pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150",
                            "    - firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies",
                            "    - firmware: arm_ffa: Keep framework RX release under lock",
                            "    - firmware: arm_ffa: Validate framework notification message layout",
                            "    - firmware: arm_ffa: Align RxTx buffer size before mapping",
                            "    - firmware: arm_ffa: Snapshot notifier callbacks under lock",
                            "    - firmware: arm_ffa: Fix sched-recv callback partition lookup",
                            "    - ARM: integrator: Fix early initialization",
                            "    - ALSA: hda: cs35l56: Put ACPI device after setting companion",
                            "    - ALSA: hda: cs35l41: Put ACPI device on missing physical node",
                            "    - btrfs: tracepoints: fix sleep while in atomic context in",
                            "      btrfs_sync_file()",
                            "    - netfilter: x_tables: allow initial table replace without emitting audit",
                            "      log message",
                            "    - netfilter: x_tables: allocate hook ops while under mutex",
                            "    - netfilter: x_tables: unregister the templates first",
                            "    - netfilter: x_tables: add and use xt_unregister_table_pre_exit",
                            "    - netfilter: x_tables: add and use xtables_unregister_table_exit",
                            "    - netfilter: ebtables: move to two-stage removal scheme",
                            "    - netfilter: ebtables: close dangling table module init race",
                            "    - netfilter: x_tables: close dangling table module init race",
                            "    - netfilter: bridge: eb_tables: close module init race",
                            "    - netfilter: nf_conntrack_expect: restore helper propagation via",
                            "      expectation",
                            "    - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()",
                            "    - test_kprobes: clear kprobes between test runs",
                            "    - tcp: Fix imbalanced icsk_accept_queue count.",
                            "    - net: napi: Avoid gro timer misfiring at end of busypoll",
                            "    - net: shaper: Reject reparenting of existing nodes",
                            "    - idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
                            "    - ice: fix setting RSS VSI hash for E830",
                            "    - ice: fix locking in ice_dcb_rebuild()",
                            "    - ice: dpll: fix rclk pin state get for E810",
                            "    - ice: dpll: fix misplaced header macros",
                            "    - net: lan966x: avoid unregistering netdev on register failure",
                            "    - net: ti: icssm-prueth: fix eth_ports_node leak in probe",
                            "    - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register",
                            "      access",
                            "    - phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init()",
                            "    - NFSD: Fix infinite loop in layout state revocation",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC",
                            "    - fprobe: Fix unregister_fprobe() to wait for RCU grace period",
                            "    - fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap",
                            "    - fs: Fix return in jfs_mkdir and orangefs_mkdir",
                            "    - irqchip/ath79-cpu: Remove unused function",
                            "    - fs: fix forced iversion increment on lazytime timestamp updates",
                            "    - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter",
                            "      validation",
                            "    - nsfs: fix wrong error code returned for pidns ioctls",
                            "    - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT",
                            "    - nvme: fix bio leak on mapping failure",
                            "    - nvme-pci: fix use-after-free in nvme_free_host_mem()",
                            "    - zonefs: handle integer overflow in zonefs_fname_to_fno",
                            "    - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().",
                            "    - ASoC: SOF: amd: Fix error code handling in psp_send_cmd()",
                            "    - powerpc: 82xx: fix uninitialized pointers with free attribute",
                            "    - powerpc: fix dead default for GUEST_STATE_BUFFER_TEST",
                            "    - powerpc/hv-gpci: fix preempt count leak in sysfs show paths",
                            "    - netfs: Fix cancellation of a DIO and single read subrequests",
                            "    - netfs: Fix missing locking around retry adding new subreqs",
                            "    - netfs: Fix missing barriers when accessing stream->subrequests",
                            "      locklessly",
                            "    - netfs: Fix netfs_read_to_pagecache() to pause on subreq failure",
                            "    - netfs: Fix potential for tearing in ->remote_i_size and ->zero_point",
                            "    - netfs: Fix zeropoint update where i_size > remote_i_size",
                            "    - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call",
                            "    - netfs: Fix overrun check in netfs_extract_user_iter()",
                            "    - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes",
                            "      gone",
                            "    - netfs: Defer the emission of trace_netfs_folio()",
                            "    - netfs: Fix streaming write being overwritten",
                            "    - netfs: Fix potential deadlock in write-through mode",
                            "    - netfs: Fix read-gaps to remove netfs_folio from filled folio",
                            "    - netfs: Fix write streaming disablement if fd open O_RDWR",
                            "    - netfs: Fix early put of sink folio in netfs_read_gaps()",
                            "    - netfs: Fix leak of request in netfs_write_begin() error handling",
                            "    - netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()",
                            "    - netfs: Fix partial invalidation of streaming-write folio",
                            "    - netfs: Fix folio->private handling in netfs_perform_write()",
                            "    - netfs: Fix netfs_read_folio() to wait on writeback",
                            "    - netfs, afs: Fix write skipping in dir/link writepages",
                            "    - afs: Fix the locking used by afs_get_link()",
                            "    - net: ethernet: cortina: Make RX SKB per-port",
                            "    - net: ethernet: cortina: Drop half-assembled SKB",
                            "    - net: ethernet: cortina: Carry over frag counter",
                            "    - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference",
                            "    - wifi: ath11k: fix error path leaks in some WMI WOW calls",
                            "    - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()",
                            "    - wifi: ath10k: skip WMI and beacon transmission when device is wedged",
                            "    - net: shaper: flip the polarity of the valid flag",
                            "    - net: shaper: fix trivial ordering issue in net_shaper_commit()",
                            "    - net: shaper: reject duplicate leaves in GROUP request",
                            "    - net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit",
                            "    - net: shaper: fix undersized reply skb allocation in GROUP command",
                            "    - net: shaper: enforce singleton NETDEV scope with id 0",
                            "    - net: shaper: reject QUEUE scope handle with missing id",
                            "    - block: don't overwrite bip_vcnt in bio_integrity_copy_user()",
                            "    - block: recompute nr_integrity_segments in blk_insert_cloned_request",
                            "    - HID: quirks: really enable the intended work around for appledisplay",
                            "    - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()",
                            "    - accel/qaic: Add overflow check to remap_pfn_range during mmap",
                            "    - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint",
                            "    - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics",
                            "    - drm/msm/dpu: fix UV scanlines calculation for YUV UBWC formats",
                            "    - drm/msm/dpu: Fix Kaanapali CWB register configuration",
                            "    - drm/msm/dsi: don't dump registers past the mapped region",
                            "    - drm/msm/dpu: don't mix devm and drmm functions",
                            "    - block: rename struct gendisk zone_wplugs_lock field",
                            "    - block: allow submitting all zone writes from a single context",
                            "    - block: fix handling of dead zone write plugs",
                            "    - selftests: ublk: cap nthreads to kernel's actual nr_hw_queues",
                            "    - x86/mce: Restore MCA polling interval halving",
                            "    - Documentation: intel_pstate: Fix description of asymmetric packing with",
                            "      SMT",
                            "    - drm/msm: Fix GMEM_BASE for A650",
                            "    - drm/msm/a6xx: Add soft fuse detection support",
                            "    - drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()",
                            "    - drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx",
                            "    - drm/msm/a6xx: Restore sysprof_active",
                            "    - drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN",
                            "    - drm/msm/a6xx: Check kzalloc return in a8xx_hfi_send_perf_table",
                            "    - ASoC: intel: sof_sdw: Prepare for configuration without a jack",
                            "    - ASoC: sdw_utils: cs42l43: allow spk component names to be combined",
                            "    - ASoC: sdw_utils: Check speaker component string allocation",
                            "    - riscv: Docs: fix unmatched quote warning",
                            "    - powerpc/time: Remove redundant preempt_disable|enable() calls from",
                            "      arch_irq_work_raise()",
                            "    - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot",
                            "    - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring",
                            "    - net: tls: prevent chain-after-chain in plain text SG",
                            "    - net: phy: DP83TC811: add reading of abilities",
                            "    - ovpn: tcp - use cached peer pointer in ovpn_tcp_close()",
                            "    - ovpn: respect peer refcount in CMD_NEW_PEER error path",
                            "    - ovpn: fix race between deleting interface and adding new peer",
                            "    - cifs: client: stage smb3_reconfigure() updates and restore ctx on",
                            "      failure",
                            "    - phy: apple: atc: Fix typec switch/mux leak on unbind",
                            "    - gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE",
                            "    - x86/xen: Fix xen_e820_swap_entry_with_ram()",
                            "    - vfio/pci: Check BAR resources before exporting a DMABUF",
                            "    - ovpn: disable BHs when updating device stats",
                            "    - tls: Preserve sk_err across recvmsg() when data has been copied",
                            "    - net/mlx5: Do not restore destination-less TC rules",
                            "    - net/mlx5: Skip disabled vports when setting max TX speed",
                            "    - scsi: sd: Fix return code handling in sd_spinup_disk()",
                            "    - ASoC: codecs: fs210x: fix possible buffer overflow",
                            "    - iommupt: Directly call iommupt's unmap_range()",
                            "    - iommupt: Avoid rewalking during map",
                            "    - iommu: Fix loss of errno on map failure for classic ops",
                            "    - iommu: Fix up map/unmap debugging for iommupt domains",
                            "    - iommu: Handle unmap error when iommu_debug is enabled",
                            "    - iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap",
                            "    - iommupt: Fix the end_index calculation in __map_range_leaf()",
                            "    - ALSA: scarlett2: Add missing error check when initialise Autogain Status",
                            "    - ALSA: hda/ca0132: Disable auto-detect on manual output select",
                            "    - cachefiles: Fix error return when vfs_mkdir() fails",
                            "    - io_uring/net: punt IORING_OP_BIND async if it needs file create",
                            "    - vsock/virtio: fix zerocopy completion for multi-skb sends",
                            "    - btrfs: check for subvolume before deleting squota qgroup",
                            "    - btrfs: fix squota accounting during enable generation",
                            "    - ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging",
                            "    - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()",
                            "    - netfilter: nft_inner: release local_lock before re-enabling softirqs",
                            "    - ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5",
                            "    - drm/msm/snapshot: fix dumping of the unaligned regions",
                            "    - hwmon: (lm90) Stop work before releasing hwmon device",
                            "    - hwmon: (lm90) Add lock protection to lm90_alert",
                            "    - wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is",
                            "      disabled",
                            "    - wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it",
                            "    - dma-mapping: move dma_map_resource() sanity check into debug code",
                            "    - drm/gem: Make the GEM LRU lock part of drm_device",
                            "    - drm/xe/gsc: Fix double-free of managed BO in error path",
                            "    - drm/xe/vf: Fix signature of print functions",
                            "    - drm/xe/pf: Fix CFI failure in debugfs access",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019988906",
                            "    - drm/xe: Consolidate workaround entries for Wa_18033852989",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN1",
                            "    - drm/xe/tuning: Apply windower hardware filtering setting on Xe3 and Xe3p",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN4",
                            "    - wifi: ath11k: fix peer resolution on rx path when peer_id=0",
                            "    - wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing",
                            "    - drm/mediatek: mtk_hdmi_ddc_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_cec: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable",
                            "    - io_uring: propagate array_index_nospec opcode into req->opcode",
                            "    - srcu: Don't queue workqueue handlers to never-online CPUs",
                            "    - cgroup/rstat: validate cpu before css_rstat_cpu() access",
                            "    - net/mlx5e: xsk: Fix unlocked writing to ICOSQ",
                            "    - cifs: Fix undefined variables",
                            "    - ice: ptp: serialize E825 PHY timer start with PTP lock",
                            "    - ice: ptp: use primary NAC semaphore on E825",
                            "    - igc: set tx buffer type for SMD frames",
                            "    - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP",
                            "    - phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config",
                            "    - kbuild: pacman-pkg: make \"rc\" releases adhere to pacman versioning",
                            "      scheme",
                            "    - net: dsa: mt7530: fix FDB entries not aging out with short timeout",
                            "    - net: dsa: mt7530: preserve VLAN tags on trapped link-local frames",
                            "    - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer",
                            "    - platform/surface: aggregator_registry: omit battery & AC nodes on",
                            "      Surface Laptop 7",
                            "    - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL",
                            "    - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel_sar: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: uniwill-laptop: Properly initialize charging threshold",
                            "    - platform/x86: uniwill-laptop: Accept charging threshold of 0",
                            "    - platform/x86: uniwill-laptop: Fix behavior of \"force\" module param",
                            "    - platform/x86: asus-armoury: fix mini-LED mode get/set on MODE2 devices",
                            "    - ASoC: soc-utils: Add missing va_end in snd_soc_ret()",
                            "    - drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti (v2)",
                            "    - drm/amdgpu/vce1: Check that the GPU address is < 128 MiB",
                            "    - drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets",
                            "    - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port",
                            "    - RDMA/rtrs: Fix use-after-free in path file creation cleanup",
                            "    - bridge: mcast: Fix a possible use-after-free when removing a bridge port",
                            "    - net: phy: honor eee_disabled_modes in phy_support_eee()",
                            "    - net: phy: honor eee_disabled_modes in phy_advertise_eee_all()",
                            "    - net: airoha: Fix NPU RX DMA descriptor bits",
                            "    - pds_core: fix error handling in pdsc_devcmd_wait",
                            "    - pds_core: fix debugfs_lookup dentry leak and error handling",
                            "    - erofs: fix managed cache race for unaligned extents",
                            "    - erofs: harden h_shared_count in erofs_init_inode_xattrs()",
                            "    - erofs: fix metabuf leak in inode xattr initialization",
                            "    - wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs",
                            "    - wifi: mac80211: fix MLE defragmentation",
                            "    - wifi: mac80211: fix multi-link element inheritance",
                            "    - wifi: wilc1000: fix dma_buffer leak on bus acquire failure",
                            "    - ALSA: seq: Serialize UMP output teardown with event_input",
                            "    - cgroup: rstat: relax NMI guard after switch to try_cmpxchg",
                            "    - tracing: Avoid NULL return from hist_field_name() on truncation",
                            "    - Bluetooth: hci_sync: Fix not setting mask for",
                            "      HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE",
                            "    - Bluetooth: btintel_pcie: Fix incorrect MAC access programming",
                            "    - Bluetooth: btmtk: fix urb->setup_packet leak in error paths",
                            "    - udp: gso: Fix handling checksum in __udp_gso_segment",
                            "    - udp: Fix UDP length on last GSO_PARTIAL segment",
                            "    - net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA",
                            "    - net: shaper: annotate the data races",
                            "    - net: shaper: rework the VALID marking (again)",
                            "    - crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks",
                            "    - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg",
                            "    - net: ag71xx: check error for platform_get_irq",
                            "    - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx",
                            "    - tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction",
                            "    - net: stmmac: eswin: fix HSP CSR init ordering after clock enable",
                            "    - net: stmmac: eswin: clear TXD and RXD delay registers during",
                            "      initialization",
                            "    - net: stmmac: eswin: correct RGMII delay granularity to 20 ps",
                            "    - net: stmmac: eswin: validate RGMII delay values",
                            "    - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed",
                            "    - gpio: aggregator: fix a potential use-after-free",
                            "    - gpio: aggregator: stop using dev-sync-probe",
                            "    - gpio: aggregator: remove the software node when deactivating the",
                            "      aggregator",
                            "    - gpio: aggregator: lock device when calling device_is_bound()",
                            "    - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()",
                            "    - drm/xe/oa: Fix exec_queue leak on width check in stream open",
                            "    - ASoC: cs-amp-lib: Fix wrong sizeof() in",
                            "      _cs_amp_set_efi_calibration_data()",
                            "    - ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup()",
                            "    - selftests: net: Fix checksums in xdp_native",
                            "    - nvme-pci: fix dma_vecs leak on p2p memory",
                            "    - nvme-pci: fix dma mapping leak on data setup error",
                            "    - octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs",
                            "    - net: mana: validate rx_req_idx to prevent out-of-bounds array access",
                            "    - tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR",
                            "    - net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback",
                            "    - pds_core: ensure null-termination for firmware version strings",
                            "    - net: enetc: fix missing error code when pf->vf_state allocation fails",
                            "    - io_uring/nop: pass all errors to userspace",
                            "    - blk-mq: pop cached request if it is usable",
                            "    - ksmbd: fix durable reconnect error path file lifetime",
                            "    - LoongArch: kprobes: Fix handling of fatal unrecoverable recursions",
                            "    - block: avoid use-after-free in disk_free_zone_resources()",
                            "    - Documentation: laptops: Update documentation for uniwill laptops",
                            "    - platform/x86: uniwill-laptop: Do not enable the charging limit even when",
                            "      forced",
                            "    - drm/msm: Restore second parameter name in purge() and evict()",
                            "    - security/keys: fix missed RCU read section on lookup",
                            "    - Linux 7.0.11",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385)",
                            "    - blk-cgroup: wait for blkcg cleanup before initializing new disk",
                            "    - md: suppress spurious superblock update error message for dm-raid",
                            "    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
                            "    - fs/mbcache: cancel shrink work before destroying the cache",
                            "    - md/raid1: fix the comparing region of interval tree",
                            "    - fs: fix archiecture-specific compat_ftruncate64",
                            "    - drbd: Balance RCU calls in drbd_adm_dump_devices()",
                            "    - loop: fix partition scan race between udev and loop_reread_partitions()",
                            "    - block: fix zones_cond memory leak on zone revalidation error paths",
                            "    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()",
                            "    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()",
                            "    - pstore/ram: fix resource leak when ioremap() fails",
                            "    - erofs: include the trailing NUL in FS_IOC_GETFSLABEL",
                            "    - md: fix array_state=clear sysfs deadlock",
                            "    - ublk: reset per-IO canceled flag on each fetch",
                            "    - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()",
                            "    - erofs: handle 48-bit blocks/uniaddr for extra devices",
                            "    - md: remove unused static md_wq workqueue",
                            "    - md: wake raid456 reshape waiters before suspend",
                            "    - dcache: permit dynamic_dname()s up to NAME_MAX",
                            "    - btrfs: fix the inline compressed extent check in inode_need_compress()",
                            "    - btrfs: fix deadlock between reflink and transaction commit when using",
                            "      flushoncommit",
                            "    - btrfs: do not reject a valid running dev-replace",
                            "    - OPP: debugfs: Use performance level if available to distinguish between",
                            "      rates",
                            "    - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()",
                            "    - ACPI: x86: cmos_rtc: Clean up address space handler driver",
                            "    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver",
                            "    - devres: fix missing node debug info in devm_krealloc()",
                            "    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags",
                            "    - debugfs: check for NULL pointer in debugfs_create_str()",
                            "    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()",
                            "    - soundwire: debugfs: initialize firmware_file to empty string",
                            "    - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()",
                            "    - amd-pstate: Update cppc_req_cached in fast_switch case",
                            "    - cpufreq: Pass the policy to cpufreq_driver->adjust_perf()",
                            "    - PCI: use generic driver_override infrastructure",
                            "    - platform/wmi: use generic driver_override infrastructure",
                            "    - vdpa: use generic driver_override infrastructure",
                            "    - s390/cio: use generic driver_override infrastructure",
                            "    - s390/ap: use generic driver_override infrastructure",
                            "    - bus: fsl-mc: use generic driver_override infrastructure",
                            "    - locking/mutex: Rename mutex_init_lockep()",
                            "    - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC",
                            "    - irqchip/irq-pic32-evic: Address warning related to wrong printf()",
                            "      formatter",
                            "    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()",
                            "    - hrtimer: Reduce trace noise in hrtimer_start()",
                            "    - locking: Fix rwlock and spinlock lock context annotations",
                            "    - signal: Fix the lock_task_sighand() annotation",
                            "    - ww-mutex: Fix the ww_acquire_ctx function annotations",
                            "    - perf/amd/ibs: Account interrupt for discarded samples",
                            "    - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR",
                            "    - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler",
                            "    - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE",
                            "    - rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`",
                            "    - sparc64: vdso: Link with -z noexecstack",
                            "    - scripts/gdb: timerlist: Adapt to move of tk_core",
                            "    - locking: Fix rwlock support in <linux/spinlock_up.h>",
                            "    - sched/topology: Compute sd_weight considering cpuset partitions",
                            "    - x86/irqflags: Preemptively move include paravirt.h directive where it",
                            "      belongs",
                            "    - sched/topology: Fix sched_domain_span()",
                            "    - irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()",
                            "    - ASoC: Intel: avs: Check maximum valid CPUID leaf",
                            "    - ASoC: Intel: avs: Include CPUID header at file scope",
                            "    - x86/vdso: Clean up remnants of VDSO32_NOTE_MASK",
                            "    - firmware: dmi: Correct an indexing error in dmi.h",
                            "    - fs/resctrl: Report invalid domain ID when parsing io_alloc_cbm",
                            "    - sched: Make class_schedulers avoid pushing current, and get rid of",
                            "      proxy_tag_curr()",
                            "    - sched/rt: Skip group schedulable check with rt_group_sched=0",
                            "    - wifi: ath11k: fix memory leaks in beacon template setup",
                            "    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()",
                            "    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished",
                            "      irq_prepare_bcn_tasklet",
                            "    - bpf: test_run: Fix the null pointer dereference issue in",
                            "      bpf_lwt_xmit_push_encap",
                            "    - wifi: ath12k: account TX stats only when ACK/BA status is present",
                            "    - wifi: ath12k: Fix legacy rate mapping for monitor mode capture",
                            "    - selftests/bpf: Handle !CONFIG_SMC in bpf_smc.c",
                            "    - wifi: ieee80211: fix definition of EHT-MCS 15 in MRU",
                            "    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH",
                            "    - [Config] Disable CONFIG_FSL_DPAA2_SWITCH on armhf and ppc64el",
                            "    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n",
                            "    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments",
                            "    - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy",
                            "    - powerpc/64s: Fix unmap race with PMD migration entries",
                            "    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n",
                            "    - wifi: libertas: use USB anchors for tracking in-flight URBs",
                            "    - wifi: libertas: don't kill URBs in interrupt context",
                            "    - bpf: Do not allow deleting local storage in NMI",
                            "    - selftests/nolibc: fix test_file_stream() on musl libc",
                            "    - selftests/nolibc: Fix build with host headers and libc",
                            "    - tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to",
                            "      'outbuf[]'",
                            "    - tools/nolibc/printf: Move snprintf length check to callback",
                            "    - tools/nolibc: MIPS: fix clobbers of 'lo' and 'hi' registers on different",
                            "      ISAs",
                            "    - tools/nolibc: avoid -Wundef warning for __STDC_VERSION__",
                            "    - wifi: mt76: mt7996: fix the behavior of radar detection",
                            "    - wifi: mt76: mt7996: fix iface combination for different chipsets",
                            "    - wifi: mt76: mt7996: Set mtxq->wcid just for primary link",
                            "    - wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in",
                            "      mt7996_vif_link_remove()",
                            "    - wifi: mt76: mt7996: Switch to the secondary link if the default one is",
                            "      removed",
                            "    - wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()",
                            "    - wifi: mt76: mt7996: Reset ampdu_state state in case of failure in",
                            "      mt7996_tx_check_aggr()",
                            "    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in",
                            "      mt76_connac2_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control",
                            "    - wifi: mt76: mt7615: fix use_cts_prot support",
                            "    - wifi: mt76: mt7915: fix use_cts_prot support",
                            "    - wifi: mt76: mt7925: prevent NULL pointer dereference in",
                            "      mt7925_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: prevent NULL vif dereference in",
                            "      mt7925_mac_write_txwi",
                            "    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor",
                            "    - wifi: mt76: mt7921: Place upper limit on station AID",
                            "    - wifi: mt76: Fix memory leak destroying device",
                            "    - wifi: mt76: mt7996: Fix NPU stop procedure",
                            "    - wifi: mt76: npu: Add missing rx_token_size initialization",
                            "    - wifi: mt76: mt7925: drop puncturing handling from BSS change path",
                            "    - wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync",
                            "    - wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()",
                            "    - wifi: mt76: mt7925: fix tx power setting failure after chip reset",
                            "    - wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync",
                            "    - wifi: mt76: fix deadlock in remain-on-channel",
                            "    - wifi: mt76: fix backoff fields and max_power calculation",
                            "    - arm64: cpufeature: Make PMUVer and PerfMon unsigned",
                            "    - bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI",
                            "    - wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP",
                            "    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event",
                            "    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()",
                            "    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()",
                            "    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection",
                            "    - wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property",
                            "    - wifi: mt76: mt7996: Remove link pointer dependency in",
                            "      mt7996_mac_sta_remove_links()",
                            "    - wifi: mt76: mt7996: Decrement sta counter removing the link in",
                            "      mt7996_mac_reset_sta_iter()",
                            "    - wifi: mt76: fix multi-radio on-channel scanning",
                            "    - wifi: mt76: support upgrading passive scans to active",
                            "    - wifi: mt76: mt7996: fix RRO EMU configuration",
                            "    - bpf: Fix refcount check in check_struct_ops_btf_id()",
                            "    - selftests/bpf: Fix sockmap_multi_channels reliability",
                            "    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
                            "    - bpf: Fix variable length stack write over spilled pointers",
                            "    - arm_mpam: Ensure in_reset_state is false after applying configuration",
                            "    - arm_mpam: Reset when feature configuration bit unset",
                            "    - bpf,arc_jit: Fix missing newline in pr_err messages",
                            "    - wifi: rtw89: phy: fix uninitialized variable access in",
                            "      rtw89_phy_cfo_set_crystal_cap()",
                            "    - drivers/vfio_pci_core: Change PXD_ORDER check from switch case to",
                            "      if/else block",
                            "    - r8152: fix incorrect register write to USB_UPHY_XTAL",
                            "    - selftests/tracing: Fix to make --logdir option work again",
                            "    - selftests/tracing: Fix to check awk supports non POSIX strtonum()",
                            "    - powerpc/crash: fix backup region offset update to elfcorehdr",
                            "    - powerpc/crash: Update backup region offset in elfcorehdr on memory",
                            "      hotplug",
                            "    - bpf: Fix abuse of kprobe_write_ctx via freplace",
                            "    - macvlan: annotate data-races around port->bc_queue_len_used",
                            "    - bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK",
                            "    - bpf: Fix stale offload->prog pointer after constant blinding",
                            "    - net: ethernet: ti-cpsw:: rename soft_reset() function",
                            "    - net: ethernet: ti-cpsw: fix linking built-in code to modules",
                            "    - wifi: brcmfmac: Fix error pointer dereference",
                            "    - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()",
                            "    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable",
                            "      hooks",
                            "    - bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes",
                            "    - wifi: ath10k: fix station lookup failure during disconnect",
                            "    - bpf: Fix linked reg delta tracking when src_reg == dst_reg",
                            "    - net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT",
                            "    - net: plumb drop reasons to __dev_queue_xmit()",
                            "    - net: qdisc_pkt_len_segs_init() cleanup",
                            "    - net: pull headers in qdisc_pkt_len_segs_init()",
                            "    - arm64: entry: Don't preempt with SError or Debug masked",
                            "    - ACPI: AGDI: fix missing newline in error message",
                            "    - arm64: kexec: Remove duplicate allocation for trans_pgd",
                            "    - bpf: Propagate error from visit_tailcall_insn",
                            "    - bpf: Fix ld_{abs,ind} failure path analysis in subprogs",
                            "    - bpf: Remove static qualifier from local subprog pointer",
                            "    - mptcp: better mptcp-level RTT estimator",
                            "    - bpf: Fix use-after-free in offloaded map/prog info fill",
                            "    - macsec: Support VLAN-filtering lower devices",
                            "    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb",
                            "    - net: bcmgenet: fix leaking free_bds",
                            "    - net: bcmgenet: fix racing timeout handler",
                            "    - net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()",
                            "    - eth: fbnic: Use wake instead of start",
                            "    - netfilter: xt_socket: enable defrag after all other checks",
                            "    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding",
                            "    - bpf: fix mm lifecycle in open-coded task_vma iterator",
                            "    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks",
                            "    - bpf: return VMA snapshot from task_vma iterator",
                            "    - bpf: Fix RCU stall in bpf_fd_array_map_clear()",
                            "    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf",
                            "    - net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available",
                            "    - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars",
                            "    - selftests/bpf: fix __jited_unpriv tag name",
                            "    - net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
                            "    - net/sched: act_ct: Only release RCU read lock after ct_ft",
                            "    - selftests: netfilter: nft_tproxy.sh: adjust to socat changes",
                            "    - net: mana: Use pci_name() for debugfs directory naming",
                            "    - net: mana: Move current_speed debugfs file to mana_init_port()",
                            "    - net: airoha: Add missing RX_CPU_IDX() configuration in",
                            "      airoha_qdma_cleanup_rx_queue()",
                            "    - net_sched: fix skb memory leak in deferred qdisc drops",
                            "    - bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
                            "    - bpf: Allow instructions with arena source and non-arena dest registers",
                            "    - selftests/bpf: Fix reg_bounds to match new tnum-based refinement",
                            "    - net/rds: Optimize rds_ib_laddr_check",
                            "    - net/rds: Restrict use of RDS/IB to the initial network namespace",
                            "    - bpf: Fix OOB in pcpu_init_value",
                            "    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls",
                            "    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG",
                            "    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+",
                            "    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110",
                            "    - net: phy: fix a return path in get_phy_c45_ids()",
                            "    - net/mlx5e: Fix features not applied during netdev registration",
                            "    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()",
                            "    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers",
                            "    - net: fix skb_ext_total_length() BUILD_BUG_ON with",
                            "      CONFIG_GCOV_PROFILE_ALL",
                            "    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb",
                            "    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds",
                            "      MTU",
                            "    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error",
                            "    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
                            "    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp",
                            "    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to",
                            "      sco_pi(sk)->codec",
                            "    - net: phy: qcom: at803x: Use the correct bit to disable extended next",
                            "      page",
                            "    - udp: Force compute_score to always inline",
                            "    - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().",
                            "    - sctp: fix missing encap_port propagation for GSO fragments",
                            "    - sctp: disable BH before calling udp_tunnel_xmit_skb()",
                            "    - selftests/namespaces: remove unused utils.h include from",
                            "      listns_efault_test",
                            "    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master",
                            "    - net: airoha: Fix VIP configuration for AN7583 SoC",
                            "    - net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()",
                            "    - drm/panel: ilitek-ili9882t: Select DRM_DISPLAY_DSC_HELPER",
                            "    - selftests/futex: Fix incorrect result reporting of futex_requeue test",
                            "      item",
                            "    - drm/komeda: fix integer overflow in AFBC framebuffer size check",
                            "    - dma-fence: Fix sparse warnings due __rcu annotations",
                            "    - drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()",
                            "    - drm/virtio: Allow importing prime buffers when 3D is enabled",
                            "    - ASoC: soc-compress: use function to clear symmetric params",
                            "    - PCI/TPH: Allow TPH enable for RCiEPs",
                            "    - PCI: endpoint: pci-epf-vntb: Fix MSI doorbell IRQ unwind",
                            "    - PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested",
                            "    - PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc",
                            "    - drm/sun4i: mixer: Fix layer init code",
                            "    - drm/sun4i: backend: fix error pointer dereference",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019877138",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019386621",
                            "    - drm/xe/xe2_hpg: Drop invalid workaround Wa_15010599737",
                            "    - gpu: nova-core: gsp: use empty slices instead of [0..0] ranges",
                            "    - gpu: nova-core: gsp: fix improper handling of empty slot in cmdq",
                            "    - drm/amdkfd: Removed commented line for MQD queue priority",
                            "    - PCI: imx6: Fix device node reference leak in imx_pcie_probe()",
                            "    - crypto: inside-secure/eip93 - fix register definition",
                            "    - ASoC: sti: Return errors from regmap_field_alloc()",
                            "    - ASoC: sti: use managed regmap_field allocations",
                            "    - dm cache: fix null-deref with concurrent writes in passthrough mode",
                            "    - dm cache: fix write path cache coherency in passthrough mode",
                            "    - dm cache: fix write hang in passthrough mode",
                            "    - dm cache policy smq: fix missing locks in invalidating cache blocks",
                            "    - dm cache: fix concurrent write failure in passthrough mode",
                            "    - dm cache: fix dirty mapping checking in passthrough mode switching",
                            "    - dm-mpath: don't stop probing paths at presuspend",
                            "    - drm/amd/ras: Fix type size of remainder argument",
                            "    - dt-bindings: mmc: dwcmshc-sdhci: Fix resets array validation",
                            "    - drm/amdgpu: GFX12.1 scratch memory limit up to 57-bit",
                            "    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove",
                            "    - gpu: nova-core: use checked arithmetic in FWSEC firmware parsing",
                            "    - gpu: nova-core: create falcon firmware DMA objects lazily",
                            "    - gpu: nova-core: falcon: rename load parameters to reflect DMA dependency",
                            "    - gpu: nova-core: firmware: fix and explain v2 header offsets computations",
                            "    - PCI: dwc: ep: Fix MSI-X Table Size configuration in",
                            "      dw_pcie_ep_set_msix()",
                            "    - PCI: dwc: ep: Mirror the max link width and speed fields to all",
                            "      functions",
                            "    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()",
                            "    - dm cache metadata: fix memory leak on metadata abort retry",
                            "    - dm log: fix out-of-bounds write due to region_count overflow",
                            "    - iopoll: fix function parameter names in read_poll_timeout_atomic()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier",
                            "      in atomic_enable()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to",
                            "      drm_bridge_funcs",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge",
                            "      atomic check",
                            "    - spi: nxp-xspi: Use reinit_completion() for repeated operations",
                            "    - spi: nxp-fspi: Use reinit_completion() for repeated operations",
                            "    - spi: fsl-qspi: Use reinit_completion() for repeated operations",
                            "    - spi: axiado: Remove redundant pm_runtime_mark_last_busy() call",
                            "    - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe",
                            "    - media: synopsys: VIDEO_DW_MIPI_CSI2RX should depend on ARCH_ROCKCHIP",
                            "    - [Config] VIDEO_DW_MIPI_CSI2RX depends on ARCH_ROCKCHIP",
                            "    - drm/amd/pm: Fix xgmi max speed reporting",
                            "    - spi: atcspi200: fix mutex initialization order",
                            "    - selftests/sched_ext: Add missing error check for exit__load()",
                            "    - drm/v3d: Handle error from drm_sched_entity_init()",
                            "    - drm/sun4i: Fix resource leaks",
                            "    - crypto: inside-secure/eip93 - register hash before authenc algorithms",
                            "    - PCI: rzg3s-host: Fix reset handling in probe error path",
                            "    - PCI: rzg3s-host: Reorder reset assertion during suspend",
                            "    - dt-bindings: PCI: renesas,r9a08g045s33-pcie: Fix naming properties",
                            "    - iommu/riscv: Add IOTINVAL after updating DDT/PDT entries",
                            "    - iommu/riscv: Skip IRQ count check when using MSI interrupts",
                            "    - iommu/riscv: Add missing GENERIC_MSI_IRQ",
                            "    - iommu/riscv: Stop polling when CQCSR reports an error",
                            "    - drm/amdkfd: Update queue properties for metadata ring",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()",
                            "    - drm/amdgpu: Add default case in DVI mode validation",
                            "    - regulator: dt-bindings: fp9931: Make vin-supply property as required",
                            "    - regulator: fp9931: Fix handling of mandatory \"vin\" supply",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()",
                            "    - drm/amdgpu: Drop redundant queue NULL check in hang detect worker",
                            "    - drm/amdgpu: Remove dead negative offset check in",
                            "      amdgpu_virt_init_critical_region()",
                            "    - dm init: ensure device probing has finished in dm-mod.waitfor=",
                            "    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build",
                            "      break",
                            "    - crypto: simd - reject compat registrations without __ prefixes",
                            "    - crypto: tegra - Disable softirqs before finalizing request",
                            "    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs",
                            "    - padata: Remove cpu online check from cpu add and removal",
                            "    - padata: Put CPU offline callback in ONLINE section to allow failure",
                            "    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the",
                            "      documentation",
                            "    - accel/amdxdna: fix missing newline in pr_err message",
                            "    - drm/amd/ras: Remove redundant NULL check in pending bad-bank list",
                            "      iteration",
                            "    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority",
                            "    - drm/amdgpu/gfx11: look at the right prop for gfx queue priority",
                            "    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo",
                            "    - PCI: sky1: Fix missing cleanup of ECAM config on probe failure",
                            "    - drm/imagination: Switch reset_reason fields from enum to u32",
                            "    - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()",
                            "    - iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement",
                            "    - drm/msm: add missing MODULE_DEVICE_ID definitions",
                            "    - drm/msm/dpu: fix mismatch between power and frequency",
                            "    - drm/msm/dsi: add the missing parameter description",
                            "    - drm/msm/dpu: don't try using 2 LMs if only one DSC is available",
                            "    - drm/msm/dsi: fix bits_per_pclk",
                            "    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel",
                            "    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0",
                            "    - ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode",
                            "    - tools/sched_ext: scx_pair: fix pair_ctx indexing for CPU pairs",
                            "    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first",
                            "    - drm/panel: simple: Correct G190EAN01 prepare timing",
                            "    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion",
                            "      support",
                            "    - PCI: Prevent shrinking bridge window from its required size",
                            "    - PCI: Fix premature removal from realloc_head list during resource",
                            "      assignment",
                            "    - crypto: hisilicon/sec2 - prevent req used-after-free for sec",
                            "    - PCI: Fix alignment calculation for resource size larger than align",
                            "    - iommu/riscv: Fix signedness bug",
                            "    - ALSA: core: Validate compress device numbers without dynamic minors",
                            "    - drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths",
                            "    - ASoC: amd: acp: update dmic_num logic for acp pdm dmic",
                            "    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled",
                            "    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs",
                            "    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock",
                            "    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0",
                            "    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels",
                            "    - drm/amd/pm/ci: Fill DW8 fields from SMC",
                            "    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board",
                            "    - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled",
                            "    - PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors",
                            "    - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback",
                            "    - ALSA: hda/realtek: fix bad indentation for alc269",
                            "    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace",
                            "      '}')",
                            "    - ASoC: SOF: Intel: hda: Place check before dereference",
                            "    - drm/msm/vma: Avoid lock in VM_BIND fence signaling path",
                            "    - drm/msm/a6xx: Add missing aperture_lock init",
                            "    - drm/msm: Reject fb creation from _NO_SHARE objs",
                            "    - drm/msm: Fix VM_BIND UNMAP locking",
                            "    - drm/msm/a6xx: Fix HLSQ register dumping",
                            "    - drm/msm/shrinker: Fix can_block() logic",
                            "    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks",
                            "    - drm/msm/a6xx: Use barriers while updating HFI Q headers",
                            "    - drm/msm/a8xx: Fix the ticks used in submit traces",
                            "    - drm/msm/a6xx: Switch to preemption safe AO counter",
                            "    - drm/msm/a6xx: Correct OOB usage",
                            "    - drm/msm/adreno: Implement gx_is_on() for A8x",
                            "    - drm/msm/a6xx: Fix gpu init from secure world",
                            "    - ALSA: hda/cmedia: Remove duplicate pin configuration parsing",
                            "    - pmdomain: ti: omap_prm: Fix a reference leak on device node",
                            "    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()",
                            "    - PM: domains: De-constify fields in struct dev_pm_domain_attach_data",
                            "    - drm/msm/dpu: drop INTF_0 on MSM8953",
                            "    - ASoC: fsl_micfil: Add access property for \"VAD Detected\"",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_range_set()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()",
                            "    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()",
                            "    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()",
                            "    - ASoC: fsl_easrc: Change the type for iec958 channel status controls",
                            "    - iommu/amd: Fix clone_alias() to use the original device's devid",
                            "    - iommu/riscv: Remove overflows on the invalidation path",
                            "    - ASoC: qcom: qdsp6: topology: check widget type before accessing data",
                            "    - PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value",
                            "    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off",
                            "    - crypto: qat - disable 420xx AE cluster when lead engine is fused off",
                            "    - crypto: qat - fix compression instance leak",
                            "    - crypto: qat - fix type mismatch in RAS sysfs show functions",
                            "    - crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()",
                            "    - crypto: qat - use swab32 macro",
                            "    - ALSA: hda: Notify IEC958 Default PCM switch state changes",
                            "    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]",
                            "    - PCI: Enable AtomicOps only if Root Port supports them",
                            "    - PCI: imx6: Keep Root Port MSI capability with iMSI-RX to work around",
                            "      hardware bug",
                            "    - PCI: aspeed: Fix IRQ domain leak on platform_get_irq() failure",
                            "    - dt-bindings: PCI: imx6q-pcie: Fix maxItems of clocks and clock-names",
                            "    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found",
                            "    - gpu: nova-core: bitfield: fix broken Default implementation",
                            "    - selftests/mm: skip migration tests if NUMA is unavailable",
                            "    - Documentation: fix a hugetlbfs reservation statement",
                            "    - Docs/admin-guide/mm/damn/lru_sort: fix intervals autotune parameter name",
                            "    - Docs/mm/damon/index: fix typo: autoamted -> automated",
                            "    - zram: do not permit params change after init",
                            "    - selftest: memcg: skip memcg_sock test if address family not supported",
                            "    - gpu: nova-core: remove redundant `.as_ref()` for `dev_*` print",
                            "    - gpu: nova-core: fix missing colon in SEC2 boot debug message",
                            "    - ALSA: scarlett2: Add missing sentinel initializer field",
                            "    - ASoC: qcom: audioreach: explicitly enable speaker protection modules",
                            "    - ASoC: SOF: compress: return the configured codec from get_params",
                            "    - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports",
                            "    - tools/sched_ext: Fix off-by-one in scx_sdt payload zeroing",
                            "    - ASoC: soc-component: re-add pcm_new()/pcm_free()",
                            "    - ASoC: amd: name back to pcm_new()/pcm_free()",
                            "    - ASoC: amd: ps: fix the pcm device numbering for acp pdm dmic",
                            "    - ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream",
                            "    - PCI: tegra194: Fix polling delay for L2 state",
                            "    - PCI: tegra194: Increase LTSSM poll time on surprise link down",
                            "    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link",
                            "      down",
                            "    - PCI: tegra194: Don't force the device into the D0 state before L2",
                            "    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode",
                            "    - PCI: tegra194: Use devm_gpiod_get_optional() to parse \"nvidia,refclk-",
                            "      select\"",
                            "    - PCI: tegra194: Disable direct speed change for Endpoint mode",
                            "    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint",
                            "      mode",
                            "    - PCI: tegra194: Allow system suspend when the Endpoint link is not up",
                            "    - PCI: tegra194: Free up Endpoint resources during remove()",
                            "    - PCI: tegra194: Use DWC IP core version",
                            "    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well",
                            "    - PCI: tegra194: Disable L1.2 capability of Tegra234 EP",
                            "    - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on",
                            "    - drm/fb-helper: Fix a locking bug in an error path",
                            "    - PCI: cadence: Add flags for disabling ASPM capability for broken Root",
                            "      Ports",
                            "    - PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root Ports",
                            "    - ASoC: SDCA: Fix cleanup inversion in class driver",
                            "    - spi: rzv2h-rspi: Fix invalid SPR=0/BRDV=0 clock configuration",
                            "    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()",
                            "      callback",
                            "    - ALSA: sc6000: Keep the programmed board state in card-private data",
                            "    - dm cache: fix missing return in invalidate_committed's error path",
                            "    - sched_ext: Track @p's rq lock across set_cpus_allowed_scx ->",
                            "      ops.set_cpumask",
                            "    - sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking",
                            "    - spi: cadence-qspi: Revert the filtering of certain opcodes in ODTR",
                            "    - crypto: jitterentropy - replace long-held spinlock with mutex",
                            "    - ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP",
                            "    - ALSA: hda/realtek - fixed speaker no sound update",
                            "    - gfs2: Call unlock_new_inode before d_instantiate",
                            "    - fanotify: avoid/silence premature LSM capability checks",
                            "    - fanotify: call fanotify_events_supported() before path_permission() and",
                            "      security_path_notify()",
                            "    - fuse: fix uninit-value in fuse_dentry_revalidate()",
                            "    - ktest: Avoid undef warning when WARNINGS_FILE is unset",
                            "    - ktest: Honor empty per-test option overrides",
                            "    - ktest: Run POST_KTEST hooks on failure and cancellation",
                            "    - vfio: selftests: fix crash in vfio_dma_mapping_mmio_test",
                            "    - rtla/utils: Fix resource leak in set_comm_sched_attr()",
                            "    - tools/rtla: Generate optstring from long options",
                            "    - rtla: Fix segfault on multiple SIGINTs",
                            "    - vfio: selftests: Build tests on aarch64",
                            "    - gfs2: less aggressive low-memory log flushing",
                            "    - quota: Fix race of dquot_scan_active() with quota deactivation",
                            "    - vfio: unhide vdev->debug_root",
                            "    - gfs2: add some missing log locking",
                            "    - gfs2: prevent NULL pointer dereference during unmount",
                            "    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation",
                            "    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
                            "    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon",
                            "    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible",
                            "    - memory: tegra124-emc: Fix dll_change check",
                            "    - memory: tegra30-emc: Fix dll_change check",
                            "    - arm64: dts: imx8-apalis: Fix LEDs name collision",
                            "    - arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD",
                            "    - riscv: dts: spacemit: pcie: fix missing power regulator",
                            "    - arm64: dts: mediatek: mt7988a-bpi-r4pro: fix model string",
                            "    - arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config",
                            "    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO",
                            "      (M.2 W_DISABLE1)",
                            "    - iommufd: vfio compatibility extension check for noiommu mode",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges",
                            "    - arm64: dts: qcom: qcs6490-rubikpi3: Use lt9611 DSI Port B",
                            "    - arm64: dts: qcom: talos: Add missing clock-names to GCC",
                            "    - arm64: dts: ti: k3-am62l: include WKUP_UART0 in wakeup peripheral window",
                            "    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count",
                            "    - iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}",
                            "    - arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices",
                            "    - arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC",
                            "      eval carrier",
                            "    - arm64: dts: imx8mp-hummingboard-pulse/cubox-m: fix vmmc gpio polarity",
                            "    - arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference",
                            "    - ARM: dts: BCM5301X: Drop extra NAND controller compatible",
                            "    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8937-xiaomi-land: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight",
                            "    - firmware: qcom_scm: don't opencode kmemdup",
                            "    - soc: qcom: ubwc: disable bank swizzling for Glymur platform",
                            "    - arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi",
                            "    - Revert \"arm64: dts: rockchip: add SPDIF audio to Beelink A1\"",
                            "    - arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace",
                            "    - arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace",
                            "    - soc: qcom: ocmem: make the core clock optional",
                            "    - soc: qcom: ocmem: register reasons for probe deferrals",
                            "    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available",
                            "    - riscv: dts: spacemit: drop incorrect pinctrl for combo PHY",
                            "    - arm64: dts: rockchip: Fix RK3562 EVB2 model name",
                            "    - arm64: dts: rockchip: Add mphy reset to ufshc node",
                            "    - bus: rifsc: fix RIF configuration check for peripherals",
                            "    - arm64: dts: qcom: arduino-imola: fix faulty spidev node",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: add missing denali-oled.dtb to",
                            "      Makefile\"",
                            "    - arm64: dts: qcom: add missing denali-oled.dtb to Makefile",
                            "    - arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: lemans: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: monaco: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8750: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: kaanapali: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: milos: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8750: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller",
                            "    - arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl",
                            "    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered",
                            "      during boot",
                            "    - arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader",
                            "    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62l3-evm: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins",
                            "    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label",
                            "    - arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS",
                            "      muxing",
                            "    - arm64: dts: imx91: Remove TMU's superfluous sensor ID",
                            "    - arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC",
                            "    - arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3",
                            "    - arm64: dts: imx8mp-evk: Specify ADV7535 register addresses",
                            "    - arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit",
                            "    - arm64: dts: lx2160a: remove duplicate pinmux nodes",
                            "    - arm64: dts: lx2160a: rename pinmux nodes for readability",
                            "    - arm64: dts: lx2160a: add sda gpio references for i2c bus recovery",
                            "    - arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes",
                            "    - arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word",
                            "    - arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual",
                            "    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual",
                            "    - soc/tegra: cbb: Set ERD on resume for err interrupt",
                            "    - soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables",
                            "    - soc/tegra: cbb: Fix cross-fabric target timeout lookup",
                            "    - arm64: tegra: Fix RTC aliases",
                            "    - soc/tegra: pmc: Add kerneldoc for reboot notifier",
                            "    - soc/tegra: pmc: Correct function names in kerneldoc",
                            "    - soc/tegra: pmc: Add kerneldoc for wake-up variables",
                            "    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()",
                            "      failure",
                            "    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()",
                            "    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison",
                            "    - soc: qcom: llcc: fix v1 SB syndrome register offset",
                            "    - soc: qcom: aoss: compare against normalized cooling state",
                            "    - arm64: dts: qcom: milos: Add missing CX power domain to GCC",
                            "    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP",
                            "    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX",
                            "    - arm64/xor: fix conflicting attributes for xor_block_template",
                            "    - lib: kunit_iov_iter: fix memory leaks",
                            "    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended",
                            "    - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP",
                            "    - fwctl: Fix class init ordering to avoid NULL pointer dereference on",
                            "      device removal",
                            "    - ocfs2: fix listxattr handling when the buffer is full",
                            "    - ocfs2: validate bg_bits during freefrag scan",
                            "    - ocfs2: validate group add input before caching",
                            "    - dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis",
                            "    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void",
                            "      function",
                            "    - phy: apple: apple: Use local variable for ioremap return value",
                            "    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()",
                            "    - soundwire: Intel: test bus.bpt_stream before assigning it",
                            "    - dmaengine: mxs-dma: Fix missing return value from",
                            "      of_dma_controller_register()",
                            "    - soundwire: cadence: Clear message complete before signaling waiting",
                            "      thread",
                            "    - tracing: move __printf() attribute on __ftrace_vbprintk()",
                            "    - tracing: Rebuild full_name on each hist_field_name() call",
                            "    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC",
                            "    - [Config] Enable CONFIG_HTE_TEGRA194 on armhf",
                            "    - remoteproc: xlnx: Fix sram property parsing",
                            "    - stop_machine: Fix the documentation for a NULL cpus argument",
                            "    - remoteproc: imx_rproc: Check return value of regmap_attach_dev() in",
                            "      imx_rproc_mmio_detect_mode()",
                            "    - ima: check return value of crypto_shash_final() in boot aggregate",
                            "    - HID: asus: make asus_resume adhere to linux kernel coding standards",
                            "    - HID: asus: do not abort probe when not necessary",
                            "    - workqueue: devres: Add device-managed allocate workqueue",
                            "    - power: supply: max77705: Drop duplicated IRQ error message",
                            "    - power: supply: max77705: Free allocated workqueue and fix removal order",
                            "    - mtd: physmap_of_gemini: Fix disabled pinctrl state check",
                            "    - ima_fs: Correctly create securityfs files for unsupported hash algos",
                            "    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range",
                            "    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read",
                            "      operations",
                            "    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation",
                            "    - mtd: spi-nor: micron-st: add SNOR_CMD_PP_8_8_8_DTR sfdp fixup for",
                            "      mt35xu512aba",
                            "    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask",
                            "    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path",
                            "    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions",
                            "    - cxl/pci: Check memdev driver binding status in cxl_reset_done()",
                            "    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob",
                            "    - mtd: spinand: winbond: Clarify when to enable the HS bit",
                            "    - HID: usbhid: fix deadlock in hid_post_reset()",
                            "    - ext4: fix miss unlock 'sb->s_umount' in extents_kunit_init()",
                            "    - ext4: call deactivate_super() in extents_kunit_exit()",
                            "    - ext4: fix the error handling process in extents_kunit_init).",
                            "    - ext4: fix possible null-ptr-deref in extents_kunit_exit()",
                            "    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()",
                            "    - bpf, arm64: Reject out-of-range B.cond targets",
                            "    - bpf, arm64: Fix off-by-one in check_imm signed range check",
                            "    - bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, sockmap: Fix af_unix iter deadlock",
                            "    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update",
                            "    - bpf, sockmap: Take state lock for af_unix iter",
                            "    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check",
                            "    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs",
                            "    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()",
                            "    - libbpf: Prevent double close and leak of btf objects",
                            "    - bpf: Validate node_id in arena_alloc_pages()",
                            "    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - dt-bindings: pinctrl: marvell,armada3710-xb-pinctrl: add missing items",
                            "      keyword",
                            "    - pinctrl: pinctrl-pic32: Fix resource leak",
                            "    - perf trace: Avoid an ERR_PTR in syscall_stats",
                            "    - pinctrl: microchip-mssio: Fix missing return in probe",
                            "    - perf test type profiling: Remote typedef on struct",
                            "    - pinctrl: cy8c95x0: remove duplicate error message",
                            "    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()",
                            "    - pinctrl: cy8c95x0: Avoid returning positive values to user space",
                            "    - perf branch: Avoid incrementing NULL",
                            "    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE",
                            "      trace",
                            "    - pinctrl: pinconf-generic: Fully validate 'pinmux' property",
                            "    - pinctrl: realtek: Fix function signature for config argument",
                            "    - pinctrl: abx500: Fix type of 'argument' variable",
                            "    - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT}",
                            "      registers",
                            "    - tools build: Correct link flags for libopenssl",
                            "    - perf lock: Fix option value type in parse_max_stack",
                            "    - perf stat: Fix opt->value type for parse_cache_level",
                            "    - memblock: reserve_mem: fix end caclulation in",
                            "      reserve_mem_release_by_name()",
                            "    - perf stat: Fix crash on arm64",
                            "    - perf tools: Fix module symbol resolution for non-zero .text sh_addr",
                            "    - perf test: Fix ratio_to_prev event parsing test",
                            "    - perf test: Skip perf data type profiling tests for s390",
                            "    - perf expr: Return -EINVAL for syntax error in expr__find_ids()",
                            "    - perf metrics: Make common stalled metrics conditional on having the",
                            "      event",
                            "    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure",
                            "    - ipmi: ssif_bmc: fix message desynchronization after truncated response",
                            "    - ipmi: ssif_bmc: change log level to dbg in irq callback",
                            "    - perf cgroup: Update metric leader in evlist__expand_cgroup",
                            "    - pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description",
                            "    - pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description",
                            "    - perf maps: Fix fixup_overlap_and_insert that can break sorted by name",
                            "      order",
                            "    - perf maps: Fix copy_from that can break sorted by name order",
                            "    - perf util: Kill die() prototype, dead for a long time",
                            "    - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback",
                            "    - i3c: master: dw-i3c: Balance PM runtime usage count on probe failure",
                            "    - i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()",
                            "    - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()",
                            "    - i3c: master: adi: Fix error propagation for CCCs",
                            "    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status",
                            "    - fs/ntfs3: prevent uninitialized lcn caused by zero len",
                            "    - backlight: sky81452-backlight: Check return value of",
                            "      devm_gpiod_get_optional() in sky81452_bl_parse_dt()",
                            "    - platform/surface: surfacepro3_button: Drop wakeup source on remove",
                            "    - leds: lgm-sso: Remove duplicate assignments for priv->mmap",
                            "    - usb: typec: Fix error pointer dereference",
                            "    - tty: hvc_iucv: fix off-by-one in number of supported devices",
                            "    - usb: typec: ps883x: Fix Oops at unbind",
                            "    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and",
                            "      cleanup",
                            "    - platform/x86: barco-p50-gpio: normalize return value of gpio_get",
                            "    - fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()",
                            "    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()",
                            "    - nfs/blocklayout: Fix compilation error (`make W=1`) in",
                            "      bl_write_pagelist()",
                            "    - sunrpc: Kill RPC_IFDEBUG()",
                            "    - sunrpc: Fix compilation error (`make W=1`) when dprintk() is no-op",
                            "    - NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg",
                            "    - nfsd: use dynamic allocation for oversized NFSv4.0 replay cache",
                            "    - RDMA/umem: Use consistent DMA attributes when unmapping entries",
                            "    - greybus: raw: fix use-after-free on cdev close",
                            "    - greybus: raw: fix use-after-free if write is called after disconnect",
                            "    - platform/x86: asus-wmi: adjust screenpad power/brightness handling",
                            "    - platform/x86: asus-wmi: fix screenpad brightness range",
                            "    - tty: serial: ip22zilog: Fix section mispatch warning",
                            "    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion",
                            "    - platform/x86: hp-wmi: fix ignored return values in fan settings",
                            "    - platform/x86: hp-wmi: avoid cancel_delayed_work_sync from work handler",
                            "    - platform/x86: hp-wmi: use mod_delayed_work to reset keep-alive timer",
                            "    - platform/x86: hp-wmi: fix u8 underflow in gpu_delta calculation",
                            "    - platform/x86: hp-wmi: add locking for concurrent hwmon access",
                            "    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()",
                            "    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation",
                            "    - RDMA/core: Prefer NLA_NUL_STRING",
                            "    - platform/x86: hp-wmi: fix fan table parsing",
                            "    - dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur",
                            "    - clk: qcom: gcc-glymur: Add video axi clock resets for glymur",
                            "    - clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: renesas: r9a09g057: Fix ordering of module clocks array",
                            "    - clk: renesas: r9a09g056: Fix ordering of module clocks array",
                            "    - clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock",
                            "    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()",
                            "    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX",
                            "    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from",
                            "      byte_div_clk_src dividers",
                            "    - clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-kaanapali: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-milos: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting",
                            "    - clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}",
                            "    - scsi: target: core: Fix integer overflow in UNMAP bounds check",
                            "    - scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item",
                            "    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Use retention for USB power domains",
                            "    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains",
                            "    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk",
                            "    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks",
                            "    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()",
                            "    - clk: imx: imx6q: Fix device node reference leak in",
                            "      of_assigned_ldb_sels()",
                            "    - clk: imx8mq: Correct the CSI PHY sels",
                            "    - um: Fix potential race condition in TLB sync",
                            "    - x86/um: fix vDSO installation",
                            "    - clk: qoriq: avoid format string warning",
                            "    - clk: xgene: Fix mapping leak in xgene_pllclk_init()",
                            "    - clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()",
                            "    - f2fs: avoid reading already updated pages during GC",
                            "    - printk_ringbuffer: Fix get_data() size sanity check",
                            "    - clk: qcom: gdsc: Fix error path on registration of multiple pm",
                            "      subdomains",
                            "    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()",
                            "    - f2fs: fix data loss caused by incorrect use of nat_entry flag",
                            "    - f2fs: fix to preserve previous reserve_{blocks,node} value when remount",
                            "    - scsi: hpsa: Enlarge controller and IRQ name buffers",
                            "    - drm/amd/display: Fix parameter mismatch in panel self-refresh helper",
                            "    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON",
                            "    - clk: visconti: pll: initialize clk_init_data to zero",
                            "    - f2fs: allow empty mount string for Opt_usr|grp|projjquota",
                            "    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()",
                            "    - drm/i915/wm: Verify the correct plane DDB entry",
                            "    - virt: arm-cca-guest: fix error check for RSI_INCOMPLETE",
                            "    - crypto: eip93 - fix hmac setkey algo selection",
                            "    - crypto: sa2ul - Fix AEAD fallback algorithm names",
                            "    - crypto: ccp - copy IV using skcipher ivsize",
                            "    - sh: Include <linux/io.h> in dac.h",
                            "    - erofs: unify lcn as u64 for 32-bit platforms",
                            "    - tools: hv: Fix cross-compilation",
                            "    - Drivers: hv: vmbus: fix hyperv_cpuhp_online variable shadowing",
                            "    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - PCMCIA: Fix garbled log messages for KERN_CONT",
                            "    - reset: amlogic: t7: Fix null reset ops",
                            "    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's",
                            "      phy-names",
                            "    - pwm: stm32: Fix rounding issue for requests with inverted polarity",
                            "    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in",
                            "      tcf_blockcast_redir",
                            "    - macvlan: fix macvlan_get_size() not reserving space for",
                            "      IFLA_MACVLAN_BC_CUTOFF",
                            "    - net/sched: sch_cake: fix NAT destination port not being updated in",
                            "      cake_update_flowkeys",
                            "    - nexthop: fix IPv6 route referencing IPv4 nexthop",
                            "    - net: airoha: Wait for NPU PPE configuration to complete in",
                            "      airoha_ppe_offload_setup()",
                            "    - net/sched: taprio: fix use-after-free in advance_sched() on schedule",
                            "      switch",
                            "    - net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops",
                            "    - net: enetc: correct the command BD ring consumer index",
                            "    - net: enetc: fix NTMP DMA use-after-free issue",
                            "    - ksmbd: fix use-after-free in smb2_open during durable reconnect",
                            "    - tcp: move tp->chrono_type next tp->chrono_stat[]",
                            "    - tcp: inline tcp_chrono_start()",
                            "    - tcp: annotate data-races in tcp_get_info_chrono_stats()",
                            "    - tcp: add data-race annotations around tp->data_segs_out and",
                            "      tp->total_retrans",
                            "    - tcp: add data-races annotations around tp->reordering, tp->snd_cwnd",
                            "    - tcp: annotate data-races around tp->snd_ssthresh",
                            "    - tcp: annotate data-races around tp->delivered and tp->delivered_ce",
                            "    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE",
                            "    - tcp: annotate data-races around tp->bytes_sent",
                            "    - tcp: annotate data-races around tp->bytes_retrans",
                            "    - tcp: annotate data-races around tp->dsack_dups",
                            "    - tcp: annotate data-races around tp->reord_seen",
                            "    - tcp: annotate data-races around tp->srtt_us",
                            "    - tcp: annotate data-races around tp->timeout_rehash",
                            "    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)",
                            "    - tcp: annotate data-races around tp->plb_rehash",
                            "    - ice: fix 'adjust' timer programming for E830 devices",
                            "    - ice: update PCS latency settings for E825 10G/25Gb modes",
                            "    - ice: fix double-free of tx_buf skb",
                            "    - ice: fix PHY config on media change with link-down-on-close",
                            "    - ice: fix ICE_AQ_LINK_SPEED_M for 200G",
                            "    - ice: fix race condition in TX timestamp ring cleanup",
                            "    - ice: fix potential NULL pointer deref in error path of",
                            "      ice_set_ringparam()",
                            "    - i40e: don't advertise IFF_SUPP_NOFCS",
                            "    - iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2",
                            "    - e1000e: Unroll PTP in probe error handling",
                            "    - ipv6: fix possible UAF in icmpv6_rcv()",
                            "    - af_unix: Drop all SCM attributes for SOCKMAP.",
                            "    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks",
                            "    - pppoe: drop PFC frames",
                            "    - net/mlx5: Fix HCA caps leak on notifier init failure",
                            "    - net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()",
                            "    - netfilter: nft_osf: restrict it to ipv4",
                            "    - netfilter: conntrack: remove sprintf usage",
                            "    - netfilter: xtables: restrict several matches to inet family",
                            "    - netfilter: nat: use kfree_rcu to release ops",
                            "    - ipvs: fix MTU check for GSO packets in tunnel mode",
                            "    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching",
                            "    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check",
                            "    - net/sched: sch_dualpi2: drain both C-queue and L-queue in",
                            "      dualpi2_change()",
                            "    - arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0",
                            "    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number",
                            "    - vfio/pci: Clean up DMABUFs before disabling function",
                            "    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic",
                            "    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()",
                            "    - ksmbd: destroy async_ida in ksmbd_conn_free()",
                            "    - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open",
                            "    - ksmbd: scope conn->binding slowpath to bound sessions only",
                            "    - net: validate skb->napi_id in RX tracepoints",
                            "    - bnge: fix initial HWRM sequence",
                            "    - bnge: remove unsupported backing store type",
                            "    - sctp: fix sockets_allocated imbalance after sk_clone()",
                            "    - net/rds: zero per-item info buffer before handing it to visitors",
                            "    - ice: fix timestamp interrupt configuration for E825C",
                            "    - ice: perform PHY soft reset for E825C ports at initialization",
                            "    - ice: fix ready bitmap check for non-E822 devices",
                            "    - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g",
                            "    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()",
                            "    - net/sched: sch_pie: annotate data-races in pie_dump_stats()",
                            "    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()",
                            "    - net/sched: sch_red: annotate data-races in red_dump_stats()",
                            "    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()",
                            "    - net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()",
                            "    - net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()",
                            "    - net: dsa: realtek: rtl8365mb: fix mode mask calculation",
                            "    - net: airoha: Move ndesc initialization at end of",
                            "      airoha_qdma_init_rx_queue()",
                            "    - net: airoha: Rework the code flow in airoha_remove() and in",
                            "      airoha_probe() error path",
                            "    - net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()",
                            "    - net: mana: Init link_change_work before potential error paths in probe",
                            "    - net: mana: Init gf_stats_work before potential error paths in probe",
                            "    - net: mana: Guard mana_remove against double invocation",
                            "    - net: mana: Don't overwrite port probe error with add_adev result",
                            "    - net: mana: Fix EQ leak in mana_remove on NULL port",
                            "    - vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting",
                            "    - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via",
                            "      VQ_PAIRS_SET",
                            "    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls",
                            "    - tcp: send a challenge ACK on SEG.ACK > SND.NXT",
                            "    - tipc: fix double-free in tipc_buf_append()",
                            "    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()",
                            "    - nstree: fix func. parameter kernel-doc warnings",
                            "    - eventpoll: use hlist_is_singular_node() in __ep_remove()",
                            "    - eventpoll: split __ep_remove()",
                            "    - eventpoll: kill __ep_remove()",
                            "    - eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()",
                            "    - eventpoll: move epi_fget() up",
                            "    - fs/adfs: validate nzones in adfs_validate_bblk()",
                            "    - rtc: abx80x: Disable alarm feature if no interrupt attached",
                            "    - kbuild: builddeb - avoid recompiles for non-cross-compiles",
                            "    - tools/power turbostat: Fix AMD RAPL regression on big systems",
                            "    - fbdev: offb: fix PCI device reference leak on probe failure",
                            "    - tools/power turbostat: Fix unrecognized option '-P'",
                            "    - tools/power turbostat: Fix --cpu-set 0 regression on HT systems",
                            "    - tools/power turbostat: Fix --cpu-set 1 regression on HT systems",
                            "    - kbuild: Never respect CONFIG_WERROR / W=e to fixdep",
                            "    - mailbox: mtk-vcp-mailbox: Fix the return value in mtk_vcp_mbox_xlate()",
                            "    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case",
                            "    - mailbox: mailbox-test: free channels on probe error",
                            "    - sched/psi: fix race between file release and pressure write",
                            "    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()",
                            "    - cgroup/cpuset: record DL BW alloc CPU for attach rollback",
                            "    - mailbox: add sanity check for channel array",
                            "    - mailbox: mailbox-test: handle channel errors consistently",
                            "    - mailbox: mailbox-test: don't free the reused channel",
                            "    - mailbox: mailbox-test: initialize struct earlier",
                            "    - mailbox: mailbox-test: make data_ready a per-instance variable",
                            "    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()",
                            "    - btrfs: fix bytes_may_use leak in move_existing_remap()",
                            "    - btrfs: fix bytes_may_use leak in do_remap_reloc_trans()",
                            "    - btrfs: don't clobber errors in add_remap_tree_entries()",
                            "    - btrfs: fix double-decrement of bytes_may_use in",
                            "      submit_one_async_extent()",
                            "    - tracing: branch: Fix inverted check on stat tracer registration",
                            "    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
                            "    - netfilter: nf_tables: use list_del_rcu for netlink hooks",
                            "    - rculist: add list_splice_rcu() for private lists",
                            "    - netfilter: nf_tables: join hook list via splice_list_rcu() in commit",
                            "      phase",
                            "    - netfilter: nf_tables: add hook transactions for device deletions",
                            "    - nvme-pci: fix missed admin queue sq doorbell write",
                            "    - drm/amdgpu: avoid double drm_exec_fini() in userq validate",
                            "    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM",
                            "    - drm/amd/pm: fix missing fine-grained dpm table flag on aldebaran",
                            "    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG",
                            "    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated",
                            "    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)",
                            "    - drm/amdgpu: Only send RMA CPER when threshold is exceeded",
                            "    - netfilter: xt_policy: fix strict mode inbound policy matching",
                            "    - netfilter: nf_conntrack_sip: don't use simple_strtoul",
                            "    - spi: rzv2h-rspi: Fix silent failure in clock setup error path",
                            "    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED",
                            "    - ASoC: SOF: Intel: add an empty adr_link",
                            "    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ",
                            "    - ASoC: tas2764: Mark die temp register as volatile",
                            "    - ASoC: tas2770: Fix order of operations for temperature calculation",
                            "    - drm/sysfb: ofdrm: fix PCI device reference leaks",
                            "    - drm/color-mgmt: Typo s/R332/RGB332/",
                            "    - arm64/scs: Fix potential sign extension issue of advance_loc4",
                            "    - spi: spi-mem: Add a packed command operation",
                            "    - mtd: spinand: Add support for packed read data ODTR commands",
                            "    - mtd: spinand: winbond: Set the packed page read flag to W35N02/04JW",
                            "    - mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW",
                            "    - ACPICA: Provide #defines for EINJV2 error types",
                            "    - ACPI: APEI: EINJ: Fix EINJV2 memory error injection",
                            "    - cdrom, scsi: sr: propagate read-only status to block layer via",
                            "      set_disk_ro()",
                            "    - spi: axiado: replace usleep_range() with udelay() in IRQ path",
                            "    - netdevsim: zero initialize struct iphdr in dummy sk_buff",
                            "    - net/sched: netem: fix probability gaps in 4-state loss model",
                            "    - net/sched: netem: fix queue limit check to include reordered packets",
                            "    - net/sched: netem: only reseed PRNG when seed is explicitly provided",
                            "    - net/sched: netem: validate slot configuration",
                            "    - net/sched: netem: fix slot delay calculation overflow",
                            "    - net/sched: netem: check for negative latency and jitter",
                            "    - net: airoha: fix BQL imbalance in TX path",
                            "    - net: airoha: stop net_device TX queue before updating CPU index",
                            "    - net: airoha: fix typo in function name",
                            "    - net: airoha: Do not wake all netdev TX queues in",
                            "      airoha_qdma_wake_netdev_txqs()",
                            "    - net: airoha: Do not read uninitialized fragment address in",
                            "      airoha_dev_xmit()",
                            "    - net/sched: sch_choke: annotate data-races in choke_dump_stats()",
                            "    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()",
                            "    - vrf: Fix a potential NPD when removing a port from a VRF",
                            "    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()",
                            "    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit",
                            "    - spi: amlogic-spisg: initialize completion before requesting IRQ",
                            "    - NFC: trf7970a: Ignore antenna noise when checking for RF field",
                            "    - net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind",
                            "    - neigh: let neigh_xmit take skb ownership",
                            "    - tcp: make probe0 timer handle expired user timeout",
                            "    - netpoll: fix IPv6 local-address corruption",
                            "    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams",
                            "    - sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue",
                            "    - sched/fair: Clear rel_deadline when initializing forked entities",
                            "    - net: mctp i2c: check length before marking flow active",
                            "    - md/raid1,raid10: don't fail devices for invalid IO errors",
                            "    - md: add fallback to correct bitmap_ops on version mismatch",
                            "    - md: factor bitmap creation away from sysfs handling",
                            "    - md/md-bitmap: split bitmap sysfs groups",
                            "    - md/md-bitmap: add a none backend for bitmap grow",
                            "    - s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()",
                            "    - net: phy: dp83869: fix setting CLK_O_SEL field.",
                            "    - drm/amd/display: properly handle family setting for early GC 11.5.4",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.3.0 ring",
                            "    - drm/amd/pm: Add fine grained flag to SMU v13.0.6",
                            "    - io_uring/napi: cap busy_poll_to 10 msec",
                            "    - ASoC: cs35l56: Fix illegal writes to OTP_MEM registers",
                            "    - net: psp: check for device unregister when creating assoc",
                            "    - net: psp: require admin permission for dev-set and key-rotate",
                            "    - ASoC: codecs: ab8500: Fix casting of private data",
                            "    - netfilter: skip recording stale or retransmitted INIT",
                            "    - sctp: discard stale INIT after handshake completion",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (I)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (II)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (IV)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)",
                            "    - netconsole: return count instead of strnlen(buf, count) from store",
                            "      callbacks",
                            "    - netconsole: avoid clobbering userdatum value on truncated write",
                            "    - netconsole: propagate device name truncation in dev_name_store()",
                            "    - netconsole: restore userdatum value on update_userdata() failure",
                            "    - ALSA: hda/conexant: Fix missing error check for jack detection",
                            "    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()",
                            "    - ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0",
                            "      pages >1",
                            "    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup",
                            "    - drm/amd/display: Allow embedded connectors without DDC",
                            "    - drm/amd/display: Allow DCE link encoder without AUX registers",
                            "    - drm/amd/display: Allow constructing DCE6 link encoder without DDC",
                            "    - drm/amd/display: Allow constructing DCE8 link encoder without DDC",
                            "    - drm/amd/display: Read EDID from VBIOS embedded panel info",
                            "    - drm/amd/display: Use EDID from VBIOS embedded panel info",
                            "    - drm/xe: Use XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET enum instead of magic",
                            "      number",
                            "    - drm/xe: Drop registration of guc_submit_wedged_fini from",
                            "      xe_guc_submit_wedge()",
                            "    - drm/xe/debugfs: Correct printing of register whitelist ranges",
                            "    - drm/xe: Fix potential NULL deref in",
                            "      xe_exec_queue_tlb_inval_last_fence_put_unlocked",
                            "    - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()",
                            "    - drm/xe/eustall: Fix drm_dev_put called before stream disable in close",
                            "    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()",
                            "    - drm/xe/xelp: Fix Wa_18022495364",
                            "    - net: airoha: Do not return err in ndo_stop() callback",
                            "    - bonding: print churn state via netlink",
                            "    - bonding: 3ad: implement proper RCU rules for port->aggregator",
                            "    - page_pool: fix memory-provider leak in page_pool_create_percpu() error",
                            "      path",
                            "    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING",
                            "    - iavf: stop removing VLAN filters from PF on interface down",
                            "    - iavf: wait for PF confirmation before removing VLAN filters",
                            "    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler",
                            "    - ice: fix NULL pointer dereference in ice_reset_all_vfs()",
                            "    - ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw",
                            "    - ice: fix missing SMA pin initialization in DPLL subsystem",
                            "    - ice: fix SMA and U.FL pin state changes affecting paired pin",
                            "    - ice: fix missing dpll notifications for SW pins",
                            "    - dpll: export __dpll_pin_change_ntf() for use under dpll_lock",
                            "    - ice: add dpll peer notification for paired SMA and U.FL pins",
                            "    - net: tls: fix strparser anchor skb leak on offload RX setup failure",
                            "    - sfc: fix error code in efx_devlink_info_running_versions()",
                            "    - net/sched: cls_flower: revert unintended changes",
                            "    - kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition",
                            "    - arm64: Reserve an extra page for early kernel mapping",
                            "    - futex: Drop CLONE_THREAD requirement for private default hash alloc",
                            "    - PCI: Initialize temporary device in new_id_store()",
                            "    - workqueue: fix devm_alloc_workqueue() va_list misuse",
                            "    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()",
                            "    - sched/fair: Fix wakeup_preempt_fair() for not waking up task",
                            "    - crypto: af_alg - Cap AEAD AD length to 0x80000000",
                            "    - i40e: Cleanup PTP pins on probe failure",
                            "    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path",
                            "    - net: ena: PHC: Fix potential use-after-free in get_timestamp",
                            "    - cgroup/cpuset: Reset DL migration state on can_attach() failure",
                            "    - netfilter: nf_conntrack_sip: get helper before allocating expectation",
                            "    - audit: fix incorrect inheritable capability in CAPSET records",
                            "    - net: ena: PHC: Check return code before setting timestamp output",
                            "    - cgroup/dmem: Return -ENOMEM on failed pool preallocation",
                            "    - idpf: fix double free and use-after-free in aux device error paths",
                            "    - cgroup/cpuset: Reserve DL bandwidth only for root-domain moves",
                            "    - Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to",
                            "      warn\"",
                            "    - netfilter: nft_ct: fix missing expect put in obj eval",
                            "    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled",
                            "    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV",
                            "    - cgroup/cpuset: Return only actually allocated CPUs during partition",
                            "      invalidation",
                            "    - KVM: x86: Swap the dst and src operand for MOVNTDQA",
                            "    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()",
                            "    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer",
                            "      arithmetic",
                            "    - KVM: x86: Fix Xen hypercall tracepoint argument assignment",
                            "    - HID: pass the buffer size to hid_report_raw_event",
                            "    - HID: core: introduce hid_safe_input_report()",
                            "    - rseq: Revert to historical performance killing behaviour",
                            "    - rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode",
                            "    - rseq: Reenable performance optimizations conditionally",
                            "    - HID: core: Fix size_t specifier in hid_report_raw_event()",
                            "    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands",
                            "    - media: staging: imx: configure src_mux in csi_start",
                            "    - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events",
                            "    - nvme-apple: Reset q->sq_tail during queue init",
                            "    - smb/client: fix possible infinite loop and oob read in symlink_data()",
                            "    - drm/loongson: Use managed KMS polling",
                            "    - drm: Replace old pointer to new idr",
                            "    - drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup",
                            "    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats",
                            "    - drm/amd/display: Wrap DCN32 phantom-plane allocation in",
                            "      DC_RUN_WITH_PREEMPTION_ENABLED",
                            "    - drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure",
                            "    - platform/x86: intel: Move debugfs register before creating devices",
                            "    - platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers",
                            "    - platform/x86: lenovo-wmi-helpers: Fix memory leak in",
                            "      lwmi_dev_evaluate_int()",
                            "    - platform/x86: lenovo-wmi-other: Balance IDA id allocation and free",
                            "    - platform/x86: lenovo-wmi-other: Balance component bind and unbind",
                            "    - platform/x86: lenovo-wmi-other: Zero initialize WMI arguments",
                            "    - platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members",
                            "    - platform/x86: lenovo-wmi-other: Add Attribute ID helper functions",
                            "    - platform/x86: lenovo-wmi-other: Limit adding attributes to supported",
                            "      devices",
                            "    - accel/rocket: Fix prep_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx",
                            "    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone",
                            "    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans",
                            "    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans",
                            "    - ALSA: usb-audio: qcom: Check offload mapping failures",
                            "    - btrfs: only release the dirty pages io tree after successful writes",
                            "    - ceph: fix a buffer leak in __ceph_setxattr()",
                            "    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size",
                            "    - ceph: put folios not suitable for writeback",
                            "    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
                            "    - iommu/amd: Bounds-check devid in __rlookup_amd_iommu()",
                            "    - x86/kexec: Push kjump return address even for non-kjump kexec",
                            "    - xfs: fix memory leak on error in xfs_alloc_zone_info()",
                            "    - virt: sev-guest: Do not use host-controlled page order in cleanup path",
                            "    - powerpc/warp: Fix error handling in pika_dtm_thread",
                            "    - netfs: fix error handling in netfs_extract_user_iter()",
                            "    - nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled",
                            "    - nfsd: fix file change detection in CB_GETATTR",
                            "    - nfsd: update mtime/ctime on CLONE in presense of delegated attributes",
                            "    - nfsd: update mtime/ctime on COPY in presence of delegated attributes",
                            "    - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining",
                            "    - irqchip/meson-gpio: Use the correct register in",
                            "      meson_s4_gpio_irq_set_type()",
                            "    - irqchip/gic-v5: Move LPI allocation into the LPI domain",
                            "    - irqchip/gic-v5: Support range allocation for LPIs",
                            "    - irqchip/gic-v5: Allocate ITS parent LPIs as a range",
                            "    - libceph: Fix potential out-of-bounds access in osdmap_decode()",
                            "    - libceph: Fix potential null-ptr-deref in decode_choose_args()",
                            "    - libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()",
                            "    - libceph: Fix potential out-of-bounds access in crush_decode()",
                            "    - libceph: handle rbtree insertion error in decode_choose_args()",
                            "    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX",
                            "    - iommu/vt-d: Fix oops due to out of scope access",
                            "    - iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
                            "    - iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()",
                            "    - iommu: Replace per-group resetting_domain with per-gdev blocked flag",
                            "    - iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset",
                            "    - iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix nested pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()",
                            "    - drm/i915: skip __i915_request_skip() for already signaled requests",
                            "    - drm/panfrost: Fix wait_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - drm/xe/dma-buf: handle empty bo and UAF races",
                            "    - drm/xe/dma-buf: fix UAF with retry loop",
                            "    - drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure",
                            "    - drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC",
                            "    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup",
                            "    - drm/gma500/oaktrail_lvds: fix hang on init failure",
                            "    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init",
                            "    - arm_mpam: Fix monitor instance selection when checking for hardware NRDY",
                            "    - arm_mpam: Pretend that NRDY is always hardware managed",
                            "    - arm_mpam: Improve check for whether or not NRDY is hardware managed",
                            "    - arm_mpam: Fix false positive assert failure during mpam_disable()",
                            "    - arm_mpam: Check whether the config array is allocated before destroying",
                            "      it",
                            "    - eventfs: Simplify code using guard()s",
                            "    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list",
                            "    - smb: client: Use FullSessionKey for AES-256 encryption key derivation",
                            "    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: sifive: fix controller deregistration",
                            "    - tracefs: Removed unused 'ret' variable in eventfs_iterate()",
                            "    - workqueue: Annotate alloc_workqueue_va() with __printf(1, 0)",
                            "    - selftests/bpf: Remove test_access_variable_array",
                            "    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()",
                            "    - Linux 7.0.10",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45846",
                            "    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45845",
                            "    - net/sched: taprio: fix NULL pointer dereference in class dump",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45844",
                            "    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-46242",
                            "    - eventpoll: fix ep_remove struct eventpoll / struct file UAF",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45843",
                            "    - slip: bound decode() reads against the compressed packet length",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45842",
                            "    - slip: reject VJ receive packets on instances with no rstate array",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45841",
                            "    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45840",
                            "    - openvswitch: cap upcall PID array size and pre-size vport replies",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45839",
                            "    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45838",
                            "    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006)",
                            "    - Linux 7.0.8",
                            "    - HID: pidff: Fix integer overflow in pidff_rescale",
                            "    - media: uvcvideo: Enable VB2_DMABUF for metadata stream",
                            "    - drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames",
                            "    - media: rzv2h-ivc: Avoid double job scheduling",
                            "    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0",
                            "    - media: rzv2h-ivc: Write AXIRX_PIXFMT once",
                            "    - media: rzv2h-ivc: Fix FM_STOP register write",
                            "    - media: rzv2h-ivc: Fix concurrent buffer list access",
                            "    - media: mali-c55: Initialize the ISP in enable_streams()",
                            "    - media: mali-c55: Fix Iridix bypass macros",
                            "    - media: renesas: vsp1: Fix NULL pointer deref on module unload",
                            "    - media: renesas: vin: Fix RAW8 (again)",
                            "    - media: i2c: ov8856: free control handler on error in",
                            "      ov8856_init_controls()",
                            "    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for",
                            "      RK35{76,88}",
                            "    - media: dt-bindings: rockchip,vdec: Mark reg-names required for",
                            "      RK35{76,88}",
                            "    - media: chips-media: wave5: fix a potential memory leak in",
                            "      wave5_vdi_init()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      send_eos_event()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      handle_dynamic_resolution_change()",
                            "    - arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label",
                            "      position",
                            "    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after",
                            "      system pages",
                            "    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages",
                            "    - spi: bcm63xx: fix controller deregistration",
                            "    - spi: atmel: fix controller deregistration",
                            "    - arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux",
                            "    - regulator: mt6357: fix OF node reference imbalance",
                            "    - spi: st-ssc4: fix controller deregistration",
                            "    - regulator: max77650: fix OF node reference imbalance",
                            "    - media: ti: vpe: Add missing v4l2_device_unregister in vip_remove()",
                            "    - media: rc: streamzap: Error handling in probe",
                            "    - media: i2c: imx283: Enter full standby when stopping streaming",
                            "    - regulator: bq257xx: fix OF node reference imbalance",
                            "    - regulator: rk808: fix OF node reference imbalance",
                            "    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
                            "    - media: mali-c55: Fully reset the ISP configuration",
                            "    - media: intel/ipu6: fix error pointer dereference",
                            "    - media: i2c: imx283: Fix hang when going from large to small resolution",
                            "    - regulator: act8945a: fix OF node reference imbalance",
                            "    - regulator: s2dos05: fix OF node reference imbalance",
                            "    - regulator: bd9571mwv: fix OF node reference imbalance",
                            "    - spi: lantiq-ssc: fix controller deregistration",
                            "    - spi: meson-spicc: fix controller deregistration",
                            "    - spi: qup: fix controller deregistration",
                            "    - arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO",
                            "    - spi: at91-usart: fix controller deregistration",
                            "    - media: ipu-bridge: Add upside-down sensor DMI quirk for Dell XPS 13 9340",
                            "      and XPS 14 9440",
                            "    - spi: amlogic-spisg: fix controller deregistration",
                            "    - spi: aspeed-smc: fix controller deregistration",
                            "    - drm/colorop: Preserve bypass value in duplicate_state()",
                            "    - drm/atomic: Add affected colorops with affected planes",
                            "    - platform/x86: hp-wmi: Ignore backlight and FnLock events",
                            "    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to",
                            "      copy",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for",
                            "      pinctrl/pinctrl_aon",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt",
                            "    - media: pci: zoran: fix potential memory leak in zoran_probe()",
                            "    - media: dib8000: avoid division by 0 in dib8000_set_dds()",
                            "    - media: i2c: imx412: Assert reset GPIO during probe",
                            "    - media: staging: imx: request mbus_config in csi_start",
                            "    - media: i2c: ov08d10: fix image vertical start setting",
                            "    - media: i2c: ov08d10: fix runtime PM handling in probe",
                            "    - media: omap3isp: drop the use count of v4l2 pipeline",
                            "    - media: iris: fix QCOM_MDT_LOADER dependency",
                            "    - media: qcom: camss: Fix csid clock configuration for sa8775p",
                            "    - media: qcom: camss: Fix csid IRQ offset for sa8775p",
                            "    - media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on",
                            "      SC7280",
                            "    - media: venus: fix QCOM_MDT_LOADER dependency",
                            "    - media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()",
                            "    - media: iris: switch to hardware mode after firmware boot",
                            "    - media: qcom: camss: Add missing clocks for VFE lite on sa8775p",
                            "    - spi: mxs: fix controller deregistration",
                            "    - spi: mt65xx: fix controller deregistration",
                            "    - spi: dln2: fix controller deregistration",
                            "    - spi: s3c64xx: fix controller deregistration",
                            "    - spi: fsl-espi: fix controller deregistration",
                            "    - spi: omap2-mcspi: fix controller deregistration",
                            "    - spi: pic32: fix controller deregistration",
                            "    - spi: ep93xx: fix controller deregistration",
                            "    - spi: mtk-nor: fix controller deregistration",
                            "    - spi: pl022: fix controller deregistration",
                            "    - spi: sh-hspi: fix controller deregistration",
                            "    - spi: bcmbca-hsspi: fix controller deregistration",
                            "    - spi: coldfire-qspi: fix controller deregistration",
                            "    - spi: npcm-pspi: fix controller deregistration",
                            "    - spi: cavium-thunderx: fix controller deregistration",
                            "    - spi: pic32-sqi: fix controller deregistration",
                            "    - spi: sprd: fix controller deregistration",
                            "    - spi: sh-msiof: fix controller deregistration",
                            "    - spi: slave-mt27xx: fix controller deregistration",
                            "    - spi: img-spfi: fix controller deregistration",
                            "    - spi: mpfs: fix controller deregistration",
                            "    - spi: octeon: fix controller deregistration",
                            "    - spi: imx: fix runtime pm leak on probe deferral",
                            "    - spi: mxic: fix controller deregistration",
                            "    - spi: orion: fix controller deregistration",
                            "    - spi: orion: fix runtime pm leak on unbind",
                            "    - spi: orion: fix clock imbalance on registration failure",
                            "    - spi: cadence: fix controller deregistration",
                            "    - spi: cadence-quadspi: fix controller deregistration",
                            "    - spi: cadence: fix unclocked access on unbind",
                            "    - spi: cadence: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm disable imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm and clock imbalance on unbind",
                            "    - drm/colorop: Fix blob property reference tracking in state lifecycle",
                            "    - drm/imx: parallel-display: Prefer bus format set via legacy \"interface-",
                            "      pix-fmt\" DT property",
                            "    - drm/msm: always recover the gpu",
                            "    - drm/v3d: Reject empty multisync extension to prevent infinite loop",
                            "    - drm/i915/psr: Init variable to avoid early exit from et alignment loop",
                            "    - drm/amd/display: fix math_mod() using arg1 instead of arg2",
                            "    - drm/amd: Add missing firmware declaration for PSP v15.0.0",
                            "    - drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0",
                            "      .",
                            "    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.",
                            "    - drm/amdgpu: gate VM CPU HDP flush on reset lock",
                            "    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x",
                            "    - drm/amdkfd: Add upper bound check for num_of_nodes",
                            "    - drm/amdgpu/vce: Prevent partial address patches",
                            "    - drm/amd/display: Change dither policy for 10 bpc output back to",
                            "      dithering",
                            "    - drm/appletbdrm: Use kvzalloc for big allocations",
                            "    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11 and",
                            "      higher.",
                            "    - drm/udl: Increase GET_URB_TIMEOUT",
                            "    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()",
                            "    - drm/xe/bo: Fix bo leak on unaligned size validation in",
                            "      xe_bo_init_locked()",
                            "    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
                            "    - drm/radeon: add missing revision check for CI",
                            "    - drm/amdgpu: zero-initialize GART table on allocation",
                            "    - drm/exynos: remove bridge when component_add fails",
                            "    - drm/amdgpu/userq: fix access to stale wptr mapping",
                            "    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ",
                            "    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer",
                            "    - drm/sti: remove bridge when sti_hda component_add fails",
                            "    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdkfd: Make all TLB-flushes heavy-weight",
                            "    - drm/amdgpu/pm: add missing revision check for CI",
                            "    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon",
                            "    - arm64: dts: qcom: kodiak: Fix PCIe1 PHY ref clock voting",
                            "    - arm64: dts: qcom: lemans: Correct QUP interrupt numbers",
                            "    - arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22",
                            "    - arm64: dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO",
                            "    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure",
                            "    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation",
                            "    - usb: typec: tcpm: reset internal port states on soft reset AMS",
                            "    - io_uring/zcrx: use guards for locking",
                            "    - io_uring/zcrx: warn on freelist violations",
                            "    - kho: fix error handling in kho_add_subtree()",
                            "    - EDAC/versalnet: Refactor memory controller initialization and cleanup",
                            "    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: uniphier: fix controller deregistration",
                            "    - cgroup: Increment nr_dying_subsys_* from rmdir context",
                            "    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()",
                            "    - perf build: fix \"argument list too long\" in second location",
                            "    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from mmap()",
                            "    - vsock/virtio: fix length and offset in tap skb for split packets",
                            "    - drm/amdgpu/vcn3: Avoid overflow on msg bound check",
                            "    - drm/amdgpu/vcn4: Avoid overflow on msg bound check",
                            "    - Linux 7.0.9",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46214",
                            "    - vsock/virtio: fix accept queue count leak on transport mismatch",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46207",
                            "    - vsock/virtio: fix empty payload in tap skb for non-linear buffers",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46234",
                            "    - vsock: fix buffer size clamping order",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46223",
                            "    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46221",
                            "    - EDAC/versalnet: Fix device name memory leak",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46231",
                            "    - batman-adv: bla: put backbone reference on failed claim hash insert",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46233",
                            "    - batman-adv: bla: only purge non-released claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46212",
                            "    - batman-adv: bla: prevent use-after-free when deleting claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46238",
                            "    - batman-adv: stop caching unowned originator pointers in BAT IV",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46208",
                            "    - batman-adv: stop tp_meter sessions during mesh teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46206",
                            "    - batman-adv: reject new tp_meter sessions during teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46198",
                            "    - batman-adv: fix integer overflow on buff_pos",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46227",
                            "    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in",
                            "      SCTP_SENDALL",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46220",
                            "    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46215",
                            "    - drm: Set old handle to NULL before prime swap in change_handle",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46201",
                            "    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46224",
                            "    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46197",
                            "    - drm/amdkfd: validate SVM ioctl nattr against buffer size",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46209",
                            "    - drm/gem: Fix inconsistent plane dimension calculation in",
                            "      drm_gem_fb_init_with_funcs()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46230",
                            "    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46199",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46204",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46218",
                            "    - drm/amdgpu: Add bounds checking to ib_{get,set}_value",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46229",
                            "    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46211",
                            "    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46203",
                            "    - spi: cadence-quadspi: fix unclocked access on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46219",
                            "    - spi: mpc52xx: fix use-after-free on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46200",
                            "    - spi: mpc52xx: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46241",
                            "    - spi: mpc52xx: fix use-after-free on registration failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46225",
                            "    - spi: rspi: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46226",
                            "    - spi: fsl: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46228",
                            "    - spi: ch341: fix devres lifetime",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46216",
                            "    - drm/xe/hdcp: Add NULL check for media_gt in",
                            "      intel_hdcp_gsc_check_status()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46210",
                            "    - media: iris: fix use-after-free of fmt_src during MBPF check",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46240",
                            "    - media: iris: Fix use-after-free in iris_release_internal_buffers()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46235",
                            "    - media: saa7164: add ioremap return checks and cleanups",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46222",
                            "    - media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46239",
                            "    - media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46236",
                            "    - media: rc: xbox_remote: heed DMA restrictions",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46205",
                            "    - staging: media: atomisp: Disallow all private IOCTLs",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46202",
                            "    - HID: appletb-kbd: run inactivity autodim from workqueues",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46213",
                            "    - HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46232",
                            "    - HID: playstation: Clamp num_touch_reports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988)",
                            "    - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states",
                            "    - ACPI: scan: Use acpi_dev_put() in object add error paths",
                            "    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO",
                            "    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug",
                            "    - ACPI: video: force native backlight on HP OMEN 16 (8A44)",
                            "    - iommufd: Fix a race with concurrent allocation and unmap",
                            "    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command",
                            "    - spi: rockchip: fix controller deregistration",
                            "    - ksmbd: rewrite stop_sessions() with restartable iteration",
                            "    - flow_dissector: do not dissect PPPoE PFC frames",
                            "    - smb: client/smbdirect: fix MR registration for coalesced SG lists",
                            "    - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr",
                            "    - wifi: mt76: mt7925: fix incorrect length field in txpower command",
                            "    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work",
                            "    - wifi: ath5k: do not access array OOB",
                            "    - ALSA: usb-audio: midi2: Restart output URBs on resume",
                            "    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check",
                            "    - usb: dwc3: Move GUID programming after PHY initialization",
                            "    - USB: omap_udc: DMA: Don't enable burst 4 mode",
                            "    - USB: serial: option: add Telit Cinterion LE910Cx compositions",
                            "    - usb: typec: tcpm: fix debug accessory mode detection for sink ports",
                            "    - ALSA: hda: cs35l56: Propagate ASP TX source control errors",
                            "    - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi",
                            "      Laptop Pro 15",
                            "    - ALSA: firewire-tascam: Do not drop unread control events",
                            "    - ALSA: core: Serialize deferred fasync state checks",
                            "    - ALSA: seq: Fix UMP group 16 filtering",
                            "    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o",
                            "    - x86/efi: Restore IRQ state in EFI page fault handler",
                            "    - xfrm: provide message size for XFRM_MSG_MAPPING",
                            "    - selinux: fix avdcache auditing",
                            "    - selinux: don't reserve xattr slot when we won't fill it",
                            "    - selinux: shrink critical section in sel_write_load()",
                            "    - selinux: prune /sys/fs/selinux/checkreqprot",
                            "    - selinux: prune /sys/fs/selinux/disable",
                            "    - selinux: prune /sys/fs/selinux/user",
                            "    - selinux: allow multiple opens of /sys/fs/selinux/policy",
                            "    - io_uring/kbuf: support min length left for incremental buffers",
                            "    - io_uring/tw: serialize ctx->retry_llist with ->uring_lock",
                            "    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()",
                            "    - rust: drm: gem: clean up GEM state in init failure case",
                            "    - rust: allow `clippy::collapsible_match` globally",
                            "    - rust: allow `clippy::collapsible_if` globally",
                            "    - rust: pin-init: internal: move alignment check to `make_field_check`",
                            "    - spi: syncuacer: fix controller deregistration",
                            "    - spi: sun4i: fix controller deregistration",
                            "    - spi: zynq-qspi: fix controller deregistration",
                            "    - spi: ti-qspi: fix controller deregistration",
                            "    - spi: sun6i: fix controller deregistration",
                            "    - spi: tegra114: fix controller deregistration",
                            "    - spi: zynqmp-gqspi: fix controller deregistration",
                            "    - spi: tegra20-sflash: fix controller deregistration",
                            "    - spi: s3c64xx: fix NULL-deref on driver unbind",
                            "    - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in",
                            "      rtw_cbuf_alloc",
                            "    - staging: vme_user: fix root device leak on init failure",
                            "    - KVM: arm64: Fix kvm_vcpu_initialized() macro parameter",
                            "    - arm64: signal: Preserve POR_EL0 if poe_context is missing",
                            "    - mm/hugetlb_cma: round up per_node before logging it",
                            "    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT",
                            "    - LoongArch: KVM: Compile switch.S directly into the kernel",
                            "    - mptcp: pm: ADD_ADDR rtx: skip inactive subflows",
                            "    - perf/x86/intel: Improve validation and configuration of ACR masks",
                            "    - selftests/rseq: Don't run tests with runner scripts outside of the",
                            "      scripts",
                            "    - rseq: Set rseq::cpu_id_start to 0 on unregistration",
                            "    - rseq: Protect rseq_reset() against interrupts",
                            "    - rseq: Don't advertise time slice extensions if disabled",
                            "    - selftests/rseq: Make registration flexible for legacy and optimized mode",
                            "    - selftests/rseq: Skip tests if time slice extensions are not available",
                            "    - selftests/rseq: Validate legacy behavior",
                            "    - selftests/rseq: Expand for optimized RSEQ ABI v2",
                            "    - pseries/papr-hvpipe: Fix race with interrupt handler",
                            "    - pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()",
                            "    - pseries/papr-hvpipe: Fix the usage of copy_to_user()",
                            "    - net: libwx: use request_irq for VF misc interrupt",
                            "    - netpoll: pass buffer size to egress_dev() to avoid MAC truncation",
                            "    - ovl: fix verity lazy-load guard broken by fsverity_active() semantic",
                            "      change",
                            "    - parisc: Fix IRQ leak in LASI driver",
                            "    - x86/efi: Fix graceful fault handling after FPU softirq changes",
                            "    - hwmon: (ltc2992) Clamp threshold writes to hardware range",
                            "    - hwmon: (ltc2992) Fix u32 overflow in power read path",
                            "    - clk: rk808: fix OF node reference imbalance",
                            "    - hwmon: (corsair-psu) Close HID device on probe errors",
                            "    - af_unix: Reject SIOCATMARK on non-stream sockets",
                            "    - arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's",
                            "    - pmdomain: mediatek: fix use-after-free in",
                            "      scpsys_get_bus_protection_legacy()",
                            "    - block: fix zone write plug removal",
                            "    - block: only read from sqe on initial invocation of blkdev_uring_cmd()",
                            "    - cifs: abort open_cached_dir if we don't request leases",
                            "    - cifs: change_conf needs to be called for session setup",
                            "    - extcon: ptn5150: handle pending IRQ events during system resume",
                            "    - gpio: of: clear OF_POPULATED on hog nodes in remove path",
                            "    - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS",
                            "    - hv_sock: fix ARM64 support",
                            "    - hv_sock: Report EOF instead of -EIO for FIN",
                            "    - hv_sock: Return -EIO for malformed/short packets",
                            "    - spi: microchip-core-qspi: fix controller deregistration",
                            "    - spi: microchip-core-spi: fix controller deregistration",
                            "    - tracefs: Fix default permissions not being applied on initial mount",
                            "    - udf: reject descriptors with oversized CRC length",
                            "    - x86/boot/e820: Re-enable BIOS fallback if e820 table is empty",
                            "    - thermal: core: Free thermal zone ID later during removal",
                            "    - thermal/drivers/sprd: Fix temperature clamping in",
                            "      sprd_thm_temp_to_rawdata",
                            "    - thermal/drivers/sprd: Fix raw temperature clamping in",
                            "      sprd_thm_rawdata_to_temp",
                            "    - spi: topcliff-pch: fix controller deregistration",
                            "    - spi: topcliff-pch: fix use-after-free on unbind",
                            "    - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section",
                            "    - tracing/fprobe: Remove fprobe from hash in failure path",
                            "    - tracing/fprobe: Unregister fprobe even if memory allocation fails",
                            "    - tracing/probes: Limit size of event probe to 3K",
                            "    - tracing/fprobe: Check the same type fprobe on table as the unregistered",
                            "      one",
                            "    - clk: imx: imx8-acm: fix flags for acm clocks",
                            "    - clk: microchip: mpfs-ccc: fix out of bounds access during output",
                            "      registration",
                            "    - cpuidle: powerpc: avoid double clear when breaking snooze",
                            "    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk",
                            "      table",
                            "    - ASoC: ES8389: convert to devm_clk_get_optional() to get clock",
                            "    - ASoC: fsl_easrc: fix comment typo",
                            "    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error",
                            "    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop",
                            "    - ASoC: qcom: q6apm: remove child devices when apm is removed",
                            "    - btrfs: do not mark inode incompressible after inline attempt fails",
                            "    - dm: don't report warning when doing deferred remove",
                            "    - dm: fix a buffer overflow in ioctl processing",
                            "    - dm-verity-fec: correctly reject too-small FEC devices",
                            "    - dm-verity-fec: correctly reject too-small hash devices",
                            "    - dm-verity-fec: fix corrected block count stat",
                            "    - dm-verity-fec: fix the size of dm_verity_fec_io::erasures",
                            "    - isofs: validate Rock Ridge CE continuation extent against volume size",
                            "    - iommufd: Fix return value of iommufd_fault_fops_write()",
                            "    - iommu/vt-d: Block PASID attachment to nested domain with dirty tracking",
                            "    - iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update",
                            "    - lib/crc: tests: Make crc_kunit test only the enabled CRC variants",
                            "    - lib/scatterlist: fix temp buffer in extract_user_to_sg()",
                            "    - nvme-apple: drop invalid put of admin queue reference count",
                            "    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
                            "    - pmdomain: core: Fix detach procedure for virtual devices in genpd",
                            "    - psp: strip variable-length PSP header in psp_dev_rcv()",
                            "    - s390/debug: Reject zero-length input in debug_input_flush_fn()",
                            "    - s390/debug: Reject zero-length input before trimming a newline",
                            "    - KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty",
                            "    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/stat: detect and use fresh enabled value",
                            "    - PCI: Update saved_config_space upon resource assignment",
                            "    - PCI/AER: Clear only error bits in PCIe Device Status",
                            "    - PCI/AER: Stop ruling out unbound devices as error source",
                            "    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage",
                            "    - power: supply: max17042: avoid overflow when determining health",
                            "    - perf/x86/intel: Always reprogram ACR events to prevent stale masks",
                            "    - perf/x86/intel: Disable PMI for self-reloaded ACR events",
                            "    - perf/x86/intel: Enable auto counter reload for DMR",
                            "    - RDMA/ionic: bound node_desc sysfs read with %.64s",
                            "    - RDMA/ionic: Fix typo in format string",
                            "    - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()",
                            "    - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()",
                            "    - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask",
                            "    - sched_ext: Use dsq->first_task instead of list_empty() in",
                            "      dispatch_enqueue() FIFO-tail",
                            "    - selftests: mptcp: check output: catch cmd errors",
                            "    - selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl",
                            "    - mptcp: fastclose msk when linger time is 0",
                            "    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure",
                            "    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure",
                            "    - mptcp: sockopt: set timestamp flags on subflow socket, not msk",
                            "    - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf",
                            "    - mptcp: fix rx timestamp corruption on fastopen",
                            "    - mptcp: pm: prio: skip closed subflows",
                            "    - mptcp: pm: kernel: reset fullmesh counter after flush",
                            "    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker",
                            "    - mptcp: pm: ADD_ADDR rtx: return early if no retrans",
                            "    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()",
                            "    - f2fs: fix false alarm of lockdep on cp_global_sem lock",
                            "    - f2fs: fix fiemap boundary handling when read extent cache is incomplete",
                            "    - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage",
                            "    - f2fs: fix incorrect file address mapping when inline inode is unwritten",
                            "    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()",
                            "    - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()",
                            "    - f2fs: refactor f2fs_move_node_folio function",
                            "    - f2fs: fix inline data not being written to disk in writeback path",
                            "    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace",
                            "    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value",
                            "    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()",
                            "    - KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer",
                            "    - KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer",
                            "    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS",
                            "    - LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry",
                            "    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by",
                            "      software",
                            "    - LoongArch: KVM: Move unconditional delay into timer clear scenery",
                            "    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()",
                            "    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup",
                            "    - mmc: core: Adjust MDT beyond 2025",
                            "    - mmc: core: Add quirk for incorrect manufacturing date",
                            "    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs",
                            "    - crypto: qat - fix indentation of macros in qat_hal.c",
                            "    - crypto: qat - fix firmware loading failure for GEN6 devices",
                            "    - hfsplus: fix held lock freed on hfsplus_fill_super()",
                            "    - 8021q: use RCU for egress QoS mappings",
                            "    - printk: add print_hex_dump_devel()",
                            "    - crypto: caam - guard HMAC key hex dumps in hash_digest_key",
                            "    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()",
                            "    - rust: pin-init: fix incorrect accessor reference lifetime",
                            "    - Linux 7.0.7",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43490",
                            "    - ksmbd: validate inherited ACE SID length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46174",
                            "    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op",
                            "      cache",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46110",
                            "    - net: stmmac: Prevent NULL deref when RX memory exhausted",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46153",
                            "    - 8021q: delete cleared egress QoS mappings",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46169",
                            "    - hfsplus: fix uninit-value by validating catalog record size",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46188",
                            "    - octeon_ep_vf: add NULL check for napi_build_skb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45837",
                            "    - bpf: Fix use-after-free in arena_vm_close on fork",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46156",
                            "    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46147",
                            "    - KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46175",
                            "    - f2fs: fix fsck inconsistency caused by FGGC of node block",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46194",
                            "    - f2fs: fix node_cnt race between extent node destroy and writeback",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46170",
                            "    - mptcp: pm: ADD_ADDR rtx: free sk if last",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46158",
                            "    - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46168",
                            "    - mptcp: fix scheduling with atomic in timestamp sockopt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46189",
                            "    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46133",
                            "    - RDMA/rxe: Reject unknown opcodes before ICRC processing",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46114",
                            "    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46127",
                            "    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46176",
                            "    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46178",
                            "    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46181",
                            "    - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46145",
                            "    - RDMA/mana: Validate rx_hash_key_len",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46117",
                            "    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46126",
                            "    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46144",
                            "    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46141",
                            "    - powerpc/xive: fix kmemleak caused by incorrect chip_data lookup",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46183",
                            "    - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46121",
                            "    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46131",
                            "    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46139",
                            "    - smb: client: use kzalloc to zero-initialize security descriptor buffer",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46105",
                            "    - scsi: mpt3sas: Limit NVMe request size to 2 MiB",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46171",
                            "    - riscv: kvm: fix vector context allocation leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46112",
                            "    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46165",
                            "    - openvswitch: vport: fix self-deadlock on release of tunnel ports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46161",
                            "    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43492",
                            "    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46124",
                            "    - isofs: validate block number from NFS file handle in isofs_export_iget",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46130",
                            "    - dm-verity-fec: fix reading parity bytes split across blocks (take 3)",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46106",
                            "    - eventfs: Hold eventfs_mutex and SRCU when remount walks events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46107",
                            "    - dm-thin: fix metadata refcount underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46160",
                            "    - btrfs: fix missing last_unlink_trans update when removing a directory",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46164",
                            "    - btrfs: fix double free in create_space_info_sub_group() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46129",
                            "    - btrfs: fix double free in create_space_info() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46159",
                            "    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to",
                            "      info-leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46143",
                            "    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46148",
                            "    - spi: microchip-core-qspi: control built-in cs manually",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46192",
                            "    - spi: microchip-core-qspi: don't attempt to transmit during emulated",
                            "      read-only dual/quad operations",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46162",
                            "    - ice: fix double free in ice_sf_eth_activate() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46273",
                            "    - ibmveth: Disable GSO for packets with small MSS",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46191",
                            "    - fbcon: Avoid OOB font access if console rotation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46134",
                            "    - platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43495",
                            "    - net: wwan: t7xx: validate port_count against message length in",
                            "      t7xx_port_enum_msg_handler",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43502",
                            "    - net/rds: handle zerocopy send cleanup before the message is queued",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46120",
                            "    - ip6_gre: Use cached t->net in ip6erspan_changelink().",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46142",
                            "    - net: libwx: fix VF illegal register access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46118",
                            "    - pseries/papr-hvpipe: Fix null ptr deref in",
                            "      papr_hvpipe_dev_create_handle()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46182",
                            "    - pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46184",
                            "    - sound: ua101: fix division by zero at probe",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43498",
                            "    - accel/ivpu: Disallow re-exporting imported GEM objects",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46132",
                            "    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in",
                            "      rtnl_fill_vfinfo",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46190",
                            "    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46150",
                            "    - fanotify: fix false positive on permission events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45836",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45834",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45835",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46138",
                            "    - Bluetooth: hci_event: Fix OOB read and infinite loop in",
                            "      hci_le_create_big_complete_evt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46111",
                            "    - Bluetooth: hci_conn: fix potential UAF in create_big_sync",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46140",
                            "    - Bluetooth: btmtk: validate WMT event SKB length before struct access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46186",
                            "    - Bluetooth: virtio_bt: validate rx pkt_type header length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46123",
                            "    - Bluetooth: virtio_bt: clamp rx length before skb_put",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46104",
                            "    - selinux: use sk blob accessor in socket permission helpers",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46193",
                            "    - xfrm: ah: account for ESN high bits in async callbacks",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46172",
                            "    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46116",
                            "    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46154",
                            "    - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46157",
                            "    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46109",
                            "    - usb: ulpi: fix memory leak on ulpi_register() error paths",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46146",
                            "    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46167",
                            "    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46151",
                            "    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46180",
                            "    - wifi: brcmfmac: Fix potential use-after-free issue when stopping",
                            "      watchdog task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46122",
                            "    - wifi: b43: enforce bounds check on firmware key index in b43_rx()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46125",
                            "    - wifi: mac80211: remove station if connection prep fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46166",
                            "    - wifi: mac80211: use safe list iteration in radar detect work",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46187",
                            "    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46152",
                            "    - wifi: mac80211: drop stray 'static' from fast-RX rx_result",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46163",
                            "    - wifi: b43legacy: enforce bounds check on firmware key index in RX path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46136",
                            "    - wifi: mt76: mt7921: fix a potential clc buffer length underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46173",
                            "    - exit: prevent preemption of oopsing TASK_DEAD task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43496",
                            "    - net/sched: sch_red: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46113",
                            "    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46179",
                            "    - ASoC: SOF: Don't allow pointer operations on unconfigured streams",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46196",
                            "    - tracepoint: balance regfunc() on func_add() failure in",
                            "      tracepoint_add_func()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43497",
                            "    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46108",
                            "    - ipmi:si: Return state to normal if message allocation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46128",
                            "    - ipmi: Check event message buffer response for bad data",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46177",
                            "    - ipmi: Add limits to event and receive message requests",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46149",
                            "    - scsi: target: configfs: Bound snprintf() return in",
                            "      tg_pt_gp_members_show()",
                            "",
                            "  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,",
                            "    conflicting with nouveau (LP: #2150845)",
                            "    - [Config] Disable NOVA_CORE",
                            "",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "",
                            "  * CVE-2026-46137",
                            "    - mptcp: pm: ADD_ADDR rtx: allow ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: fix potential data-race",
                            "",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "",
                            "  * CVE-2026-46155",
                            "    - smb/client: fix out-of-bounds read in smb2_compound_op()",
                            "",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157520,
                            2154418,
                            2155837,
                            2154174,
                            2154748,
                            2156559,
                            2156556,
                            2150640,
                            2156312,
                            2155096,
                            2154715,
                            2153159,
                            2150071,
                            2154343,
                            2149770,
                            2153155,
                            2152570,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156390,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2150845
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 02:37:29 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-common",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46318",
                        "url": "https://ubuntu.com/security/CVE-2026-46318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46322",
                        "url": "https://ubuntu.com/security/CVE-2026-46322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46320",
                        "url": "https://ubuntu.com/security/CVE-2026-46320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46321",
                        "url": "https://ubuntu.com/security/CVE-2026-46321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46316",
                        "url": "https://ubuntu.com/security/CVE-2026-46316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46317",
                        "url": "https://ubuntu.com/security/CVE-2026-46317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45846",
                        "url": "https://ubuntu.com/security/CVE-2026-45846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45845",
                        "url": "https://ubuntu.com/security/CVE-2026-45845",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45844",
                        "url": "https://ubuntu.com/security/CVE-2026-45844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46242",
                        "url": "https://ubuntu.com/security/CVE-2026-46242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-30 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45843",
                        "url": "https://ubuntu.com/security/CVE-2026-45843",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45842",
                        "url": "https://ubuntu.com/security/CVE-2026-45842",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45841",
                        "url": "https://ubuntu.com/security/CVE-2026-45841",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45840",
                        "url": "https://ubuntu.com/security/CVE-2026-45840",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45839",
                        "url": "https://ubuntu.com/security/CVE-2026-45839",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45838",
                        "url": "https://ubuntu.com/security/CVE-2026-45838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46214",
                        "url": "https://ubuntu.com/security/CVE-2026-46214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46207",
                        "url": "https://ubuntu.com/security/CVE-2026-46207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46234",
                        "url": "https://ubuntu.com/security/CVE-2026-46234",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46223",
                        "url": "https://ubuntu.com/security/CVE-2026-46223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46221",
                        "url": "https://ubuntu.com/security/CVE-2026-46221",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46231",
                        "url": "https://ubuntu.com/security/CVE-2026-46231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46233",
                        "url": "https://ubuntu.com/security/CVE-2026-46233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46212",
                        "url": "https://ubuntu.com/security/CVE-2026-46212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46238",
                        "url": "https://ubuntu.com/security/CVE-2026-46238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46208",
                        "url": "https://ubuntu.com/security/CVE-2026-46208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46206",
                        "url": "https://ubuntu.com/security/CVE-2026-46206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46198",
                        "url": "https://ubuntu.com/security/CVE-2026-46198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46227",
                        "url": "https://ubuntu.com/security/CVE-2026-46227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46220",
                        "url": "https://ubuntu.com/security/CVE-2026-46220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46215",
                        "url": "https://ubuntu.com/security/CVE-2026-46215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46201",
                        "url": "https://ubuntu.com/security/CVE-2026-46201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46224",
                        "url": "https://ubuntu.com/security/CVE-2026-46224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46197",
                        "url": "https://ubuntu.com/security/CVE-2026-46197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46209",
                        "url": "https://ubuntu.com/security/CVE-2026-46209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46230",
                        "url": "https://ubuntu.com/security/CVE-2026-46230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46199",
                        "url": "https://ubuntu.com/security/CVE-2026-46199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46204",
                        "url": "https://ubuntu.com/security/CVE-2026-46204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46218",
                        "url": "https://ubuntu.com/security/CVE-2026-46218",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46229",
                        "url": "https://ubuntu.com/security/CVE-2026-46229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46211",
                        "url": "https://ubuntu.com/security/CVE-2026-46211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46203",
                        "url": "https://ubuntu.com/security/CVE-2026-46203",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46219",
                        "url": "https://ubuntu.com/security/CVE-2026-46219",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46200",
                        "url": "https://ubuntu.com/security/CVE-2026-46200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46241",
                        "url": "https://ubuntu.com/security/CVE-2026-46241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46225",
                        "url": "https://ubuntu.com/security/CVE-2026-46225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46226",
                        "url": "https://ubuntu.com/security/CVE-2026-46226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46228",
                        "url": "https://ubuntu.com/security/CVE-2026-46228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46216",
                        "url": "https://ubuntu.com/security/CVE-2026-46216",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46210",
                        "url": "https://ubuntu.com/security/CVE-2026-46210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46240",
                        "url": "https://ubuntu.com/security/CVE-2026-46240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46235",
                        "url": "https://ubuntu.com/security/CVE-2026-46235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46222",
                        "url": "https://ubuntu.com/security/CVE-2026-46222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46239",
                        "url": "https://ubuntu.com/security/CVE-2026-46239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46236",
                        "url": "https://ubuntu.com/security/CVE-2026-46236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46205",
                        "url": "https://ubuntu.com/security/CVE-2026-46205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46202",
                        "url": "https://ubuntu.com/security/CVE-2026-46202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46213",
                        "url": "https://ubuntu.com/security/CVE-2026-46213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46232",
                        "url": "https://ubuntu.com/security/CVE-2026-46232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43490",
                        "url": "https://ubuntu.com/security/CVE-2026-43490",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 06:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46174",
                        "url": "https://ubuntu.com/security/CVE-2026-46174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46110",
                        "url": "https://ubuntu.com/security/CVE-2026-46110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46153",
                        "url": "https://ubuntu.com/security/CVE-2026-46153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46169",
                        "url": "https://ubuntu.com/security/CVE-2026-46169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46188",
                        "url": "https://ubuntu.com/security/CVE-2026-46188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45837",
                        "url": "https://ubuntu.com/security/CVE-2026-45837",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46156",
                        "url": "https://ubuntu.com/security/CVE-2026-46156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46147",
                        "url": "https://ubuntu.com/security/CVE-2026-46147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46175",
                        "url": "https://ubuntu.com/security/CVE-2026-46175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46194",
                        "url": "https://ubuntu.com/security/CVE-2026-46194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46170",
                        "url": "https://ubuntu.com/security/CVE-2026-46170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46158",
                        "url": "https://ubuntu.com/security/CVE-2026-46158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46168",
                        "url": "https://ubuntu.com/security/CVE-2026-46168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46189",
                        "url": "https://ubuntu.com/security/CVE-2026-46189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46133",
                        "url": "https://ubuntu.com/security/CVE-2026-46133",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46114",
                        "url": "https://ubuntu.com/security/CVE-2026-46114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46127",
                        "url": "https://ubuntu.com/security/CVE-2026-46127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46176",
                        "url": "https://ubuntu.com/security/CVE-2026-46176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46178",
                        "url": "https://ubuntu.com/security/CVE-2026-46178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46181",
                        "url": "https://ubuntu.com/security/CVE-2026-46181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46145",
                        "url": "https://ubuntu.com/security/CVE-2026-46145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46117",
                        "url": "https://ubuntu.com/security/CVE-2026-46117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46126",
                        "url": "https://ubuntu.com/security/CVE-2026-46126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46144",
                        "url": "https://ubuntu.com/security/CVE-2026-46144",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46141",
                        "url": "https://ubuntu.com/security/CVE-2026-46141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46183",
                        "url": "https://ubuntu.com/security/CVE-2026-46183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46121",
                        "url": "https://ubuntu.com/security/CVE-2026-46121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46131",
                        "url": "https://ubuntu.com/security/CVE-2026-46131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46139",
                        "url": "https://ubuntu.com/security/CVE-2026-46139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46105",
                        "url": "https://ubuntu.com/security/CVE-2026-46105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46171",
                        "url": "https://ubuntu.com/security/CVE-2026-46171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46112",
                        "url": "https://ubuntu.com/security/CVE-2026-46112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46165",
                        "url": "https://ubuntu.com/security/CVE-2026-46165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46161",
                        "url": "https://ubuntu.com/security/CVE-2026-46161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43492",
                        "url": "https://ubuntu.com/security/CVE-2026-43492",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46124",
                        "url": "https://ubuntu.com/security/CVE-2026-46124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46130",
                        "url": "https://ubuntu.com/security/CVE-2026-46130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46106",
                        "url": "https://ubuntu.com/security/CVE-2026-46106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46107",
                        "url": "https://ubuntu.com/security/CVE-2026-46107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46160",
                        "url": "https://ubuntu.com/security/CVE-2026-46160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46164",
                        "url": "https://ubuntu.com/security/CVE-2026-46164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46129",
                        "url": "https://ubuntu.com/security/CVE-2026-46129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46159",
                        "url": "https://ubuntu.com/security/CVE-2026-46159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46143",
                        "url": "https://ubuntu.com/security/CVE-2026-46143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46148",
                        "url": "https://ubuntu.com/security/CVE-2026-46148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46192",
                        "url": "https://ubuntu.com/security/CVE-2026-46192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46162",
                        "url": "https://ubuntu.com/security/CVE-2026-46162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46273",
                        "url": "https://ubuntu.com/security/CVE-2026-46273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46191",
                        "url": "https://ubuntu.com/security/CVE-2026-46191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46134",
                        "url": "https://ubuntu.com/security/CVE-2026-46134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43495",
                        "url": "https://ubuntu.com/security/CVE-2026-43495",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43502",
                        "url": "https://ubuntu.com/security/CVE-2026-43502",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46120",
                        "url": "https://ubuntu.com/security/CVE-2026-46120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46142",
                        "url": "https://ubuntu.com/security/CVE-2026-46142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46118",
                        "url": "https://ubuntu.com/security/CVE-2026-46118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46182",
                        "url": "https://ubuntu.com/security/CVE-2026-46182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46184",
                        "url": "https://ubuntu.com/security/CVE-2026-46184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43498",
                        "url": "https://ubuntu.com/security/CVE-2026-43498",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46132",
                        "url": "https://ubuntu.com/security/CVE-2026-46132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46190",
                        "url": "https://ubuntu.com/security/CVE-2026-46190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46150",
                        "url": "https://ubuntu.com/security/CVE-2026-46150",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45836",
                        "url": "https://ubuntu.com/security/CVE-2026-45836",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45834",
                        "url": "https://ubuntu.com/security/CVE-2026-45834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45835",
                        "url": "https://ubuntu.com/security/CVE-2026-45835",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46138",
                        "url": "https://ubuntu.com/security/CVE-2026-46138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46111",
                        "url": "https://ubuntu.com/security/CVE-2026-46111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46140",
                        "url": "https://ubuntu.com/security/CVE-2026-46140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46186",
                        "url": "https://ubuntu.com/security/CVE-2026-46186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46123",
                        "url": "https://ubuntu.com/security/CVE-2026-46123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46104",
                        "url": "https://ubuntu.com/security/CVE-2026-46104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46193",
                        "url": "https://ubuntu.com/security/CVE-2026-46193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46172",
                        "url": "https://ubuntu.com/security/CVE-2026-46172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46116",
                        "url": "https://ubuntu.com/security/CVE-2026-46116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46154",
                        "url": "https://ubuntu.com/security/CVE-2026-46154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46157",
                        "url": "https://ubuntu.com/security/CVE-2026-46157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46109",
                        "url": "https://ubuntu.com/security/CVE-2026-46109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46146",
                        "url": "https://ubuntu.com/security/CVE-2026-46146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46167",
                        "url": "https://ubuntu.com/security/CVE-2026-46167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46151",
                        "url": "https://ubuntu.com/security/CVE-2026-46151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46180",
                        "url": "https://ubuntu.com/security/CVE-2026-46180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46122",
                        "url": "https://ubuntu.com/security/CVE-2026-46122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46125",
                        "url": "https://ubuntu.com/security/CVE-2026-46125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46166",
                        "url": "https://ubuntu.com/security/CVE-2026-46166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46187",
                        "url": "https://ubuntu.com/security/CVE-2026-46187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46152",
                        "url": "https://ubuntu.com/security/CVE-2026-46152",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46163",
                        "url": "https://ubuntu.com/security/CVE-2026-46163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46136",
                        "url": "https://ubuntu.com/security/CVE-2026-46136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46173",
                        "url": "https://ubuntu.com/security/CVE-2026-46173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43496",
                        "url": "https://ubuntu.com/security/CVE-2026-43496",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46113",
                        "url": "https://ubuntu.com/security/CVE-2026-46113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46179",
                        "url": "https://ubuntu.com/security/CVE-2026-46179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46196",
                        "url": "https://ubuntu.com/security/CVE-2026-46196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43497",
                        "url": "https://ubuntu.com/security/CVE-2026-43497",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46108",
                        "url": "https://ubuntu.com/security/CVE-2026-46108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46128",
                        "url": "https://ubuntu.com/security/CVE-2026-46128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46177",
                        "url": "https://ubuntu.com/security/CVE-2026-46177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46149",
                        "url": "https://ubuntu.com/security/CVE-2026-46149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46137",
                        "url": "https://ubuntu.com/security/CVE-2026-46137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46155",
                        "url": "https://ubuntu.com/security/CVE-2026-46155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2157520,
                    2154418,
                    2155837,
                    2154174,
                    2154748,
                    2156559,
                    2156556,
                    2150640,
                    2156312,
                    2155096,
                    2154715,
                    2153159,
                    2150071,
                    2154343,
                    2149770,
                    2153155,
                    2152570,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156390,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2150845
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46318",
                                "url": "https://ubuntu.com/security/CVE-2026-46318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46322",
                                "url": "https://ubuntu.com/security/CVE-2026-46322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46320",
                                "url": "https://ubuntu.com/security/CVE-2026-46320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46321",
                                "url": "https://ubuntu.com/security/CVE-2026-46321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46316",
                                "url": "https://ubuntu.com/security/CVE-2026-46316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46317",
                                "url": "https://ubuntu.com/security/CVE-2026-46317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45846",
                                "url": "https://ubuntu.com/security/CVE-2026-45846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45845",
                                "url": "https://ubuntu.com/security/CVE-2026-45845",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45844",
                                "url": "https://ubuntu.com/security/CVE-2026-45844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46242",
                                "url": "https://ubuntu.com/security/CVE-2026-46242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-30 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45843",
                                "url": "https://ubuntu.com/security/CVE-2026-45843",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45842",
                                "url": "https://ubuntu.com/security/CVE-2026-45842",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45841",
                                "url": "https://ubuntu.com/security/CVE-2026-45841",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45840",
                                "url": "https://ubuntu.com/security/CVE-2026-45840",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45839",
                                "url": "https://ubuntu.com/security/CVE-2026-45839",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45838",
                                "url": "https://ubuntu.com/security/CVE-2026-45838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46214",
                                "url": "https://ubuntu.com/security/CVE-2026-46214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46207",
                                "url": "https://ubuntu.com/security/CVE-2026-46207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46234",
                                "url": "https://ubuntu.com/security/CVE-2026-46234",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46223",
                                "url": "https://ubuntu.com/security/CVE-2026-46223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46221",
                                "url": "https://ubuntu.com/security/CVE-2026-46221",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46231",
                                "url": "https://ubuntu.com/security/CVE-2026-46231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46233",
                                "url": "https://ubuntu.com/security/CVE-2026-46233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46212",
                                "url": "https://ubuntu.com/security/CVE-2026-46212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46238",
                                "url": "https://ubuntu.com/security/CVE-2026-46238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46208",
                                "url": "https://ubuntu.com/security/CVE-2026-46208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46206",
                                "url": "https://ubuntu.com/security/CVE-2026-46206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46198",
                                "url": "https://ubuntu.com/security/CVE-2026-46198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46227",
                                "url": "https://ubuntu.com/security/CVE-2026-46227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46220",
                                "url": "https://ubuntu.com/security/CVE-2026-46220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46215",
                                "url": "https://ubuntu.com/security/CVE-2026-46215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46201",
                                "url": "https://ubuntu.com/security/CVE-2026-46201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46224",
                                "url": "https://ubuntu.com/security/CVE-2026-46224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46197",
                                "url": "https://ubuntu.com/security/CVE-2026-46197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46209",
                                "url": "https://ubuntu.com/security/CVE-2026-46209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46230",
                                "url": "https://ubuntu.com/security/CVE-2026-46230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46199",
                                "url": "https://ubuntu.com/security/CVE-2026-46199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46204",
                                "url": "https://ubuntu.com/security/CVE-2026-46204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46218",
                                "url": "https://ubuntu.com/security/CVE-2026-46218",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46229",
                                "url": "https://ubuntu.com/security/CVE-2026-46229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46211",
                                "url": "https://ubuntu.com/security/CVE-2026-46211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46203",
                                "url": "https://ubuntu.com/security/CVE-2026-46203",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46219",
                                "url": "https://ubuntu.com/security/CVE-2026-46219",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46200",
                                "url": "https://ubuntu.com/security/CVE-2026-46200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46241",
                                "url": "https://ubuntu.com/security/CVE-2026-46241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46225",
                                "url": "https://ubuntu.com/security/CVE-2026-46225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46226",
                                "url": "https://ubuntu.com/security/CVE-2026-46226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46228",
                                "url": "https://ubuntu.com/security/CVE-2026-46228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46216",
                                "url": "https://ubuntu.com/security/CVE-2026-46216",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46210",
                                "url": "https://ubuntu.com/security/CVE-2026-46210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46240",
                                "url": "https://ubuntu.com/security/CVE-2026-46240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46235",
                                "url": "https://ubuntu.com/security/CVE-2026-46235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46222",
                                "url": "https://ubuntu.com/security/CVE-2026-46222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46239",
                                "url": "https://ubuntu.com/security/CVE-2026-46239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46236",
                                "url": "https://ubuntu.com/security/CVE-2026-46236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46205",
                                "url": "https://ubuntu.com/security/CVE-2026-46205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46202",
                                "url": "https://ubuntu.com/security/CVE-2026-46202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46213",
                                "url": "https://ubuntu.com/security/CVE-2026-46213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46232",
                                "url": "https://ubuntu.com/security/CVE-2026-46232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43490",
                                "url": "https://ubuntu.com/security/CVE-2026-43490",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 06:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46174",
                                "url": "https://ubuntu.com/security/CVE-2026-46174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46110",
                                "url": "https://ubuntu.com/security/CVE-2026-46110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46153",
                                "url": "https://ubuntu.com/security/CVE-2026-46153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46169",
                                "url": "https://ubuntu.com/security/CVE-2026-46169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46188",
                                "url": "https://ubuntu.com/security/CVE-2026-46188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45837",
                                "url": "https://ubuntu.com/security/CVE-2026-45837",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46156",
                                "url": "https://ubuntu.com/security/CVE-2026-46156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46147",
                                "url": "https://ubuntu.com/security/CVE-2026-46147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46175",
                                "url": "https://ubuntu.com/security/CVE-2026-46175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46194",
                                "url": "https://ubuntu.com/security/CVE-2026-46194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46170",
                                "url": "https://ubuntu.com/security/CVE-2026-46170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46158",
                                "url": "https://ubuntu.com/security/CVE-2026-46158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46168",
                                "url": "https://ubuntu.com/security/CVE-2026-46168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46189",
                                "url": "https://ubuntu.com/security/CVE-2026-46189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46133",
                                "url": "https://ubuntu.com/security/CVE-2026-46133",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46114",
                                "url": "https://ubuntu.com/security/CVE-2026-46114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46127",
                                "url": "https://ubuntu.com/security/CVE-2026-46127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46176",
                                "url": "https://ubuntu.com/security/CVE-2026-46176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46178",
                                "url": "https://ubuntu.com/security/CVE-2026-46178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46181",
                                "url": "https://ubuntu.com/security/CVE-2026-46181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46145",
                                "url": "https://ubuntu.com/security/CVE-2026-46145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46117",
                                "url": "https://ubuntu.com/security/CVE-2026-46117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46126",
                                "url": "https://ubuntu.com/security/CVE-2026-46126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46144",
                                "url": "https://ubuntu.com/security/CVE-2026-46144",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46141",
                                "url": "https://ubuntu.com/security/CVE-2026-46141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46183",
                                "url": "https://ubuntu.com/security/CVE-2026-46183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46121",
                                "url": "https://ubuntu.com/security/CVE-2026-46121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46131",
                                "url": "https://ubuntu.com/security/CVE-2026-46131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46139",
                                "url": "https://ubuntu.com/security/CVE-2026-46139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46105",
                                "url": "https://ubuntu.com/security/CVE-2026-46105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46171",
                                "url": "https://ubuntu.com/security/CVE-2026-46171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46112",
                                "url": "https://ubuntu.com/security/CVE-2026-46112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46165",
                                "url": "https://ubuntu.com/security/CVE-2026-46165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46161",
                                "url": "https://ubuntu.com/security/CVE-2026-46161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43492",
                                "url": "https://ubuntu.com/security/CVE-2026-43492",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46124",
                                "url": "https://ubuntu.com/security/CVE-2026-46124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46130",
                                "url": "https://ubuntu.com/security/CVE-2026-46130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46106",
                                "url": "https://ubuntu.com/security/CVE-2026-46106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46107",
                                "url": "https://ubuntu.com/security/CVE-2026-46107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46160",
                                "url": "https://ubuntu.com/security/CVE-2026-46160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46164",
                                "url": "https://ubuntu.com/security/CVE-2026-46164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46129",
                                "url": "https://ubuntu.com/security/CVE-2026-46129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46159",
                                "url": "https://ubuntu.com/security/CVE-2026-46159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46143",
                                "url": "https://ubuntu.com/security/CVE-2026-46143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46148",
                                "url": "https://ubuntu.com/security/CVE-2026-46148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46192",
                                "url": "https://ubuntu.com/security/CVE-2026-46192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46162",
                                "url": "https://ubuntu.com/security/CVE-2026-46162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46273",
                                "url": "https://ubuntu.com/security/CVE-2026-46273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46191",
                                "url": "https://ubuntu.com/security/CVE-2026-46191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46134",
                                "url": "https://ubuntu.com/security/CVE-2026-46134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43495",
                                "url": "https://ubuntu.com/security/CVE-2026-43495",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43502",
                                "url": "https://ubuntu.com/security/CVE-2026-43502",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46120",
                                "url": "https://ubuntu.com/security/CVE-2026-46120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46142",
                                "url": "https://ubuntu.com/security/CVE-2026-46142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46118",
                                "url": "https://ubuntu.com/security/CVE-2026-46118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46182",
                                "url": "https://ubuntu.com/security/CVE-2026-46182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46184",
                                "url": "https://ubuntu.com/security/CVE-2026-46184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43498",
                                "url": "https://ubuntu.com/security/CVE-2026-43498",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46132",
                                "url": "https://ubuntu.com/security/CVE-2026-46132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46190",
                                "url": "https://ubuntu.com/security/CVE-2026-46190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46150",
                                "url": "https://ubuntu.com/security/CVE-2026-46150",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45836",
                                "url": "https://ubuntu.com/security/CVE-2026-45836",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45834",
                                "url": "https://ubuntu.com/security/CVE-2026-45834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45835",
                                "url": "https://ubuntu.com/security/CVE-2026-45835",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46138",
                                "url": "https://ubuntu.com/security/CVE-2026-46138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46111",
                                "url": "https://ubuntu.com/security/CVE-2026-46111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46140",
                                "url": "https://ubuntu.com/security/CVE-2026-46140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46186",
                                "url": "https://ubuntu.com/security/CVE-2026-46186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46123",
                                "url": "https://ubuntu.com/security/CVE-2026-46123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46104",
                                "url": "https://ubuntu.com/security/CVE-2026-46104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46193",
                                "url": "https://ubuntu.com/security/CVE-2026-46193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46172",
                                "url": "https://ubuntu.com/security/CVE-2026-46172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46116",
                                "url": "https://ubuntu.com/security/CVE-2026-46116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46154",
                                "url": "https://ubuntu.com/security/CVE-2026-46154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46157",
                                "url": "https://ubuntu.com/security/CVE-2026-46157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46109",
                                "url": "https://ubuntu.com/security/CVE-2026-46109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46146",
                                "url": "https://ubuntu.com/security/CVE-2026-46146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46167",
                                "url": "https://ubuntu.com/security/CVE-2026-46167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46151",
                                "url": "https://ubuntu.com/security/CVE-2026-46151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46180",
                                "url": "https://ubuntu.com/security/CVE-2026-46180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46122",
                                "url": "https://ubuntu.com/security/CVE-2026-46122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46125",
                                "url": "https://ubuntu.com/security/CVE-2026-46125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46166",
                                "url": "https://ubuntu.com/security/CVE-2026-46166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46187",
                                "url": "https://ubuntu.com/security/CVE-2026-46187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46152",
                                "url": "https://ubuntu.com/security/CVE-2026-46152",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46163",
                                "url": "https://ubuntu.com/security/CVE-2026-46163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46136",
                                "url": "https://ubuntu.com/security/CVE-2026-46136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46173",
                                "url": "https://ubuntu.com/security/CVE-2026-46173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43496",
                                "url": "https://ubuntu.com/security/CVE-2026-43496",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46113",
                                "url": "https://ubuntu.com/security/CVE-2026-46113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46179",
                                "url": "https://ubuntu.com/security/CVE-2026-46179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46196",
                                "url": "https://ubuntu.com/security/CVE-2026-46196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43497",
                                "url": "https://ubuntu.com/security/CVE-2026-43497",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46108",
                                "url": "https://ubuntu.com/security/CVE-2026-46108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46128",
                                "url": "https://ubuntu.com/security/CVE-2026-46128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46177",
                                "url": "https://ubuntu.com/security/CVE-2026-46177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46149",
                                "url": "https://ubuntu.com/security/CVE-2026-46149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46137",
                                "url": "https://ubuntu.com/security/CVE-2026-46137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46155",
                                "url": "https://ubuntu.com/security/CVE-2026-46155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-28.28 -proposed tracker (LP: #2157520)",
                            "",
                            "  * Backport ASoC SDCA, AMD SoundWire, and RT722 audio fixes (LP: #2154418)",
                            "    - ASoC: amd: acp-sdw-legacy: rename the dmic component name",
                            "    - SAUCE: ASoC: rt722-sdca: add FU06 Playback Switch for speaker mute",
                            "      control",
                            "",
                            "  * MIPI camera of a BBG809N3A_B sensor SKU of the DELL Pro 14 Premium PA14260",
                            "    renders upside-down (LP: #2155837)",
                            "    - SAUCE: media: ipu-bridge: correct platform handling for DELL Pro 14",
                            "      Premium PA14260",
                            "",
                            "  * resolute ubuntu_kernel_selftests:seccomp_build test compilation issue",
                            "    (LP: #2154174)",
                            "    - SAUCE: selftests/seccomp fix compilation issue for amd64",
                            "",
                            "  * [Ubuntu 26.04] Severe Performance Degradation on kernel 7.0.0-15",
                            "    (LP: #2154748)",
                            "    - s390: Remove GENERIC_LOCKBREAK Kconfig option",
                            "    - UBUNTU [Config]: Remove GENERIC_LOCKBREAK in s390x",
                            "",
                            "  * Fix no sound output device on Dell GhostRider PTL no camera SKU",
                            "    (LP: #2156559)",
                            "    - ASoC: Intel: sof_sdw: append dai type to dai link name unconditionally",
                            "",
                            "  * Fix no audio from right built-in speaker on HP ZBook with TAS2781",
                            "    amplifier (LP: #2156556)",
                            "    - ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block",
                            "      data processing",
                            "",
                            "  * Installer fails internally with a RSync error due to page fault",
                            "    (LP: #2150640)",
                            "    - ovl: keep err zero after successful ovl_cache_get()",
                            "",
                            "  * Internal display black screen on Intel Lunar Lake with eDP panel",
                            "    (LP: #2156312)",
                            "    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG",
                            "",
                            "  * Thunderbolt DP tunnel torn down during boot with LUKS Full Disk Encryption",
                            "    (LP: #2155096)",
                            "    - SAUCE: thunderbolt: Defer DP tunnel teardown until display driver is",
                            "      ready",
                            "",
                            "  * watchdog: lenovo_se10_wdt: Add SE10 Gen 2 support (LP: #2154715)",
                            "    - watchdog: lenovo_se10_wdt: Add support for SE10 Gen 2 platform",
                            "    - watchdog: lenovo_se10_wdt: Fix use-after-free and resource leak risk",
                            "",
                            "  * [Ubuntu 26.04] KVM: IBM Test Accelerator for Z (TAZ) not working properly",
                            "    (LP: #2153159)",
                            "    - KVM: s390: only deliver service interrupt with payload",
                            "    - KVM: s390: vsie: Allow non-zarch guests",
                            "    - KVM: s390: vsie: Disable some bits when in ESA mode",
                            "    - KVM: s390: vsie: Accommodate ESA prefix pages",
                            "    - KVM: s390: Add KVM capability for ESA mode guests",
                            "",
                            "  * ubuntu_bpf failed to build on Resolute (error: expected ‘:’, ‘,’, ‘;’, ‘}’",
                            "    or ‘__attribute__’ before ‘__counted_by’) (LP: #2150071)",
                            "    - tools/headers: Regenerate stddef.h to fix BPF selftests",
                            "",
                            "  * ubuntu_bpf: FTBFS with clang 23 / gcc 15 (LP: #2154343)",
                            "    - selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c",
                            "",
                            "  * ALSA: hda/tas2781 Audio Fix for the front-right speacker (LP: #2149770)",
                            "    - ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device",
                            "",
                            "  * Fix bad audio record quality when volume above 50% on Framework PTL",
                            "    (LP: #2153155)",
                            "    - ALSA: hda/realtek: fix mic boost on Framework PTL",
                            "",
                            "  * Patchset for TUXEDO devices (LP: #2152570)",
                            "    - drm/i915/vbt: Add edp pipe joiner enable/disable bits",
                            "    - drm/i915/dp: Avoid joiner for eDP if not enabled in VBT",
                            "    - drm/amd/display: Add Idle state manager(ISM)",
                            "    - drm/i915/backlight: Remove try_vesa_interface",
                            "    - drm/i915/backlight: Use intel_panel variable instead of intel_connector",
                            "    - drm/i915/backlight: Take luminance_set into account for VESA backlight",
                            "    - drm/i915/backlight: Check luminance_set when disabling PWM via AUX VESA",
                            "      backlight",
                            "    - drm/i915/backlight: Short circuit intel_dp_aux_supports_hdr_backlight",
                            "    - drm/i915/backlight: Update debug log during backlight setup",
                            "    - drm/i915/backlight: Check if VESA backlight is possible",
                            "    - drm/i915/backlight: Provide clear description on how backlight level is",
                            "      controlled",
                            "    - drm/i915/backlight: Fix VESA backlight possible check condition",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636)",
                            "    - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size",
                            "    - ACPI: button: Fix ACPI GPE handler leak during removal",
                            "    - ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time",
                            "    - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit",
                            "    - net/sched: sch_sfb: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "    - bcache: fix uninitialized closure object",
                            "    - nfc: llcp: Fix use-after-free in llcp_sock_release()",
                            "    - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()",
                            "    - xfrm: Check for underflow in xfrm_state_mtu",
                            "    - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems",
                            "    - tools/bootconfig: Fix buf leaks in apply_xbc",
                            "    - HID: remove duplicate hid_warn_ratelimited definition",
                            "    - kunit: fix use-after-free in debugfs when using kunit.filter",
                            "    - accel/rocket: fix UAF via dangling GEM handle in create_bo",
                            "    - netfilter: synproxy: refresh tcphdr after skb_ensure_writable",
                            "    - netfilter: xt_cpu: prefer raw_smp_processor_id",
                            "    - netfilter: ebtables: fix OOB read in compat_mtw_from_user",
                            "    - netfilter: nf_tables: fix dst corruption in same register operation",
                            "    - vsock: keep poll shutdown state consistent",
                            "    - net: netlink: fix sending unassigned nsid after assigned one",
                            "    - net: netlink: don't set nsid on local notifications",
                            "    - net/smc: Do not re-initialize smc hashtables",
                            "    - net/iucv: fix locking in .getsockopt",
                            "    - scsi: core: Run queues for all non-SDEV_DEL devices from",
                            "      scsi_run_host_queues",
                            "    - scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()",
                            "    - ipv4: free net->ipv4.sysctl_local_reserved_ports after",
                            "      unregister_net_sysctl_table()",
                            "    - ALSA: hda: cs35l56: Fix system name string leaks",
                            "    - ALSA: pcm: oss: Fix setup list UAF on proc write error",
                            "    - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors",
                            "    - net/mlx5: HWS: Reject unsupported remove-header action",
                            "    - net: hsr: fix potential OOB access in supervision frame handling",
                            "    - accel/ivpu: prevent uninitialized data bug in debugfs",
                            "    - gpio: mxc: fix irq_high handling",
                            "    - drm/i915/aux: use polling when irqs are unavailable",
                            "    - net: Avoid checksumming unreadable skb tail on trim",
                            "    - ethtool: rss: avoid modifying the RSS context response",
                            "    - ethtool: rss: add missing errno on RSS context delete",
                            "    - ethtool: rss: fix falsely ignoring indir table updates",
                            "    - ethtool: rss: fix indir_table and hkey leak on get_rxfh failure",
                            "    - ethtool: rss: fix hkey leak when indir_size is 0",
                            "    - ethtool: rss: avoid device context leak on reply-build failure",
                            "    - ethtool: module: call ethnl_ops_complete() on module flash errors",
                            "    - ethtool: module: avoid leaking a netdev ref on module flash errors",
                            "    - ethtool: module: avoid racy updates to dev->ethtool bitfield",
                            "    - ethtool: module: check fw_flash_in_progress under rtnl_lock",
                            "    - ethtool: module: fix cleanup if socket used for flashing multiple",
                            "      devices",
                            "    - ethtool: cmis: require exact CDB reply length",
                            "    - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl",
                            "    - ethtool: cmis: validate start_cmd_payload_size from module",
                            "    - ethtool: cmis: validate fw->size against start_cmd_payload_size",
                            "    - cxl/test: Update mock dev array before calling platform_device_add()",
                            "    - blk-mq: reinsert cached request to the list",
                            "    - tunnels: load network headers after skb_cow() in",
                            "      iptunnel_pmtud_build_icmp[v6]()",
                            "    - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()",
                            "    - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()",
                            "    - ksmbd: fix FSCTL permission bypass by adding a permission check for",
                            "      FSCTL_SET_SPARSE",
                            "    - ASoC: codecs: simple-mux: Fix enum control bounds check",
                            "    - drm/xe: Restore IDLEDLY regiter on engine reset",
                            "    - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()",
                            "    - bonding: refuse to enslave CAN devices",
                            "    - bridge: Fix sleep in atomic context in netlink path",
                            "    - bridge: Fix sleep in atomic context in sysfs path",
                            "    - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES",
                            "    - ethtool: tsconfig: fix reply error handling",
                            "    - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup",
                            "      error",
                            "    - ethtool: pse-pd: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsconfig: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsinfo: fix uninitialized stats on the by-PHC path",
                            "    - ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure",
                            "    - ethtool: strset: fix header attribute index in ethnl_req_get_phydev()",
                            "    - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during",
                            "      fallback",
                            "    - ethtool: eeprom: add more safeties to EEPROM Netlink fallback",
                            "    - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()",
                            "    - net/sched: Revert \"net/sched: Restrict conditions for adding duplicating",
                            "      netems to qdisc tree\"",
                            "    - net/sched: fix packet loop on netem when duplicate is on",
                            "    - net: Introduce skb tc depth field to track packet loops",
                            "    - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop",
                            "    - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack",
                            "      overflow",
                            "    - net/sched: act_mirred: Fix return code in early mirred redirect error",
                            "      paths",
                            "    - net: hibmcge: disable Relaxed Ordering to fix RX packet corruption",
                            "    - net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path",
                            "    - net/handshake: Use spin_lock_bh for hn_lock",
                            "    - nvme-tcp: store negative errno in queue->tls_err",
                            "    - net/handshake: Pass negative errno through handshake_complete()",
                            "    - net/handshake: hand off the pinned file reference to accept_doit",
                            "    - net/handshake: Take a long-lived file reference at submit",
                            "    - net/handshake: Drain pending requests at net namespace exit",
                            "    - dpll: zl3073x: detect DPLL channel count from chip ID at runtime",
                            "    - dpll: zl3073x: add die temperature reporting for supported chips",
                            "    - dpll: export __dpll_device_change_ntf() for use under dpll_lock",
                            "    - dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work",
                            "    - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success",
                            "    - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp",
                            "    - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close",
                            "    - Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()",
                            "    - gpio: adnp: fix flow control regression caused by scoped_guard()",
                            "    - gpio: virtuser: Fix uninitialized data bug in",
                            "      gpio_virtuser_direction_do_write()",
                            "    - gpio: rockchip: convert bank->clk to devm_clk_get_enabled()",
                            "    - gpio: rockchip: teardown bugs and resource leaks",
                            "    - net: mana: Add NULL guards in teardown path to prevent panic on attach",
                            "      failure",
                            "    - net: mana: Skip redundant detach on already-detached port",
                            "    - sctp: fix race between sctp_wait_for_connect and peeloff",
                            "    - net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration",
                            "    - vsock/virtio: bind uarg before filling zerocopy skb",
                            "    - ipv6: fix possible infinite loop in rt6_fill_node()",
                            "    - ipv6: fix possible infinite loop in fib6_select_path()",
                            "    - net: skbuff: fix pskb_carve leaking zcopy pages",
                            "    - Revert \"ipv6: preserve insertion order for same-scope addresses\"",
                            "    - Revert \"x86/fpu: Refine and simplify the magic number check during",
                            "      signal return\"",
                            "    - drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register",
                            "    - drm/i915/psr: Read Intel DPCD workaround register",
                            "    - drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used",
                            "    - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer",
                            "    - iio: imu: adis16550: fix stack leak in trigger handler",
                            "    - iio: pressure: bmp280: fix stack leak in bmp580 trigger handler",
                            "    - usb: typec: ucsi: ccg: reject firmware images without a ':' record",
                            "      header",
                            "    - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers",
                            "    - usb: typec: tcpm: bound altmode_desc[] per iteration in",
                            "      svdm_consume_modes()",
                            "    - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload",
                            "      VDO",
                            "    - usb: typec: altmodes/displayport: validate count before reading Status",
                            "      Update VDO",
                            "    - usb: typec: wcove: don't write past struct pd_message in",
                            "      wcove_read_rx_buffer()",
                            "    - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT",
                            "    - usb: typec: ucsi: validate connector number in ucsi_connector_change()",
                            "    - USB: serial: safe_serial: fix memory corruption with small endpoint",
                            "    - media: rc: igorplugusb: fix control request setup packet",
                            "    - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()",
                            "    - USB: serial: cypress_m8: fix memory corruption with small endpoint",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse",
                            "    - Bluetooth: btusb: Allow firmware re-download when version matches",
                            "    - mm/vmalloc: do not trigger BUG() on BH disabled context",
                            "    - hpfs: fix a crash if hpfs_map_dnode_bitmap fails",
                            "    - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()",
                            "    - ipc: limit next_id allocation to the valid ID range",
                            "    - mm: memcontrol: propagate NMI slab stats to memcg vmstats",
                            "    - mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page",
                            "    - memfd: deny writeable mappings when implying SEAL_WRITE",
                            "    - zram: fix use-after-free in zram_writeback_endio",
                            "    - mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one",
                            "    - auxdisplay: line-display: fix OOB read on zero-length message_store()",
                            "    - smb: client: fix uninitialized variable in smb2_writev_callback",
                            "    - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
                            "    - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn",
                            "    - Bluetooth: HIDP: fix missing length checks in hidp_input_report()",
                            "    - Bluetooth: ISO: fix UAF in iso_recv_frame",
                            "    - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock",
                            "    - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()",
                            "    - Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading",
                            "    - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync",
                            "    - Input: xpad - fix out-of-bounds access for Share button",
                            "    - parport: Fix race between port and client registration",
                            "    - rust_binder: Avoid holding lock when dropping delivered_death",
                            "    - rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN",
                            "    - USB: cdc-acm: Fix bit overlap and move quirk definitions to header",
                            "    - KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor",
                            "    - KVM: arm64: PMU: Preserve AArch32 counter low bits",
                            "    - KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC",
                            "    - KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
                            "    - KVM: SEV: Ignore Port I/O requests of length '0'",
                            "    - KVM: SEV: Use the size of the PSC header as the minimum size for PSC",
                            "      requests",
                            "    - KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0",
                            "    - KVM: SEV: Compute the correct max length of the in-GHCB scratch area",
                            "    - KVM: SEV: Check PSC request indices against the actual size of the",
                            "      buffer",
                            "    - KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer",
                            "    - KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()",
                            "    - gpio: shared: undo the vote of the proxy on GPIO free",
                            "    - gpio: shared: fix deadlock on shared proxy's parent removal",
                            "    - gpio: shared: fix lockdep false positive by removing unneeded lock",
                            "    - Disable -Wattribute-alias for clang-23 and newer",
                            "    - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux",
                            "    - iio: adc: npcm: fix unbalanced clk_disable_unprepare()",
                            "    - iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings",
                            "    - iio: dac: max5821: fix return value check in powerdown sync",
                            "    - iio: dac: ad5686: fix ref bit initialization for single-channel parts",
                            "    - iio: dac: ad5686: fix input raw value check",
                            "    - iio: dac: ad5686: acquire lock when doing powerdown control",
                            "    - iio: dac: ad5686: fix powerdown control on dual-channel devices",
                            "    - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp",
                            "    - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw",
                            "    - iio: adc: ad4695: Fix call ordering in offload buffer postenable",
                            "    - iio: adc: nxp-sar-adc: fix division by zero in write_raw",
                            "    - iio: adc: nxp-sar-adc: Avoid division by zero",
                            "    - iio: adc: nxp-sar-adc: zero-initialize dma_slave_config",
                            "    - iio: gyro: itg3200: fix i2c read into the wrong stack location",
                            "    - iio: gyro: adis16260: fix division by zero in write_raw",
                            "    - iio: ssp_sensors: cancel delayed work_refresh on remove",
                            "    - iio: temperature: tsys01: fix broken PROM checksum validation",
                            "    - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL",
                            "    - iio: light: veml6070: Fix resource leak in probe error path",
                            "    - iio: Fix iio_multiply_value use in iio_read_channel_processed_scale",
                            "    - iio: chemical: mhz19b: reject oversized serial replies",
                            "    - iio: chemical: scd30: fix division by zero in write_raw",
                            "    - iio: light: cm3323: fix reg_conf not being initialized correctly",
                            "    - iio: buffer: hw-consumer: fix use-after-free in error path",
                            "    - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()",
                            "    - USB: serial: omninet: fix memory corruption with small endpoint",
                            "    - usb: cdns3: gadget: fix request skipping after clearing halt",
                            "    - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy",
                            "      acquisition failure",
                            "    - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently",
                            "      leaks the runtime PM usage counter across bind/unbind cycles",
                            "    - usb: dwc2: Fix use after free in debug code",
                            "    - Input: elan_i2c - validate firmware size before use",
                            "    - i2c: davinci: fix division by zero on missing clock-frequency",
                            "    - x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines",
                            "    - wireguard: send: append trailer after expanding head",
                            "    - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data",
                            "    - macsec: fix replay protection at XPN lower-PN wrap",
                            "    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()",
                            "    - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params",
                            "    - octeontx2-af: validate body pcifunc in rvu_mbox_handler_rep_event_notify",
                            "    - ipv6: exthdrs: refresh nh after handling HAO option",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().",
                            "    - ipv6: validate extension header length before copying to cmsg",
                            "    - xfrm: input: hold netns during deferred transport reinjection",
                            "    - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_changelink().",
                            "    - net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
                            "    - spi: spi-mem: avoid mutating op template in spi_mem_supports_op()",
                            "    - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()",
                            "    - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings",
                            "    - nfc: hci: fix out-of-bounds read in HCP header parsing",
                            "    - xfrm: route MIGRATE notifications to caller's netns",
                            "    - xfrm: ipcomp: Free destination pages on acomp errors",
                            "    - xfrm: ah: use skb_to_full_sk in async output callbacks",
                            "    - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417",
                            "    - ALSA: firewire-motu: Protect register DSP event queue positions",
                            "    - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without",
                            "      direction check",
                            "    - ASoC: qcom: q6asm-dai: close stream only when running",
                            "    - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger",
                            "      callbacks",
                            "    - xfrm: esp: restore combined single-frag length gate",
                            "    - ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP",
                            "    - xfrm: iptfs: reset runtime state when cloning SAs",
                            "    - dma-buf: fix UAF in dma_buf_fd() tracepoint",
                            "    - Input: xpad - add \"Nova 2 Lite\" from GameSir",
                            "    - Input: xpad - add support for ASUS ROG RAIKIRI II",
                            "    - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops",
                            "    - misc: rp1: Send IACK on IRQ activate to fix kdump/kexec",
                            "    - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem",
                            "    - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490",
                            "    - dt-bindings: usb: Fix EIC7700 USB reset's issue",
                            "    - comedi: comedi_test: fix check for valid scan_begin_src in",
                            "      waveform_ai_cmdtest()",
                            "    - comedi: comedi_test: Fix limiting of convert_arg in",
                            "      waveform_ai_cmdtest()",
                            "    - counter: Fix refcount leak in counter_alloc() error path",
                            "    - tty: serial: pch_uart: add check for dma_alloc_coherent()",
                            "    - tty: serial: samsung: Remove redundant port lock acquisition in rx",
                            "      helpers",
                            "    - uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory",
                            "    - usb: chipidea: core: convert ci_role_switch to local variable",
                            "    - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval",
                            "    - usb: dwc3: xilinx: fix error handling in zynqmp init error paths",
                            "    - usb: musb: omap2430: Fix use-after-free in omap2430_probe()",
                            "    - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub",
                            "      controllers",
                            "    - usb: storage: Add quirks for PNY Elite Portable SSD",
                            "    - usbip: vudc: Fix use after free bug in vudc_remove due to race condition",
                            "    - usb: usbtmc: check URB actual_length for interrupt-IN notifications",
                            "    - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize",
                            "    - usb: typec: tipd: Fix error code in tps6598x_probe()",
                            "    - usb: typec: tcpm: improve handling of DISCOVER_MODES failures",
                            "    - usb: typec: ucsi: Check if power role change actually happened before",
                            "      handling",
                            "    - usb: typec: ucsi: Don't update power_supply on power role change if not",
                            "      connected",
                            "    - USB: serial: option: add MeiG SRM813Q",
                            "    - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL",
                            "    - USB: serial: belkin_sa: validate interrupt status length",
                            "    - USB: serial: cypress_m8: validate interrupt packet headers",
                            "    - USB: serial: digi_acceleport: fix memory corruption with small endpoints",
                            "    - USB: serial: keyspan: fix missing indat transfer sanity check",
                            "    - USB: serial: mxuport: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check",
                            "    - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind",
                            "    - usb: gadget: net2280: Fix double free in probe error path",
                            "    - usb: gadget: f_hid: fix device reference leak in hidg_alloc()",
                            "    - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling",
                            "    - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports",
                            "    - usb: gadget: f_fs: copy only received bytes on short ep0 read",
                            "    - usb: gadget: f_fs: serialize DMABUF cancel against request completion",
                            "    - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()",
                            "    - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow",
                            "    - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()",
                            "    - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker",
                            "    - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32",
                            "    - scsi: target: iscsi: Fix CRC overread and double-free in",
                            "      iscsit_handle_text_cmd()",
                            "    - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf",
                            "    - scsi: target: iscsi: Validate CHAP_R length before base64 decode",
                            "    - drm/hyperv: validate resolution_count and fix WIN8 fallback",
                            "    - drm/hyperv: validate VMBus packet size in receive callback",
                            "    - drm/gem: fix race between change_handle and handle_delete",
                            "    - drm/i915/color: Fix HDR pre-CSC LUT programming loop",
                            "    - drm/i915/psr: Block DC states on vblank enable when Panel Replay",
                            "      supported",
                            "    - drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable",
                            "    - drm/i915: Fix potential UAF in TTM object purge",
                            "    - drm/amd/pm/si: Disregard vblank time when no displays are connected",
                            "    - serial: altera_jtaguart: handle uart_add_one_port() failures",
                            "    - serial: qcom-geni: fix UART_RX_PAR_EN bit position",
                            "    - serial: qcom_geni: fix kfifo underflow when flush precedes DMA",
                            "      completion IRQ",
                            "    - serial: sh-sci: fix memory region release in error path",
                            "    - serial: zs: Fix swapped RI/DSR modem line transition counting",
                            "    - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma",
                            "    - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr",
                            "    - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger",
                            "    - drm/amdkfd: Check for pdd drm file first in CRIU restore path",
                            "    - drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO",
                            "    - drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx",
                            "    - drm/amdgpu: fix amdgpu_hmm_range_get_pages",
                            "    - drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO",
                            "    - serial: dz: Fix bootconsole message clobbering at chip reset",
                            "    - serial: dz: Fix bootconsole handover lockup",
                            "    - serial: dz: Convert to use a platform device",
                            "    - serial: zs: Fix bootconsole handover lockup",
                            "    - serial: zs: Switch to using channel reset",
                            "    - serial: zs: Convert to use a platform device",
                            "    - serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)",
                            "    - serial: 8250: dispatch SysRq character in serial8250_handle_irq()",
                            "    - serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()",
                            "    - platform/x86/intel/vsec: Refactor base_addr handling",
                            "    - platform/x86/intel/vsec: Make driver_data info const",
                            "    - platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery",
                            "    - rxrpc: Fix RESPONSE packet verification to extract skb to a linear",
                            "      buffer",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook",
                            "      X",
                            "    - arm64: tlb: Flush walk cache when unsharing PMD tables",
                            "    - i2c: tegra: make tegra_i2c_mutex_unlock() return void",
                            "    - hwmon: (pmbus) Add support for guarded PMBus lock",
                            "    - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with",
                            "      pmbus_lock",
                            "    - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock",
                            "    - net: phy: micrel: fix LAN8814 QSGMII soft reset",
                            "    - xhci: tegra: Fix ghost USB device on dual-role port unplug",
                            "    - mailbox: Fix NULL message support in mbox_send_message()",
                            "    - usb: core: Fix SuperSpeed root hub wMaxPacketSize",
                            "    - tools: ynl: add scope qualifier for definitions",
                            "    - Linux 7.0.12",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46318",
                            "    - Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46322",
                            "    - tun: free page on build_skb failure in tun_xdp_one()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46320",
                            "    - tap: free page on error paths in tap_get_user_xdp()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46321",
                            "    - tun: free page on short-frame rejection in tun_xdp_one()",
                            "",
                            "  * CVE-2026-46316 // CVE-2026-46317",
                            "    - KVM: arm64: Reassign nested_mmus array behind mmu_lock",
                            "",
                            "  * CVE-2026-46316",
                            "    - KVM: arm64: vgic-its: Drop the translation cache reference only for the",
                            "      erased entry",
                            "    - KVM: arm64: Take the SRCU lock for page table walks in fault injection",
                            "      and AT emulation",
                            "",
                            "  * Resolute update: v7.0.11 upstream stable release (LP: #2156390)",
                            "    - iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs",
                            "    - iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
                            "    - ksmbd: close durable scavenger races against m_fp_list lookups",
                            "    - ata: libata-scsi: improve readability of ata_scsi_qc_issue()",
                            "    - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT",
                            "    - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS",
                            "    - ata: libata-scsi: do not needlessly defer commands when using PMP with",
                            "      FBS",
                            "    - sysfs: don't remove existing directory on update failure",
                            "    - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
                            "    - ksmbd: fix null pointer dereference in compare_guid_key()",
                            "    - ksmbd: fix null pointer dereference in proc_show_files()",
                            "    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow",
                            "    - ksmbd: validate SID in parent security descriptor during ACL inheritance",
                            "    - regulator: tps65219: fix irq_data.rdev not being assigned",
                            "    - x86/mm: Disable broadcast TLB flush when PCID is disabled",
                            "    - scripts/gdb: mm: cast untyped symbols in x86_page_ops",
                            "    - smb: client: require net admin for CIFS SWN netlink",
                            "    - smb: client: protect tc_count increment in",
                            "      smb2_find_smb_sess_tcon_unlocked()",
                            "    - smb: client: use data_len for SMB2 READ encrypted folioq copy",
                            "    - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close",
                            "    - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX",
                            "    - ALSA: ua101: Reject too-short USB descriptors",
                            "    - ALSA: pcm: Don't setup bogus iov_iter for silencing",
                            "    - ALSA: asihpi: Fix potential OOB array access at reading cache",
                            "    - ALSA: scarlett2: Allow flash writes ending at segment boundary",
                            "    - ACPI: battery: Fix system wakeup on critical battery status",
                            "    - efi: Allocate runtime workqueue before ACPI init",
                            "    - spi: amd: Set correct bus number in ACPI probe path",
                            "    - io_uring/waitid: clear waitid info before copying it to userspace",
                            "    - drivers/base/memory: fix memory block reference leak in poison",
                            "      accounting",
                            "    - ipv6: ioam: refresh hdr pointer before ioam6_event()",
                            "    - mm/memory: fix spurious warning when unmapping device-private/exclusive",
                            "      pages",
                            "    - mm: fix __vm_normal_page() to handle missing support for",
                            "      pmd_special()/pud_special()",
                            "    - mm/memory_hotplug: fix memory block reference leak on remove",
                            "    - mm/page_alloc: fix initialization of tags of the huge zero folio with",
                            "      init_on_free",
                            "    - mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page",
                            "    - selftests/mm: run_vmtests.sh: fix destructive tests invocation",
                            "    - mm/damon: fix damos_stat tracepoint format for sz_applied",
                            "    - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
                            "    - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
                            "    - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START",
                            "    - Bluetooth: bnep: Fix UAF read of dev->name",
                            "    - Bluetooth: hci_uart: fix UAFs and race conditions in close and init",
                            "      paths",
                            "    - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer",
                            "    - Bluetooth: hci_qca: Convert timeout from jiffies to ms",
                            "    - Bluetooth: MGMT: validate Add Extended Advertising Data length",
                            "    - Bluetooth: serialize accept_q access",
                            "    - phonet/pep: disable BH around forwarded sk_receive_skb()",
                            "    - net: bcmgenet: keep RBUF EEE/PM disabled",
                            "    - net: devmem: reject dma-buf bind with non-page-aligned size or SG length",
                            "    - net: phy: skip EEE advertisement write when autoneg is disabled",
                            "    - net: hsr: defer node table free until after RCU readers",
                            "    - net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover",
                            "    - net: ifb: report ethtool stats over num_tx_queues",
                            "    - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()",
                            "    - netfilter: ip6t_hbh: reject oversized option lists",
                            "    - netfilter: nf_queue: hold bridge skb->dev while queued",
                            "    - netfilter: ipset: stop hash:* range iteration at end",
                            "    - net: ethtool: fix NULL pointer dereference in phy_reply_size",
                            "    - net: ethtool: phy: avoid NULL deref when PHY driver is unbound",
                            "    - ACPI: driver: Check ACPI_COMPANION() against NULL during probe",
                            "    - sched_ext: Fix missing warning in scx_set_task_state() default case",
                            "    - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path",
                            "    - l2tp: use list_del_rcu in l2tp_session_unhash",
                            "    - qed: fix double free in qed_cxt_tables_alloc()",
                            "    - ring-buffer: Fix reporting of missed events in iterator",
                            "    - ring-buffer: Flush and stop persistent ring buffer on panic",
                            "    - wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb",
                            "    - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()",
                            "    - selftests: mptcp: drop nanoseconds width specifier",
                            "    - mptcp: pm: fix ADD_ADDR timer infinite retry on option space",
                            "      insufficient",
                            "    - vsock/vmci: fix UAF when peer resets connection during handshake",
                            "    - vsock/virtio: reset connection on receiving queue overflow",
                            "    - ice: fix VF queue configuration with low MTU values",
                            "    - wifi: ath11k: clear shared SRNG pointer state on restart",
                            "    - wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
                            "    - wifi: iwlwifi: mld: stop TX during firmware restart",
                            "    - ipv4: raw: reject IP_HDRINCL packets with ihl < 5",
                            "    - ixgbevf: fix use-after-free in VEPA multicast source pruning",
                            "    - rbd: eliminate a race in lock_dwork draining on unmap",
                            "    - mptcp: do not drop partial packets",
                            "    - mptcp: reset rcv wnd on disconnect",
                            "    - lsm: hold cred_guard_mutex for lsm_set_self_attr()",
                            "    - octeontx2-af: CGX: add bounds check to cgx_speed_mbps index",
                            "    - octeontx2-pf: fix double free in rvu_rep_rsrc_init()",
                            "    - igc: fix potential skb leak in igc_fpe_xmit_smd_frame()",
                            "    - ice: fix locking around wait_event_interruptible_locked_irq",
                            "    - ice: fix setting promisc mode while adding VID filter",
                            "    - ice: restore PTP Rx timestamp config after ethtool set-channels",
                            "    - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
                            "    - af_unix: Fix UAF read of tail->len in unix_stream_data_wait()",
                            "    - wifi: mac80211: consume only present negotiated TTLM maps",
                            "    - octeontx2-pf: avoid double free of pool->stack on AQ init failure",
                            "    - cifs: Fix busy dentry used after unmounting",
                            "    - tracing: Do not call map->ops->elt_free() if elt_alloc() fails",
                            "    - ASoC: codecs: pcm512x: fix null-ptr dereference in",
                            "      pcm512x_overclock_xxx_put()",
                            "    - arm64: probes: Handle probes on hinted conditional branch instructions",
                            "    - KVM: arm64: vgic-its: Reject restored DTE with out-of-range",
                            "      num_eventid_bits",
                            "    - KVM: arm64: vgic: Free private_irqs when init fails after allocation",
                            "    - KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum",
                            "      #1235)",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM",
                            "    - virt: sev-guest: Explicitly leak pages in unknown state",
                            "    - i2c: tegra: fix pm_runtime leak on mutex_lock failure",
                            "    - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe",
                            "    - spi: qup: fix error pointer deref after DMA setup failure",
                            "    - phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870",
                            "    - phy: tegra: xusb: Fix per-pad high-speed termination calibration",
                            "    - phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4",
                            "      fix",
                            "    - phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables",
                            "    - phy: qcom: edp: Add eDP/DP mode switch support",
                            "    - phy: qcom: edp: Fix AUX_CFG8 programming for DP mode",
                            "    - scsi: isci: Fix use-after-free in device removal path",
                            "    - spi: ep93xx: fix error pointer deref after DMA setup failure",
                            "    - spi: sprd: fix error pointer deref after DMA setup failure",
                            "    - spi: ti-qspi: fix use-after-free after DMA setup failure",
                            "    - mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()",
                            "    - RDMA/siw: Reject MPA FPDU length underflow before signed receive math",
                            "    - s390/cio: Restore GFP_DMA for CHSC allocation",
                            "    - s390/pai: Disable duplicate read of kernel PAI counter value",
                            "    - s390/pai: Fix missing PAI counter increments under heavy load",
                            "    - fwctl: pds: Validate RPC input size before parsing",
                            "    - LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions",
                            "    - LoongArch: Remove unused code to avoid build warning",
                            "    - cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E",
                            "    - device property: set fwnode->secondary to NULL in fwnode_init()",
                            "    - drm/i915/display: Copy color pipeline from plane in the primary joiner",
                            "      pipe",
                            "    - drm/msm: Fix shrinker deadlock",
                            "    - drm/v3d: Fix use-after-free of CPU job query arrays on error path",
                            "    - drm/v3d: Release indirect CSD GEM reference on CPU job free",
                            "    - drm/virtio: use uninterruptible resv lock for plane updates",
                            "    - drm/xe/multi_queue: Fix secondary queue error case",
                            "    - drm/amdgpu/vpe: Force collaborate sync after TRAP",
                            "    - drm/bridge: it66121: acquire reset GPIO in probe",
                            "    - drm/bridge: megachips: remove bridge when irq request fails",
                            "    - drm/amd/display: Fix integer overflow in bios_get_image()",
                            "    - drm/amd/display: Validate GPIO pin LUT table size before iterating",
                            "    - drm/amd/display: Validate payload length and link_index in",
                            "      dc_process_dmub_aux_transfer_async",
                            "    - batman-adv: v: stop OGMv2 on disabled interface",
                            "    - batman-adv: tvlv: abort OGM send on tvlv append failure",
                            "    - batman-adv: tvlv: reject oversized TVLV packets",
                            "    - batman-adv: iv: recover OGM scheduling after forward packet error",
                            "    - batman-adv: mcast: fix use-after-free in orig_node RCU release",
                            "    - batman-adv: clear current gateway during teardown",
                            "    - batman-adv: dat: handle forward allocation error",
                            "    - batman-adv: fix fragment reassembly length accounting",
                            "    - batman-adv: fix tp_meter counter underflow during shutdown",
                            "    - batman-adv: frag: disallow unicast fragment in fragment",
                            "    - batman-adv: bla: fix report_work leak on backbone_gw purge",
                            "    - batman-adv: bla: avoid double decrement of bla.num_requests",
                            "    - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface",
                            "    - batman-adv: tp_meter: avoid use of uninit sender vars",
                            "    - batman-adv: tp_meter: directly shut down timer on cleanup",
                            "    - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown",
                            "    - batman-adv: tp_meter: fix race condition in send error reporting",
                            "    - batman-adv: tp_meter: avoid role confusion in tp_list",
                            "    - batman-adv: tt: fix TOCTOU race for reported vlans",
                            "    - batman-adv: tt: reject oversized local TVLV buffers",
                            "    - batman-adv: tt: avoid empty VLAN responses",
                            "    - batman-adv: tt: fix negative last_changeset_len",
                            "    - batman-adv: tt: fix negative tt_buff_len",
                            "    - batman-adv: tt: prevent TVLV entry number overflow",
                            "    - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock",
                            "    - hwmon: (pmbus/adm1266) reject implausible blackbox record_count",
                            "    - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer",
                            "    - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized",
                            "      buffer",
                            "    - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR",
                            "    - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in",
                            "      get_multiple",
                            "    - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO",
                            "      accessors",
                            "    - pinctrl: mediatek: moore: implement gpio_chip::get_direction()",
                            "    - pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function",
                            "    - arm64: dts: renesas: r8a78000: Fix SCIF brg_int clocks",
                            "    - ARM: dts: renesas: genmai: Drop superfluous cells",
                            "    - ARM: dts: renesas: rskrza1: Drop superfluous cells",
                            "    - pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high",
                            "      pins during suspend/resume",
                            "    - pinctrl: renesas: rzg2l: Fix SMT register cache handling",
                            "    - pinctrl: meson: amlogic-a4: fix deadlock issue",
                            "    - pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615",
                            "    - kho: skip KHO for crash kernel",
                            "    - mm/memfd_luo: report error when restoring a folio fails mid-loop",
                            "    - HID: intel-thc-hid: Intel-quickspi: Fix some error codes",
                            "    - HID: uclogic: Fix regression of input name assignment",
                            "    - firmware: arm_ffa: Check for NULL FF-A ID table while driver",
                            "      registration",
                            "    - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure",
                            "    - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue",
                            "    - firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0",
                            "    - riscv: errata: Fix bitwise vs logical AND in MIPS errata patching",
                            "    - riscv: Fix register corruption from uninitialized cregs on error",
                            "    - riscv: mm: Fixup no5lvl failure when vaddr is invalid",
                            "    - kunit: config: Enable KUNIT_DEBUGFS by default",
                            "    - kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS",
                            "    - pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150",
                            "    - firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies",
                            "    - firmware: arm_ffa: Keep framework RX release under lock",
                            "    - firmware: arm_ffa: Validate framework notification message layout",
                            "    - firmware: arm_ffa: Align RxTx buffer size before mapping",
                            "    - firmware: arm_ffa: Snapshot notifier callbacks under lock",
                            "    - firmware: arm_ffa: Fix sched-recv callback partition lookup",
                            "    - ARM: integrator: Fix early initialization",
                            "    - ALSA: hda: cs35l56: Put ACPI device after setting companion",
                            "    - ALSA: hda: cs35l41: Put ACPI device on missing physical node",
                            "    - btrfs: tracepoints: fix sleep while in atomic context in",
                            "      btrfs_sync_file()",
                            "    - netfilter: x_tables: allow initial table replace without emitting audit",
                            "      log message",
                            "    - netfilter: x_tables: allocate hook ops while under mutex",
                            "    - netfilter: x_tables: unregister the templates first",
                            "    - netfilter: x_tables: add and use xt_unregister_table_pre_exit",
                            "    - netfilter: x_tables: add and use xtables_unregister_table_exit",
                            "    - netfilter: ebtables: move to two-stage removal scheme",
                            "    - netfilter: ebtables: close dangling table module init race",
                            "    - netfilter: x_tables: close dangling table module init race",
                            "    - netfilter: bridge: eb_tables: close module init race",
                            "    - netfilter: nf_conntrack_expect: restore helper propagation via",
                            "      expectation",
                            "    - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()",
                            "    - test_kprobes: clear kprobes between test runs",
                            "    - tcp: Fix imbalanced icsk_accept_queue count.",
                            "    - net: napi: Avoid gro timer misfiring at end of busypoll",
                            "    - net: shaper: Reject reparenting of existing nodes",
                            "    - idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
                            "    - ice: fix setting RSS VSI hash for E830",
                            "    - ice: fix locking in ice_dcb_rebuild()",
                            "    - ice: dpll: fix rclk pin state get for E810",
                            "    - ice: dpll: fix misplaced header macros",
                            "    - net: lan966x: avoid unregistering netdev on register failure",
                            "    - net: ti: icssm-prueth: fix eth_ports_node leak in probe",
                            "    - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register",
                            "      access",
                            "    - phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init()",
                            "    - NFSD: Fix infinite loop in layout state revocation",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC",
                            "    - fprobe: Fix unregister_fprobe() to wait for RCU grace period",
                            "    - fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap",
                            "    - fs: Fix return in jfs_mkdir and orangefs_mkdir",
                            "    - irqchip/ath79-cpu: Remove unused function",
                            "    - fs: fix forced iversion increment on lazytime timestamp updates",
                            "    - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter",
                            "      validation",
                            "    - nsfs: fix wrong error code returned for pidns ioctls",
                            "    - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT",
                            "    - nvme: fix bio leak on mapping failure",
                            "    - nvme-pci: fix use-after-free in nvme_free_host_mem()",
                            "    - zonefs: handle integer overflow in zonefs_fname_to_fno",
                            "    - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().",
                            "    - ASoC: SOF: amd: Fix error code handling in psp_send_cmd()",
                            "    - powerpc: 82xx: fix uninitialized pointers with free attribute",
                            "    - powerpc: fix dead default for GUEST_STATE_BUFFER_TEST",
                            "    - powerpc/hv-gpci: fix preempt count leak in sysfs show paths",
                            "    - netfs: Fix cancellation of a DIO and single read subrequests",
                            "    - netfs: Fix missing locking around retry adding new subreqs",
                            "    - netfs: Fix missing barriers when accessing stream->subrequests",
                            "      locklessly",
                            "    - netfs: Fix netfs_read_to_pagecache() to pause on subreq failure",
                            "    - netfs: Fix potential for tearing in ->remote_i_size and ->zero_point",
                            "    - netfs: Fix zeropoint update where i_size > remote_i_size",
                            "    - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call",
                            "    - netfs: Fix overrun check in netfs_extract_user_iter()",
                            "    - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes",
                            "      gone",
                            "    - netfs: Defer the emission of trace_netfs_folio()",
                            "    - netfs: Fix streaming write being overwritten",
                            "    - netfs: Fix potential deadlock in write-through mode",
                            "    - netfs: Fix read-gaps to remove netfs_folio from filled folio",
                            "    - netfs: Fix write streaming disablement if fd open O_RDWR",
                            "    - netfs: Fix early put of sink folio in netfs_read_gaps()",
                            "    - netfs: Fix leak of request in netfs_write_begin() error handling",
                            "    - netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()",
                            "    - netfs: Fix partial invalidation of streaming-write folio",
                            "    - netfs: Fix folio->private handling in netfs_perform_write()",
                            "    - netfs: Fix netfs_read_folio() to wait on writeback",
                            "    - netfs, afs: Fix write skipping in dir/link writepages",
                            "    - afs: Fix the locking used by afs_get_link()",
                            "    - net: ethernet: cortina: Make RX SKB per-port",
                            "    - net: ethernet: cortina: Drop half-assembled SKB",
                            "    - net: ethernet: cortina: Carry over frag counter",
                            "    - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference",
                            "    - wifi: ath11k: fix error path leaks in some WMI WOW calls",
                            "    - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()",
                            "    - wifi: ath10k: skip WMI and beacon transmission when device is wedged",
                            "    - net: shaper: flip the polarity of the valid flag",
                            "    - net: shaper: fix trivial ordering issue in net_shaper_commit()",
                            "    - net: shaper: reject duplicate leaves in GROUP request",
                            "    - net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit",
                            "    - net: shaper: fix undersized reply skb allocation in GROUP command",
                            "    - net: shaper: enforce singleton NETDEV scope with id 0",
                            "    - net: shaper: reject QUEUE scope handle with missing id",
                            "    - block: don't overwrite bip_vcnt in bio_integrity_copy_user()",
                            "    - block: recompute nr_integrity_segments in blk_insert_cloned_request",
                            "    - HID: quirks: really enable the intended work around for appledisplay",
                            "    - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()",
                            "    - accel/qaic: Add overflow check to remap_pfn_range during mmap",
                            "    - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint",
                            "    - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics",
                            "    - drm/msm/dpu: fix UV scanlines calculation for YUV UBWC formats",
                            "    - drm/msm/dpu: Fix Kaanapali CWB register configuration",
                            "    - drm/msm/dsi: don't dump registers past the mapped region",
                            "    - drm/msm/dpu: don't mix devm and drmm functions",
                            "    - block: rename struct gendisk zone_wplugs_lock field",
                            "    - block: allow submitting all zone writes from a single context",
                            "    - block: fix handling of dead zone write plugs",
                            "    - selftests: ublk: cap nthreads to kernel's actual nr_hw_queues",
                            "    - x86/mce: Restore MCA polling interval halving",
                            "    - Documentation: intel_pstate: Fix description of asymmetric packing with",
                            "      SMT",
                            "    - drm/msm: Fix GMEM_BASE for A650",
                            "    - drm/msm/a6xx: Add soft fuse detection support",
                            "    - drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()",
                            "    - drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx",
                            "    - drm/msm/a6xx: Restore sysprof_active",
                            "    - drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN",
                            "    - drm/msm/a6xx: Check kzalloc return in a8xx_hfi_send_perf_table",
                            "    - ASoC: intel: sof_sdw: Prepare for configuration without a jack",
                            "    - ASoC: sdw_utils: cs42l43: allow spk component names to be combined",
                            "    - ASoC: sdw_utils: Check speaker component string allocation",
                            "    - riscv: Docs: fix unmatched quote warning",
                            "    - powerpc/time: Remove redundant preempt_disable|enable() calls from",
                            "      arch_irq_work_raise()",
                            "    - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot",
                            "    - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring",
                            "    - net: tls: prevent chain-after-chain in plain text SG",
                            "    - net: phy: DP83TC811: add reading of abilities",
                            "    - ovpn: tcp - use cached peer pointer in ovpn_tcp_close()",
                            "    - ovpn: respect peer refcount in CMD_NEW_PEER error path",
                            "    - ovpn: fix race between deleting interface and adding new peer",
                            "    - cifs: client: stage smb3_reconfigure() updates and restore ctx on",
                            "      failure",
                            "    - phy: apple: atc: Fix typec switch/mux leak on unbind",
                            "    - gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE",
                            "    - x86/xen: Fix xen_e820_swap_entry_with_ram()",
                            "    - vfio/pci: Check BAR resources before exporting a DMABUF",
                            "    - ovpn: disable BHs when updating device stats",
                            "    - tls: Preserve sk_err across recvmsg() when data has been copied",
                            "    - net/mlx5: Do not restore destination-less TC rules",
                            "    - net/mlx5: Skip disabled vports when setting max TX speed",
                            "    - scsi: sd: Fix return code handling in sd_spinup_disk()",
                            "    - ASoC: codecs: fs210x: fix possible buffer overflow",
                            "    - iommupt: Directly call iommupt's unmap_range()",
                            "    - iommupt: Avoid rewalking during map",
                            "    - iommu: Fix loss of errno on map failure for classic ops",
                            "    - iommu: Fix up map/unmap debugging for iommupt domains",
                            "    - iommu: Handle unmap error when iommu_debug is enabled",
                            "    - iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap",
                            "    - iommupt: Fix the end_index calculation in __map_range_leaf()",
                            "    - ALSA: scarlett2: Add missing error check when initialise Autogain Status",
                            "    - ALSA: hda/ca0132: Disable auto-detect on manual output select",
                            "    - cachefiles: Fix error return when vfs_mkdir() fails",
                            "    - io_uring/net: punt IORING_OP_BIND async if it needs file create",
                            "    - vsock/virtio: fix zerocopy completion for multi-skb sends",
                            "    - btrfs: check for subvolume before deleting squota qgroup",
                            "    - btrfs: fix squota accounting during enable generation",
                            "    - ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging",
                            "    - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()",
                            "    - netfilter: nft_inner: release local_lock before re-enabling softirqs",
                            "    - ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5",
                            "    - drm/msm/snapshot: fix dumping of the unaligned regions",
                            "    - hwmon: (lm90) Stop work before releasing hwmon device",
                            "    - hwmon: (lm90) Add lock protection to lm90_alert",
                            "    - wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is",
                            "      disabled",
                            "    - wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it",
                            "    - dma-mapping: move dma_map_resource() sanity check into debug code",
                            "    - drm/gem: Make the GEM LRU lock part of drm_device",
                            "    - drm/xe/gsc: Fix double-free of managed BO in error path",
                            "    - drm/xe/vf: Fix signature of print functions",
                            "    - drm/xe/pf: Fix CFI failure in debugfs access",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019988906",
                            "    - drm/xe: Consolidate workaround entries for Wa_18033852989",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN1",
                            "    - drm/xe/tuning: Apply windower hardware filtering setting on Xe3 and Xe3p",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN4",
                            "    - wifi: ath11k: fix peer resolution on rx path when peer_id=0",
                            "    - wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing",
                            "    - drm/mediatek: mtk_hdmi_ddc_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_cec: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable",
                            "    - io_uring: propagate array_index_nospec opcode into req->opcode",
                            "    - srcu: Don't queue workqueue handlers to never-online CPUs",
                            "    - cgroup/rstat: validate cpu before css_rstat_cpu() access",
                            "    - net/mlx5e: xsk: Fix unlocked writing to ICOSQ",
                            "    - cifs: Fix undefined variables",
                            "    - ice: ptp: serialize E825 PHY timer start with PTP lock",
                            "    - ice: ptp: use primary NAC semaphore on E825",
                            "    - igc: set tx buffer type for SMD frames",
                            "    - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP",
                            "    - phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config",
                            "    - kbuild: pacman-pkg: make \"rc\" releases adhere to pacman versioning",
                            "      scheme",
                            "    - net: dsa: mt7530: fix FDB entries not aging out with short timeout",
                            "    - net: dsa: mt7530: preserve VLAN tags on trapped link-local frames",
                            "    - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer",
                            "    - platform/surface: aggregator_registry: omit battery & AC nodes on",
                            "      Surface Laptop 7",
                            "    - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL",
                            "    - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel_sar: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: uniwill-laptop: Properly initialize charging threshold",
                            "    - platform/x86: uniwill-laptop: Accept charging threshold of 0",
                            "    - platform/x86: uniwill-laptop: Fix behavior of \"force\" module param",
                            "    - platform/x86: asus-armoury: fix mini-LED mode get/set on MODE2 devices",
                            "    - ASoC: soc-utils: Add missing va_end in snd_soc_ret()",
                            "    - drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti (v2)",
                            "    - drm/amdgpu/vce1: Check that the GPU address is < 128 MiB",
                            "    - drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets",
                            "    - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port",
                            "    - RDMA/rtrs: Fix use-after-free in path file creation cleanup",
                            "    - bridge: mcast: Fix a possible use-after-free when removing a bridge port",
                            "    - net: phy: honor eee_disabled_modes in phy_support_eee()",
                            "    - net: phy: honor eee_disabled_modes in phy_advertise_eee_all()",
                            "    - net: airoha: Fix NPU RX DMA descriptor bits",
                            "    - pds_core: fix error handling in pdsc_devcmd_wait",
                            "    - pds_core: fix debugfs_lookup dentry leak and error handling",
                            "    - erofs: fix managed cache race for unaligned extents",
                            "    - erofs: harden h_shared_count in erofs_init_inode_xattrs()",
                            "    - erofs: fix metabuf leak in inode xattr initialization",
                            "    - wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs",
                            "    - wifi: mac80211: fix MLE defragmentation",
                            "    - wifi: mac80211: fix multi-link element inheritance",
                            "    - wifi: wilc1000: fix dma_buffer leak on bus acquire failure",
                            "    - ALSA: seq: Serialize UMP output teardown with event_input",
                            "    - cgroup: rstat: relax NMI guard after switch to try_cmpxchg",
                            "    - tracing: Avoid NULL return from hist_field_name() on truncation",
                            "    - Bluetooth: hci_sync: Fix not setting mask for",
                            "      HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE",
                            "    - Bluetooth: btintel_pcie: Fix incorrect MAC access programming",
                            "    - Bluetooth: btmtk: fix urb->setup_packet leak in error paths",
                            "    - udp: gso: Fix handling checksum in __udp_gso_segment",
                            "    - udp: Fix UDP length on last GSO_PARTIAL segment",
                            "    - net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA",
                            "    - net: shaper: annotate the data races",
                            "    - net: shaper: rework the VALID marking (again)",
                            "    - crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks",
                            "    - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg",
                            "    - net: ag71xx: check error for platform_get_irq",
                            "    - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx",
                            "    - tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction",
                            "    - net: stmmac: eswin: fix HSP CSR init ordering after clock enable",
                            "    - net: stmmac: eswin: clear TXD and RXD delay registers during",
                            "      initialization",
                            "    - net: stmmac: eswin: correct RGMII delay granularity to 20 ps",
                            "    - net: stmmac: eswin: validate RGMII delay values",
                            "    - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed",
                            "    - gpio: aggregator: fix a potential use-after-free",
                            "    - gpio: aggregator: stop using dev-sync-probe",
                            "    - gpio: aggregator: remove the software node when deactivating the",
                            "      aggregator",
                            "    - gpio: aggregator: lock device when calling device_is_bound()",
                            "    - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()",
                            "    - drm/xe/oa: Fix exec_queue leak on width check in stream open",
                            "    - ASoC: cs-amp-lib: Fix wrong sizeof() in",
                            "      _cs_amp_set_efi_calibration_data()",
                            "    - ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup()",
                            "    - selftests: net: Fix checksums in xdp_native",
                            "    - nvme-pci: fix dma_vecs leak on p2p memory",
                            "    - nvme-pci: fix dma mapping leak on data setup error",
                            "    - octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs",
                            "    - net: mana: validate rx_req_idx to prevent out-of-bounds array access",
                            "    - tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR",
                            "    - net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback",
                            "    - pds_core: ensure null-termination for firmware version strings",
                            "    - net: enetc: fix missing error code when pf->vf_state allocation fails",
                            "    - io_uring/nop: pass all errors to userspace",
                            "    - blk-mq: pop cached request if it is usable",
                            "    - ksmbd: fix durable reconnect error path file lifetime",
                            "    - LoongArch: kprobes: Fix handling of fatal unrecoverable recursions",
                            "    - block: avoid use-after-free in disk_free_zone_resources()",
                            "    - Documentation: laptops: Update documentation for uniwill laptops",
                            "    - platform/x86: uniwill-laptop: Do not enable the charging limit even when",
                            "      forced",
                            "    - drm/msm: Restore second parameter name in purge() and evict()",
                            "    - security/keys: fix missed RCU read section on lookup",
                            "    - Linux 7.0.11",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385)",
                            "    - blk-cgroup: wait for blkcg cleanup before initializing new disk",
                            "    - md: suppress spurious superblock update error message for dm-raid",
                            "    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
                            "    - fs/mbcache: cancel shrink work before destroying the cache",
                            "    - md/raid1: fix the comparing region of interval tree",
                            "    - fs: fix archiecture-specific compat_ftruncate64",
                            "    - drbd: Balance RCU calls in drbd_adm_dump_devices()",
                            "    - loop: fix partition scan race between udev and loop_reread_partitions()",
                            "    - block: fix zones_cond memory leak on zone revalidation error paths",
                            "    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()",
                            "    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()",
                            "    - pstore/ram: fix resource leak when ioremap() fails",
                            "    - erofs: include the trailing NUL in FS_IOC_GETFSLABEL",
                            "    - md: fix array_state=clear sysfs deadlock",
                            "    - ublk: reset per-IO canceled flag on each fetch",
                            "    - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()",
                            "    - erofs: handle 48-bit blocks/uniaddr for extra devices",
                            "    - md: remove unused static md_wq workqueue",
                            "    - md: wake raid456 reshape waiters before suspend",
                            "    - dcache: permit dynamic_dname()s up to NAME_MAX",
                            "    - btrfs: fix the inline compressed extent check in inode_need_compress()",
                            "    - btrfs: fix deadlock between reflink and transaction commit when using",
                            "      flushoncommit",
                            "    - btrfs: do not reject a valid running dev-replace",
                            "    - OPP: debugfs: Use performance level if available to distinguish between",
                            "      rates",
                            "    - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()",
                            "    - ACPI: x86: cmos_rtc: Clean up address space handler driver",
                            "    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver",
                            "    - devres: fix missing node debug info in devm_krealloc()",
                            "    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags",
                            "    - debugfs: check for NULL pointer in debugfs_create_str()",
                            "    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()",
                            "    - soundwire: debugfs: initialize firmware_file to empty string",
                            "    - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()",
                            "    - amd-pstate: Update cppc_req_cached in fast_switch case",
                            "    - cpufreq: Pass the policy to cpufreq_driver->adjust_perf()",
                            "    - PCI: use generic driver_override infrastructure",
                            "    - platform/wmi: use generic driver_override infrastructure",
                            "    - vdpa: use generic driver_override infrastructure",
                            "    - s390/cio: use generic driver_override infrastructure",
                            "    - s390/ap: use generic driver_override infrastructure",
                            "    - bus: fsl-mc: use generic driver_override infrastructure",
                            "    - locking/mutex: Rename mutex_init_lockep()",
                            "    - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC",
                            "    - irqchip/irq-pic32-evic: Address warning related to wrong printf()",
                            "      formatter",
                            "    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()",
                            "    - hrtimer: Reduce trace noise in hrtimer_start()",
                            "    - locking: Fix rwlock and spinlock lock context annotations",
                            "    - signal: Fix the lock_task_sighand() annotation",
                            "    - ww-mutex: Fix the ww_acquire_ctx function annotations",
                            "    - perf/amd/ibs: Account interrupt for discarded samples",
                            "    - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR",
                            "    - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler",
                            "    - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE",
                            "    - rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`",
                            "    - sparc64: vdso: Link with -z noexecstack",
                            "    - scripts/gdb: timerlist: Adapt to move of tk_core",
                            "    - locking: Fix rwlock support in <linux/spinlock_up.h>",
                            "    - sched/topology: Compute sd_weight considering cpuset partitions",
                            "    - x86/irqflags: Preemptively move include paravirt.h directive where it",
                            "      belongs",
                            "    - sched/topology: Fix sched_domain_span()",
                            "    - irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()",
                            "    - ASoC: Intel: avs: Check maximum valid CPUID leaf",
                            "    - ASoC: Intel: avs: Include CPUID header at file scope",
                            "    - x86/vdso: Clean up remnants of VDSO32_NOTE_MASK",
                            "    - firmware: dmi: Correct an indexing error in dmi.h",
                            "    - fs/resctrl: Report invalid domain ID when parsing io_alloc_cbm",
                            "    - sched: Make class_schedulers avoid pushing current, and get rid of",
                            "      proxy_tag_curr()",
                            "    - sched/rt: Skip group schedulable check with rt_group_sched=0",
                            "    - wifi: ath11k: fix memory leaks in beacon template setup",
                            "    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()",
                            "    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished",
                            "      irq_prepare_bcn_tasklet",
                            "    - bpf: test_run: Fix the null pointer dereference issue in",
                            "      bpf_lwt_xmit_push_encap",
                            "    - wifi: ath12k: account TX stats only when ACK/BA status is present",
                            "    - wifi: ath12k: Fix legacy rate mapping for monitor mode capture",
                            "    - selftests/bpf: Handle !CONFIG_SMC in bpf_smc.c",
                            "    - wifi: ieee80211: fix definition of EHT-MCS 15 in MRU",
                            "    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH",
                            "    - [Config] Disable CONFIG_FSL_DPAA2_SWITCH on armhf and ppc64el",
                            "    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n",
                            "    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments",
                            "    - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy",
                            "    - powerpc/64s: Fix unmap race with PMD migration entries",
                            "    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n",
                            "    - wifi: libertas: use USB anchors for tracking in-flight URBs",
                            "    - wifi: libertas: don't kill URBs in interrupt context",
                            "    - bpf: Do not allow deleting local storage in NMI",
                            "    - selftests/nolibc: fix test_file_stream() on musl libc",
                            "    - selftests/nolibc: Fix build with host headers and libc",
                            "    - tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to",
                            "      'outbuf[]'",
                            "    - tools/nolibc/printf: Move snprintf length check to callback",
                            "    - tools/nolibc: MIPS: fix clobbers of 'lo' and 'hi' registers on different",
                            "      ISAs",
                            "    - tools/nolibc: avoid -Wundef warning for __STDC_VERSION__",
                            "    - wifi: mt76: mt7996: fix the behavior of radar detection",
                            "    - wifi: mt76: mt7996: fix iface combination for different chipsets",
                            "    - wifi: mt76: mt7996: Set mtxq->wcid just for primary link",
                            "    - wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in",
                            "      mt7996_vif_link_remove()",
                            "    - wifi: mt76: mt7996: Switch to the secondary link if the default one is",
                            "      removed",
                            "    - wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()",
                            "    - wifi: mt76: mt7996: Reset ampdu_state state in case of failure in",
                            "      mt7996_tx_check_aggr()",
                            "    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in",
                            "      mt76_connac2_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control",
                            "    - wifi: mt76: mt7615: fix use_cts_prot support",
                            "    - wifi: mt76: mt7915: fix use_cts_prot support",
                            "    - wifi: mt76: mt7925: prevent NULL pointer dereference in",
                            "      mt7925_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: prevent NULL vif dereference in",
                            "      mt7925_mac_write_txwi",
                            "    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor",
                            "    - wifi: mt76: mt7921: Place upper limit on station AID",
                            "    - wifi: mt76: Fix memory leak destroying device",
                            "    - wifi: mt76: mt7996: Fix NPU stop procedure",
                            "    - wifi: mt76: npu: Add missing rx_token_size initialization",
                            "    - wifi: mt76: mt7925: drop puncturing handling from BSS change path",
                            "    - wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync",
                            "    - wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()",
                            "    - wifi: mt76: mt7925: fix tx power setting failure after chip reset",
                            "    - wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync",
                            "    - wifi: mt76: fix deadlock in remain-on-channel",
                            "    - wifi: mt76: fix backoff fields and max_power calculation",
                            "    - arm64: cpufeature: Make PMUVer and PerfMon unsigned",
                            "    - bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI",
                            "    - wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP",
                            "    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event",
                            "    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()",
                            "    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()",
                            "    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection",
                            "    - wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property",
                            "    - wifi: mt76: mt7996: Remove link pointer dependency in",
                            "      mt7996_mac_sta_remove_links()",
                            "    - wifi: mt76: mt7996: Decrement sta counter removing the link in",
                            "      mt7996_mac_reset_sta_iter()",
                            "    - wifi: mt76: fix multi-radio on-channel scanning",
                            "    - wifi: mt76: support upgrading passive scans to active",
                            "    - wifi: mt76: mt7996: fix RRO EMU configuration",
                            "    - bpf: Fix refcount check in check_struct_ops_btf_id()",
                            "    - selftests/bpf: Fix sockmap_multi_channels reliability",
                            "    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
                            "    - bpf: Fix variable length stack write over spilled pointers",
                            "    - arm_mpam: Ensure in_reset_state is false after applying configuration",
                            "    - arm_mpam: Reset when feature configuration bit unset",
                            "    - bpf,arc_jit: Fix missing newline in pr_err messages",
                            "    - wifi: rtw89: phy: fix uninitialized variable access in",
                            "      rtw89_phy_cfo_set_crystal_cap()",
                            "    - drivers/vfio_pci_core: Change PXD_ORDER check from switch case to",
                            "      if/else block",
                            "    - r8152: fix incorrect register write to USB_UPHY_XTAL",
                            "    - selftests/tracing: Fix to make --logdir option work again",
                            "    - selftests/tracing: Fix to check awk supports non POSIX strtonum()",
                            "    - powerpc/crash: fix backup region offset update to elfcorehdr",
                            "    - powerpc/crash: Update backup region offset in elfcorehdr on memory",
                            "      hotplug",
                            "    - bpf: Fix abuse of kprobe_write_ctx via freplace",
                            "    - macvlan: annotate data-races around port->bc_queue_len_used",
                            "    - bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK",
                            "    - bpf: Fix stale offload->prog pointer after constant blinding",
                            "    - net: ethernet: ti-cpsw:: rename soft_reset() function",
                            "    - net: ethernet: ti-cpsw: fix linking built-in code to modules",
                            "    - wifi: brcmfmac: Fix error pointer dereference",
                            "    - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()",
                            "    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable",
                            "      hooks",
                            "    - bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes",
                            "    - wifi: ath10k: fix station lookup failure during disconnect",
                            "    - bpf: Fix linked reg delta tracking when src_reg == dst_reg",
                            "    - net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT",
                            "    - net: plumb drop reasons to __dev_queue_xmit()",
                            "    - net: qdisc_pkt_len_segs_init() cleanup",
                            "    - net: pull headers in qdisc_pkt_len_segs_init()",
                            "    - arm64: entry: Don't preempt with SError or Debug masked",
                            "    - ACPI: AGDI: fix missing newline in error message",
                            "    - arm64: kexec: Remove duplicate allocation for trans_pgd",
                            "    - bpf: Propagate error from visit_tailcall_insn",
                            "    - bpf: Fix ld_{abs,ind} failure path analysis in subprogs",
                            "    - bpf: Remove static qualifier from local subprog pointer",
                            "    - mptcp: better mptcp-level RTT estimator",
                            "    - bpf: Fix use-after-free in offloaded map/prog info fill",
                            "    - macsec: Support VLAN-filtering lower devices",
                            "    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb",
                            "    - net: bcmgenet: fix leaking free_bds",
                            "    - net: bcmgenet: fix racing timeout handler",
                            "    - net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()",
                            "    - eth: fbnic: Use wake instead of start",
                            "    - netfilter: xt_socket: enable defrag after all other checks",
                            "    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding",
                            "    - bpf: fix mm lifecycle in open-coded task_vma iterator",
                            "    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks",
                            "    - bpf: return VMA snapshot from task_vma iterator",
                            "    - bpf: Fix RCU stall in bpf_fd_array_map_clear()",
                            "    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf",
                            "    - net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available",
                            "    - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars",
                            "    - selftests/bpf: fix __jited_unpriv tag name",
                            "    - net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
                            "    - net/sched: act_ct: Only release RCU read lock after ct_ft",
                            "    - selftests: netfilter: nft_tproxy.sh: adjust to socat changes",
                            "    - net: mana: Use pci_name() for debugfs directory naming",
                            "    - net: mana: Move current_speed debugfs file to mana_init_port()",
                            "    - net: airoha: Add missing RX_CPU_IDX() configuration in",
                            "      airoha_qdma_cleanup_rx_queue()",
                            "    - net_sched: fix skb memory leak in deferred qdisc drops",
                            "    - bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
                            "    - bpf: Allow instructions with arena source and non-arena dest registers",
                            "    - selftests/bpf: Fix reg_bounds to match new tnum-based refinement",
                            "    - net/rds: Optimize rds_ib_laddr_check",
                            "    - net/rds: Restrict use of RDS/IB to the initial network namespace",
                            "    - bpf: Fix OOB in pcpu_init_value",
                            "    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls",
                            "    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG",
                            "    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+",
                            "    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110",
                            "    - net: phy: fix a return path in get_phy_c45_ids()",
                            "    - net/mlx5e: Fix features not applied during netdev registration",
                            "    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()",
                            "    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers",
                            "    - net: fix skb_ext_total_length() BUILD_BUG_ON with",
                            "      CONFIG_GCOV_PROFILE_ALL",
                            "    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb",
                            "    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds",
                            "      MTU",
                            "    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error",
                            "    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
                            "    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp",
                            "    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to",
                            "      sco_pi(sk)->codec",
                            "    - net: phy: qcom: at803x: Use the correct bit to disable extended next",
                            "      page",
                            "    - udp: Force compute_score to always inline",
                            "    - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().",
                            "    - sctp: fix missing encap_port propagation for GSO fragments",
                            "    - sctp: disable BH before calling udp_tunnel_xmit_skb()",
                            "    - selftests/namespaces: remove unused utils.h include from",
                            "      listns_efault_test",
                            "    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master",
                            "    - net: airoha: Fix VIP configuration for AN7583 SoC",
                            "    - net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()",
                            "    - drm/panel: ilitek-ili9882t: Select DRM_DISPLAY_DSC_HELPER",
                            "    - selftests/futex: Fix incorrect result reporting of futex_requeue test",
                            "      item",
                            "    - drm/komeda: fix integer overflow in AFBC framebuffer size check",
                            "    - dma-fence: Fix sparse warnings due __rcu annotations",
                            "    - drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()",
                            "    - drm/virtio: Allow importing prime buffers when 3D is enabled",
                            "    - ASoC: soc-compress: use function to clear symmetric params",
                            "    - PCI/TPH: Allow TPH enable for RCiEPs",
                            "    - PCI: endpoint: pci-epf-vntb: Fix MSI doorbell IRQ unwind",
                            "    - PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested",
                            "    - PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc",
                            "    - drm/sun4i: mixer: Fix layer init code",
                            "    - drm/sun4i: backend: fix error pointer dereference",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019877138",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019386621",
                            "    - drm/xe/xe2_hpg: Drop invalid workaround Wa_15010599737",
                            "    - gpu: nova-core: gsp: use empty slices instead of [0..0] ranges",
                            "    - gpu: nova-core: gsp: fix improper handling of empty slot in cmdq",
                            "    - drm/amdkfd: Removed commented line for MQD queue priority",
                            "    - PCI: imx6: Fix device node reference leak in imx_pcie_probe()",
                            "    - crypto: inside-secure/eip93 - fix register definition",
                            "    - ASoC: sti: Return errors from regmap_field_alloc()",
                            "    - ASoC: sti: use managed regmap_field allocations",
                            "    - dm cache: fix null-deref with concurrent writes in passthrough mode",
                            "    - dm cache: fix write path cache coherency in passthrough mode",
                            "    - dm cache: fix write hang in passthrough mode",
                            "    - dm cache policy smq: fix missing locks in invalidating cache blocks",
                            "    - dm cache: fix concurrent write failure in passthrough mode",
                            "    - dm cache: fix dirty mapping checking in passthrough mode switching",
                            "    - dm-mpath: don't stop probing paths at presuspend",
                            "    - drm/amd/ras: Fix type size of remainder argument",
                            "    - dt-bindings: mmc: dwcmshc-sdhci: Fix resets array validation",
                            "    - drm/amdgpu: GFX12.1 scratch memory limit up to 57-bit",
                            "    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove",
                            "    - gpu: nova-core: use checked arithmetic in FWSEC firmware parsing",
                            "    - gpu: nova-core: create falcon firmware DMA objects lazily",
                            "    - gpu: nova-core: falcon: rename load parameters to reflect DMA dependency",
                            "    - gpu: nova-core: firmware: fix and explain v2 header offsets computations",
                            "    - PCI: dwc: ep: Fix MSI-X Table Size configuration in",
                            "      dw_pcie_ep_set_msix()",
                            "    - PCI: dwc: ep: Mirror the max link width and speed fields to all",
                            "      functions",
                            "    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()",
                            "    - dm cache metadata: fix memory leak on metadata abort retry",
                            "    - dm log: fix out-of-bounds write due to region_count overflow",
                            "    - iopoll: fix function parameter names in read_poll_timeout_atomic()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier",
                            "      in atomic_enable()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to",
                            "      drm_bridge_funcs",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge",
                            "      atomic check",
                            "    - spi: nxp-xspi: Use reinit_completion() for repeated operations",
                            "    - spi: nxp-fspi: Use reinit_completion() for repeated operations",
                            "    - spi: fsl-qspi: Use reinit_completion() for repeated operations",
                            "    - spi: axiado: Remove redundant pm_runtime_mark_last_busy() call",
                            "    - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe",
                            "    - media: synopsys: VIDEO_DW_MIPI_CSI2RX should depend on ARCH_ROCKCHIP",
                            "    - [Config] VIDEO_DW_MIPI_CSI2RX depends on ARCH_ROCKCHIP",
                            "    - drm/amd/pm: Fix xgmi max speed reporting",
                            "    - spi: atcspi200: fix mutex initialization order",
                            "    - selftests/sched_ext: Add missing error check for exit__load()",
                            "    - drm/v3d: Handle error from drm_sched_entity_init()",
                            "    - drm/sun4i: Fix resource leaks",
                            "    - crypto: inside-secure/eip93 - register hash before authenc algorithms",
                            "    - PCI: rzg3s-host: Fix reset handling in probe error path",
                            "    - PCI: rzg3s-host: Reorder reset assertion during suspend",
                            "    - dt-bindings: PCI: renesas,r9a08g045s33-pcie: Fix naming properties",
                            "    - iommu/riscv: Add IOTINVAL after updating DDT/PDT entries",
                            "    - iommu/riscv: Skip IRQ count check when using MSI interrupts",
                            "    - iommu/riscv: Add missing GENERIC_MSI_IRQ",
                            "    - iommu/riscv: Stop polling when CQCSR reports an error",
                            "    - drm/amdkfd: Update queue properties for metadata ring",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()",
                            "    - drm/amdgpu: Add default case in DVI mode validation",
                            "    - regulator: dt-bindings: fp9931: Make vin-supply property as required",
                            "    - regulator: fp9931: Fix handling of mandatory \"vin\" supply",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()",
                            "    - drm/amdgpu: Drop redundant queue NULL check in hang detect worker",
                            "    - drm/amdgpu: Remove dead negative offset check in",
                            "      amdgpu_virt_init_critical_region()",
                            "    - dm init: ensure device probing has finished in dm-mod.waitfor=",
                            "    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build",
                            "      break",
                            "    - crypto: simd - reject compat registrations without __ prefixes",
                            "    - crypto: tegra - Disable softirqs before finalizing request",
                            "    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs",
                            "    - padata: Remove cpu online check from cpu add and removal",
                            "    - padata: Put CPU offline callback in ONLINE section to allow failure",
                            "    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the",
                            "      documentation",
                            "    - accel/amdxdna: fix missing newline in pr_err message",
                            "    - drm/amd/ras: Remove redundant NULL check in pending bad-bank list",
                            "      iteration",
                            "    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority",
                            "    - drm/amdgpu/gfx11: look at the right prop for gfx queue priority",
                            "    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo",
                            "    - PCI: sky1: Fix missing cleanup of ECAM config on probe failure",
                            "    - drm/imagination: Switch reset_reason fields from enum to u32",
                            "    - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()",
                            "    - iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement",
                            "    - drm/msm: add missing MODULE_DEVICE_ID definitions",
                            "    - drm/msm/dpu: fix mismatch between power and frequency",
                            "    - drm/msm/dsi: add the missing parameter description",
                            "    - drm/msm/dpu: don't try using 2 LMs if only one DSC is available",
                            "    - drm/msm/dsi: fix bits_per_pclk",
                            "    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel",
                            "    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0",
                            "    - ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode",
                            "    - tools/sched_ext: scx_pair: fix pair_ctx indexing for CPU pairs",
                            "    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first",
                            "    - drm/panel: simple: Correct G190EAN01 prepare timing",
                            "    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion",
                            "      support",
                            "    - PCI: Prevent shrinking bridge window from its required size",
                            "    - PCI: Fix premature removal from realloc_head list during resource",
                            "      assignment",
                            "    - crypto: hisilicon/sec2 - prevent req used-after-free for sec",
                            "    - PCI: Fix alignment calculation for resource size larger than align",
                            "    - iommu/riscv: Fix signedness bug",
                            "    - ALSA: core: Validate compress device numbers without dynamic minors",
                            "    - drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths",
                            "    - ASoC: amd: acp: update dmic_num logic for acp pdm dmic",
                            "    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled",
                            "    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs",
                            "    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock",
                            "    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0",
                            "    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels",
                            "    - drm/amd/pm/ci: Fill DW8 fields from SMC",
                            "    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board",
                            "    - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled",
                            "    - PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors",
                            "    - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback",
                            "    - ALSA: hda/realtek: fix bad indentation for alc269",
                            "    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace",
                            "      '}')",
                            "    - ASoC: SOF: Intel: hda: Place check before dereference",
                            "    - drm/msm/vma: Avoid lock in VM_BIND fence signaling path",
                            "    - drm/msm/a6xx: Add missing aperture_lock init",
                            "    - drm/msm: Reject fb creation from _NO_SHARE objs",
                            "    - drm/msm: Fix VM_BIND UNMAP locking",
                            "    - drm/msm/a6xx: Fix HLSQ register dumping",
                            "    - drm/msm/shrinker: Fix can_block() logic",
                            "    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks",
                            "    - drm/msm/a6xx: Use barriers while updating HFI Q headers",
                            "    - drm/msm/a8xx: Fix the ticks used in submit traces",
                            "    - drm/msm/a6xx: Switch to preemption safe AO counter",
                            "    - drm/msm/a6xx: Correct OOB usage",
                            "    - drm/msm/adreno: Implement gx_is_on() for A8x",
                            "    - drm/msm/a6xx: Fix gpu init from secure world",
                            "    - ALSA: hda/cmedia: Remove duplicate pin configuration parsing",
                            "    - pmdomain: ti: omap_prm: Fix a reference leak on device node",
                            "    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()",
                            "    - PM: domains: De-constify fields in struct dev_pm_domain_attach_data",
                            "    - drm/msm/dpu: drop INTF_0 on MSM8953",
                            "    - ASoC: fsl_micfil: Add access property for \"VAD Detected\"",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_range_set()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()",
                            "    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()",
                            "    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()",
                            "    - ASoC: fsl_easrc: Change the type for iec958 channel status controls",
                            "    - iommu/amd: Fix clone_alias() to use the original device's devid",
                            "    - iommu/riscv: Remove overflows on the invalidation path",
                            "    - ASoC: qcom: qdsp6: topology: check widget type before accessing data",
                            "    - PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value",
                            "    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off",
                            "    - crypto: qat - disable 420xx AE cluster when lead engine is fused off",
                            "    - crypto: qat - fix compression instance leak",
                            "    - crypto: qat - fix type mismatch in RAS sysfs show functions",
                            "    - crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()",
                            "    - crypto: qat - use swab32 macro",
                            "    - ALSA: hda: Notify IEC958 Default PCM switch state changes",
                            "    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]",
                            "    - PCI: Enable AtomicOps only if Root Port supports them",
                            "    - PCI: imx6: Keep Root Port MSI capability with iMSI-RX to work around",
                            "      hardware bug",
                            "    - PCI: aspeed: Fix IRQ domain leak on platform_get_irq() failure",
                            "    - dt-bindings: PCI: imx6q-pcie: Fix maxItems of clocks and clock-names",
                            "    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found",
                            "    - gpu: nova-core: bitfield: fix broken Default implementation",
                            "    - selftests/mm: skip migration tests if NUMA is unavailable",
                            "    - Documentation: fix a hugetlbfs reservation statement",
                            "    - Docs/admin-guide/mm/damn/lru_sort: fix intervals autotune parameter name",
                            "    - Docs/mm/damon/index: fix typo: autoamted -> automated",
                            "    - zram: do not permit params change after init",
                            "    - selftest: memcg: skip memcg_sock test if address family not supported",
                            "    - gpu: nova-core: remove redundant `.as_ref()` for `dev_*` print",
                            "    - gpu: nova-core: fix missing colon in SEC2 boot debug message",
                            "    - ALSA: scarlett2: Add missing sentinel initializer field",
                            "    - ASoC: qcom: audioreach: explicitly enable speaker protection modules",
                            "    - ASoC: SOF: compress: return the configured codec from get_params",
                            "    - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports",
                            "    - tools/sched_ext: Fix off-by-one in scx_sdt payload zeroing",
                            "    - ASoC: soc-component: re-add pcm_new()/pcm_free()",
                            "    - ASoC: amd: name back to pcm_new()/pcm_free()",
                            "    - ASoC: amd: ps: fix the pcm device numbering for acp pdm dmic",
                            "    - ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream",
                            "    - PCI: tegra194: Fix polling delay for L2 state",
                            "    - PCI: tegra194: Increase LTSSM poll time on surprise link down",
                            "    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link",
                            "      down",
                            "    - PCI: tegra194: Don't force the device into the D0 state before L2",
                            "    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode",
                            "    - PCI: tegra194: Use devm_gpiod_get_optional() to parse \"nvidia,refclk-",
                            "      select\"",
                            "    - PCI: tegra194: Disable direct speed change for Endpoint mode",
                            "    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint",
                            "      mode",
                            "    - PCI: tegra194: Allow system suspend when the Endpoint link is not up",
                            "    - PCI: tegra194: Free up Endpoint resources during remove()",
                            "    - PCI: tegra194: Use DWC IP core version",
                            "    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well",
                            "    - PCI: tegra194: Disable L1.2 capability of Tegra234 EP",
                            "    - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on",
                            "    - drm/fb-helper: Fix a locking bug in an error path",
                            "    - PCI: cadence: Add flags for disabling ASPM capability for broken Root",
                            "      Ports",
                            "    - PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root Ports",
                            "    - ASoC: SDCA: Fix cleanup inversion in class driver",
                            "    - spi: rzv2h-rspi: Fix invalid SPR=0/BRDV=0 clock configuration",
                            "    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()",
                            "      callback",
                            "    - ALSA: sc6000: Keep the programmed board state in card-private data",
                            "    - dm cache: fix missing return in invalidate_committed's error path",
                            "    - sched_ext: Track @p's rq lock across set_cpus_allowed_scx ->",
                            "      ops.set_cpumask",
                            "    - sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking",
                            "    - spi: cadence-qspi: Revert the filtering of certain opcodes in ODTR",
                            "    - crypto: jitterentropy - replace long-held spinlock with mutex",
                            "    - ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP",
                            "    - ALSA: hda/realtek - fixed speaker no sound update",
                            "    - gfs2: Call unlock_new_inode before d_instantiate",
                            "    - fanotify: avoid/silence premature LSM capability checks",
                            "    - fanotify: call fanotify_events_supported() before path_permission() and",
                            "      security_path_notify()",
                            "    - fuse: fix uninit-value in fuse_dentry_revalidate()",
                            "    - ktest: Avoid undef warning when WARNINGS_FILE is unset",
                            "    - ktest: Honor empty per-test option overrides",
                            "    - ktest: Run POST_KTEST hooks on failure and cancellation",
                            "    - vfio: selftests: fix crash in vfio_dma_mapping_mmio_test",
                            "    - rtla/utils: Fix resource leak in set_comm_sched_attr()",
                            "    - tools/rtla: Generate optstring from long options",
                            "    - rtla: Fix segfault on multiple SIGINTs",
                            "    - vfio: selftests: Build tests on aarch64",
                            "    - gfs2: less aggressive low-memory log flushing",
                            "    - quota: Fix race of dquot_scan_active() with quota deactivation",
                            "    - vfio: unhide vdev->debug_root",
                            "    - gfs2: add some missing log locking",
                            "    - gfs2: prevent NULL pointer dereference during unmount",
                            "    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation",
                            "    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
                            "    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon",
                            "    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible",
                            "    - memory: tegra124-emc: Fix dll_change check",
                            "    - memory: tegra30-emc: Fix dll_change check",
                            "    - arm64: dts: imx8-apalis: Fix LEDs name collision",
                            "    - arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD",
                            "    - riscv: dts: spacemit: pcie: fix missing power regulator",
                            "    - arm64: dts: mediatek: mt7988a-bpi-r4pro: fix model string",
                            "    - arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config",
                            "    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO",
                            "      (M.2 W_DISABLE1)",
                            "    - iommufd: vfio compatibility extension check for noiommu mode",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges",
                            "    - arm64: dts: qcom: qcs6490-rubikpi3: Use lt9611 DSI Port B",
                            "    - arm64: dts: qcom: talos: Add missing clock-names to GCC",
                            "    - arm64: dts: ti: k3-am62l: include WKUP_UART0 in wakeup peripheral window",
                            "    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count",
                            "    - iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}",
                            "    - arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices",
                            "    - arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC",
                            "      eval carrier",
                            "    - arm64: dts: imx8mp-hummingboard-pulse/cubox-m: fix vmmc gpio polarity",
                            "    - arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference",
                            "    - ARM: dts: BCM5301X: Drop extra NAND controller compatible",
                            "    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8937-xiaomi-land: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight",
                            "    - firmware: qcom_scm: don't opencode kmemdup",
                            "    - soc: qcom: ubwc: disable bank swizzling for Glymur platform",
                            "    - arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi",
                            "    - Revert \"arm64: dts: rockchip: add SPDIF audio to Beelink A1\"",
                            "    - arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace",
                            "    - arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace",
                            "    - soc: qcom: ocmem: make the core clock optional",
                            "    - soc: qcom: ocmem: register reasons for probe deferrals",
                            "    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available",
                            "    - riscv: dts: spacemit: drop incorrect pinctrl for combo PHY",
                            "    - arm64: dts: rockchip: Fix RK3562 EVB2 model name",
                            "    - arm64: dts: rockchip: Add mphy reset to ufshc node",
                            "    - bus: rifsc: fix RIF configuration check for peripherals",
                            "    - arm64: dts: qcom: arduino-imola: fix faulty spidev node",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: add missing denali-oled.dtb to",
                            "      Makefile\"",
                            "    - arm64: dts: qcom: add missing denali-oled.dtb to Makefile",
                            "    - arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: lemans: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: monaco: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8750: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: kaanapali: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: milos: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8750: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller",
                            "    - arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl",
                            "    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered",
                            "      during boot",
                            "    - arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader",
                            "    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62l3-evm: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins",
                            "    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label",
                            "    - arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS",
                            "      muxing",
                            "    - arm64: dts: imx91: Remove TMU's superfluous sensor ID",
                            "    - arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC",
                            "    - arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3",
                            "    - arm64: dts: imx8mp-evk: Specify ADV7535 register addresses",
                            "    - arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit",
                            "    - arm64: dts: lx2160a: remove duplicate pinmux nodes",
                            "    - arm64: dts: lx2160a: rename pinmux nodes for readability",
                            "    - arm64: dts: lx2160a: add sda gpio references for i2c bus recovery",
                            "    - arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes",
                            "    - arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word",
                            "    - arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual",
                            "    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual",
                            "    - soc/tegra: cbb: Set ERD on resume for err interrupt",
                            "    - soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables",
                            "    - soc/tegra: cbb: Fix cross-fabric target timeout lookup",
                            "    - arm64: tegra: Fix RTC aliases",
                            "    - soc/tegra: pmc: Add kerneldoc for reboot notifier",
                            "    - soc/tegra: pmc: Correct function names in kerneldoc",
                            "    - soc/tegra: pmc: Add kerneldoc for wake-up variables",
                            "    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()",
                            "      failure",
                            "    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()",
                            "    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison",
                            "    - soc: qcom: llcc: fix v1 SB syndrome register offset",
                            "    - soc: qcom: aoss: compare against normalized cooling state",
                            "    - arm64: dts: qcom: milos: Add missing CX power domain to GCC",
                            "    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP",
                            "    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX",
                            "    - arm64/xor: fix conflicting attributes for xor_block_template",
                            "    - lib: kunit_iov_iter: fix memory leaks",
                            "    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended",
                            "    - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP",
                            "    - fwctl: Fix class init ordering to avoid NULL pointer dereference on",
                            "      device removal",
                            "    - ocfs2: fix listxattr handling when the buffer is full",
                            "    - ocfs2: validate bg_bits during freefrag scan",
                            "    - ocfs2: validate group add input before caching",
                            "    - dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis",
                            "    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void",
                            "      function",
                            "    - phy: apple: apple: Use local variable for ioremap return value",
                            "    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()",
                            "    - soundwire: Intel: test bus.bpt_stream before assigning it",
                            "    - dmaengine: mxs-dma: Fix missing return value from",
                            "      of_dma_controller_register()",
                            "    - soundwire: cadence: Clear message complete before signaling waiting",
                            "      thread",
                            "    - tracing: move __printf() attribute on __ftrace_vbprintk()",
                            "    - tracing: Rebuild full_name on each hist_field_name() call",
                            "    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC",
                            "    - [Config] Enable CONFIG_HTE_TEGRA194 on armhf",
                            "    - remoteproc: xlnx: Fix sram property parsing",
                            "    - stop_machine: Fix the documentation for a NULL cpus argument",
                            "    - remoteproc: imx_rproc: Check return value of regmap_attach_dev() in",
                            "      imx_rproc_mmio_detect_mode()",
                            "    - ima: check return value of crypto_shash_final() in boot aggregate",
                            "    - HID: asus: make asus_resume adhere to linux kernel coding standards",
                            "    - HID: asus: do not abort probe when not necessary",
                            "    - workqueue: devres: Add device-managed allocate workqueue",
                            "    - power: supply: max77705: Drop duplicated IRQ error message",
                            "    - power: supply: max77705: Free allocated workqueue and fix removal order",
                            "    - mtd: physmap_of_gemini: Fix disabled pinctrl state check",
                            "    - ima_fs: Correctly create securityfs files for unsupported hash algos",
                            "    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range",
                            "    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read",
                            "      operations",
                            "    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation",
                            "    - mtd: spi-nor: micron-st: add SNOR_CMD_PP_8_8_8_DTR sfdp fixup for",
                            "      mt35xu512aba",
                            "    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask",
                            "    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path",
                            "    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions",
                            "    - cxl/pci: Check memdev driver binding status in cxl_reset_done()",
                            "    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob",
                            "    - mtd: spinand: winbond: Clarify when to enable the HS bit",
                            "    - HID: usbhid: fix deadlock in hid_post_reset()",
                            "    - ext4: fix miss unlock 'sb->s_umount' in extents_kunit_init()",
                            "    - ext4: call deactivate_super() in extents_kunit_exit()",
                            "    - ext4: fix the error handling process in extents_kunit_init).",
                            "    - ext4: fix possible null-ptr-deref in extents_kunit_exit()",
                            "    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()",
                            "    - bpf, arm64: Reject out-of-range B.cond targets",
                            "    - bpf, arm64: Fix off-by-one in check_imm signed range check",
                            "    - bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, sockmap: Fix af_unix iter deadlock",
                            "    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update",
                            "    - bpf, sockmap: Take state lock for af_unix iter",
                            "    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check",
                            "    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs",
                            "    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()",
                            "    - libbpf: Prevent double close and leak of btf objects",
                            "    - bpf: Validate node_id in arena_alloc_pages()",
                            "    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - dt-bindings: pinctrl: marvell,armada3710-xb-pinctrl: add missing items",
                            "      keyword",
                            "    - pinctrl: pinctrl-pic32: Fix resource leak",
                            "    - perf trace: Avoid an ERR_PTR in syscall_stats",
                            "    - pinctrl: microchip-mssio: Fix missing return in probe",
                            "    - perf test type profiling: Remote typedef on struct",
                            "    - pinctrl: cy8c95x0: remove duplicate error message",
                            "    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()",
                            "    - pinctrl: cy8c95x0: Avoid returning positive values to user space",
                            "    - perf branch: Avoid incrementing NULL",
                            "    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE",
                            "      trace",
                            "    - pinctrl: pinconf-generic: Fully validate 'pinmux' property",
                            "    - pinctrl: realtek: Fix function signature for config argument",
                            "    - pinctrl: abx500: Fix type of 'argument' variable",
                            "    - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT}",
                            "      registers",
                            "    - tools build: Correct link flags for libopenssl",
                            "    - perf lock: Fix option value type in parse_max_stack",
                            "    - perf stat: Fix opt->value type for parse_cache_level",
                            "    - memblock: reserve_mem: fix end caclulation in",
                            "      reserve_mem_release_by_name()",
                            "    - perf stat: Fix crash on arm64",
                            "    - perf tools: Fix module symbol resolution for non-zero .text sh_addr",
                            "    - perf test: Fix ratio_to_prev event parsing test",
                            "    - perf test: Skip perf data type profiling tests for s390",
                            "    - perf expr: Return -EINVAL for syntax error in expr__find_ids()",
                            "    - perf metrics: Make common stalled metrics conditional on having the",
                            "      event",
                            "    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure",
                            "    - ipmi: ssif_bmc: fix message desynchronization after truncated response",
                            "    - ipmi: ssif_bmc: change log level to dbg in irq callback",
                            "    - perf cgroup: Update metric leader in evlist__expand_cgroup",
                            "    - pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description",
                            "    - pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description",
                            "    - perf maps: Fix fixup_overlap_and_insert that can break sorted by name",
                            "      order",
                            "    - perf maps: Fix copy_from that can break sorted by name order",
                            "    - perf util: Kill die() prototype, dead for a long time",
                            "    - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback",
                            "    - i3c: master: dw-i3c: Balance PM runtime usage count on probe failure",
                            "    - i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()",
                            "    - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()",
                            "    - i3c: master: adi: Fix error propagation for CCCs",
                            "    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status",
                            "    - fs/ntfs3: prevent uninitialized lcn caused by zero len",
                            "    - backlight: sky81452-backlight: Check return value of",
                            "      devm_gpiod_get_optional() in sky81452_bl_parse_dt()",
                            "    - platform/surface: surfacepro3_button: Drop wakeup source on remove",
                            "    - leds: lgm-sso: Remove duplicate assignments for priv->mmap",
                            "    - usb: typec: Fix error pointer dereference",
                            "    - tty: hvc_iucv: fix off-by-one in number of supported devices",
                            "    - usb: typec: ps883x: Fix Oops at unbind",
                            "    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and",
                            "      cleanup",
                            "    - platform/x86: barco-p50-gpio: normalize return value of gpio_get",
                            "    - fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()",
                            "    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()",
                            "    - nfs/blocklayout: Fix compilation error (`make W=1`) in",
                            "      bl_write_pagelist()",
                            "    - sunrpc: Kill RPC_IFDEBUG()",
                            "    - sunrpc: Fix compilation error (`make W=1`) when dprintk() is no-op",
                            "    - NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg",
                            "    - nfsd: use dynamic allocation for oversized NFSv4.0 replay cache",
                            "    - RDMA/umem: Use consistent DMA attributes when unmapping entries",
                            "    - greybus: raw: fix use-after-free on cdev close",
                            "    - greybus: raw: fix use-after-free if write is called after disconnect",
                            "    - platform/x86: asus-wmi: adjust screenpad power/brightness handling",
                            "    - platform/x86: asus-wmi: fix screenpad brightness range",
                            "    - tty: serial: ip22zilog: Fix section mispatch warning",
                            "    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion",
                            "    - platform/x86: hp-wmi: fix ignored return values in fan settings",
                            "    - platform/x86: hp-wmi: avoid cancel_delayed_work_sync from work handler",
                            "    - platform/x86: hp-wmi: use mod_delayed_work to reset keep-alive timer",
                            "    - platform/x86: hp-wmi: fix u8 underflow in gpu_delta calculation",
                            "    - platform/x86: hp-wmi: add locking for concurrent hwmon access",
                            "    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()",
                            "    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation",
                            "    - RDMA/core: Prefer NLA_NUL_STRING",
                            "    - platform/x86: hp-wmi: fix fan table parsing",
                            "    - dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur",
                            "    - clk: qcom: gcc-glymur: Add video axi clock resets for glymur",
                            "    - clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: renesas: r9a09g057: Fix ordering of module clocks array",
                            "    - clk: renesas: r9a09g056: Fix ordering of module clocks array",
                            "    - clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock",
                            "    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()",
                            "    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX",
                            "    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from",
                            "      byte_div_clk_src dividers",
                            "    - clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-kaanapali: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-milos: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting",
                            "    - clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}",
                            "    - scsi: target: core: Fix integer overflow in UNMAP bounds check",
                            "    - scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item",
                            "    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Use retention for USB power domains",
                            "    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains",
                            "    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk",
                            "    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks",
                            "    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()",
                            "    - clk: imx: imx6q: Fix device node reference leak in",
                            "      of_assigned_ldb_sels()",
                            "    - clk: imx8mq: Correct the CSI PHY sels",
                            "    - um: Fix potential race condition in TLB sync",
                            "    - x86/um: fix vDSO installation",
                            "    - clk: qoriq: avoid format string warning",
                            "    - clk: xgene: Fix mapping leak in xgene_pllclk_init()",
                            "    - clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()",
                            "    - f2fs: avoid reading already updated pages during GC",
                            "    - printk_ringbuffer: Fix get_data() size sanity check",
                            "    - clk: qcom: gdsc: Fix error path on registration of multiple pm",
                            "      subdomains",
                            "    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()",
                            "    - f2fs: fix data loss caused by incorrect use of nat_entry flag",
                            "    - f2fs: fix to preserve previous reserve_{blocks,node} value when remount",
                            "    - scsi: hpsa: Enlarge controller and IRQ name buffers",
                            "    - drm/amd/display: Fix parameter mismatch in panel self-refresh helper",
                            "    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON",
                            "    - clk: visconti: pll: initialize clk_init_data to zero",
                            "    - f2fs: allow empty mount string for Opt_usr|grp|projjquota",
                            "    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()",
                            "    - drm/i915/wm: Verify the correct plane DDB entry",
                            "    - virt: arm-cca-guest: fix error check for RSI_INCOMPLETE",
                            "    - crypto: eip93 - fix hmac setkey algo selection",
                            "    - crypto: sa2ul - Fix AEAD fallback algorithm names",
                            "    - crypto: ccp - copy IV using skcipher ivsize",
                            "    - sh: Include <linux/io.h> in dac.h",
                            "    - erofs: unify lcn as u64 for 32-bit platforms",
                            "    - tools: hv: Fix cross-compilation",
                            "    - Drivers: hv: vmbus: fix hyperv_cpuhp_online variable shadowing",
                            "    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - PCMCIA: Fix garbled log messages for KERN_CONT",
                            "    - reset: amlogic: t7: Fix null reset ops",
                            "    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's",
                            "      phy-names",
                            "    - pwm: stm32: Fix rounding issue for requests with inverted polarity",
                            "    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in",
                            "      tcf_blockcast_redir",
                            "    - macvlan: fix macvlan_get_size() not reserving space for",
                            "      IFLA_MACVLAN_BC_CUTOFF",
                            "    - net/sched: sch_cake: fix NAT destination port not being updated in",
                            "      cake_update_flowkeys",
                            "    - nexthop: fix IPv6 route referencing IPv4 nexthop",
                            "    - net: airoha: Wait for NPU PPE configuration to complete in",
                            "      airoha_ppe_offload_setup()",
                            "    - net/sched: taprio: fix use-after-free in advance_sched() on schedule",
                            "      switch",
                            "    - net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops",
                            "    - net: enetc: correct the command BD ring consumer index",
                            "    - net: enetc: fix NTMP DMA use-after-free issue",
                            "    - ksmbd: fix use-after-free in smb2_open during durable reconnect",
                            "    - tcp: move tp->chrono_type next tp->chrono_stat[]",
                            "    - tcp: inline tcp_chrono_start()",
                            "    - tcp: annotate data-races in tcp_get_info_chrono_stats()",
                            "    - tcp: add data-race annotations around tp->data_segs_out and",
                            "      tp->total_retrans",
                            "    - tcp: add data-races annotations around tp->reordering, tp->snd_cwnd",
                            "    - tcp: annotate data-races around tp->snd_ssthresh",
                            "    - tcp: annotate data-races around tp->delivered and tp->delivered_ce",
                            "    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE",
                            "    - tcp: annotate data-races around tp->bytes_sent",
                            "    - tcp: annotate data-races around tp->bytes_retrans",
                            "    - tcp: annotate data-races around tp->dsack_dups",
                            "    - tcp: annotate data-races around tp->reord_seen",
                            "    - tcp: annotate data-races around tp->srtt_us",
                            "    - tcp: annotate data-races around tp->timeout_rehash",
                            "    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)",
                            "    - tcp: annotate data-races around tp->plb_rehash",
                            "    - ice: fix 'adjust' timer programming for E830 devices",
                            "    - ice: update PCS latency settings for E825 10G/25Gb modes",
                            "    - ice: fix double-free of tx_buf skb",
                            "    - ice: fix PHY config on media change with link-down-on-close",
                            "    - ice: fix ICE_AQ_LINK_SPEED_M for 200G",
                            "    - ice: fix race condition in TX timestamp ring cleanup",
                            "    - ice: fix potential NULL pointer deref in error path of",
                            "      ice_set_ringparam()",
                            "    - i40e: don't advertise IFF_SUPP_NOFCS",
                            "    - iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2",
                            "    - e1000e: Unroll PTP in probe error handling",
                            "    - ipv6: fix possible UAF in icmpv6_rcv()",
                            "    - af_unix: Drop all SCM attributes for SOCKMAP.",
                            "    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks",
                            "    - pppoe: drop PFC frames",
                            "    - net/mlx5: Fix HCA caps leak on notifier init failure",
                            "    - net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()",
                            "    - netfilter: nft_osf: restrict it to ipv4",
                            "    - netfilter: conntrack: remove sprintf usage",
                            "    - netfilter: xtables: restrict several matches to inet family",
                            "    - netfilter: nat: use kfree_rcu to release ops",
                            "    - ipvs: fix MTU check for GSO packets in tunnel mode",
                            "    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching",
                            "    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check",
                            "    - net/sched: sch_dualpi2: drain both C-queue and L-queue in",
                            "      dualpi2_change()",
                            "    - arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0",
                            "    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number",
                            "    - vfio/pci: Clean up DMABUFs before disabling function",
                            "    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic",
                            "    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()",
                            "    - ksmbd: destroy async_ida in ksmbd_conn_free()",
                            "    - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open",
                            "    - ksmbd: scope conn->binding slowpath to bound sessions only",
                            "    - net: validate skb->napi_id in RX tracepoints",
                            "    - bnge: fix initial HWRM sequence",
                            "    - bnge: remove unsupported backing store type",
                            "    - sctp: fix sockets_allocated imbalance after sk_clone()",
                            "    - net/rds: zero per-item info buffer before handing it to visitors",
                            "    - ice: fix timestamp interrupt configuration for E825C",
                            "    - ice: perform PHY soft reset for E825C ports at initialization",
                            "    - ice: fix ready bitmap check for non-E822 devices",
                            "    - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g",
                            "    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()",
                            "    - net/sched: sch_pie: annotate data-races in pie_dump_stats()",
                            "    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()",
                            "    - net/sched: sch_red: annotate data-races in red_dump_stats()",
                            "    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()",
                            "    - net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()",
                            "    - net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()",
                            "    - net: dsa: realtek: rtl8365mb: fix mode mask calculation",
                            "    - net: airoha: Move ndesc initialization at end of",
                            "      airoha_qdma_init_rx_queue()",
                            "    - net: airoha: Rework the code flow in airoha_remove() and in",
                            "      airoha_probe() error path",
                            "    - net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()",
                            "    - net: mana: Init link_change_work before potential error paths in probe",
                            "    - net: mana: Init gf_stats_work before potential error paths in probe",
                            "    - net: mana: Guard mana_remove against double invocation",
                            "    - net: mana: Don't overwrite port probe error with add_adev result",
                            "    - net: mana: Fix EQ leak in mana_remove on NULL port",
                            "    - vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting",
                            "    - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via",
                            "      VQ_PAIRS_SET",
                            "    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls",
                            "    - tcp: send a challenge ACK on SEG.ACK > SND.NXT",
                            "    - tipc: fix double-free in tipc_buf_append()",
                            "    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()",
                            "    - nstree: fix func. parameter kernel-doc warnings",
                            "    - eventpoll: use hlist_is_singular_node() in __ep_remove()",
                            "    - eventpoll: split __ep_remove()",
                            "    - eventpoll: kill __ep_remove()",
                            "    - eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()",
                            "    - eventpoll: move epi_fget() up",
                            "    - fs/adfs: validate nzones in adfs_validate_bblk()",
                            "    - rtc: abx80x: Disable alarm feature if no interrupt attached",
                            "    - kbuild: builddeb - avoid recompiles for non-cross-compiles",
                            "    - tools/power turbostat: Fix AMD RAPL regression on big systems",
                            "    - fbdev: offb: fix PCI device reference leak on probe failure",
                            "    - tools/power turbostat: Fix unrecognized option '-P'",
                            "    - tools/power turbostat: Fix --cpu-set 0 regression on HT systems",
                            "    - tools/power turbostat: Fix --cpu-set 1 regression on HT systems",
                            "    - kbuild: Never respect CONFIG_WERROR / W=e to fixdep",
                            "    - mailbox: mtk-vcp-mailbox: Fix the return value in mtk_vcp_mbox_xlate()",
                            "    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case",
                            "    - mailbox: mailbox-test: free channels on probe error",
                            "    - sched/psi: fix race between file release and pressure write",
                            "    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()",
                            "    - cgroup/cpuset: record DL BW alloc CPU for attach rollback",
                            "    - mailbox: add sanity check for channel array",
                            "    - mailbox: mailbox-test: handle channel errors consistently",
                            "    - mailbox: mailbox-test: don't free the reused channel",
                            "    - mailbox: mailbox-test: initialize struct earlier",
                            "    - mailbox: mailbox-test: make data_ready a per-instance variable",
                            "    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()",
                            "    - btrfs: fix bytes_may_use leak in move_existing_remap()",
                            "    - btrfs: fix bytes_may_use leak in do_remap_reloc_trans()",
                            "    - btrfs: don't clobber errors in add_remap_tree_entries()",
                            "    - btrfs: fix double-decrement of bytes_may_use in",
                            "      submit_one_async_extent()",
                            "    - tracing: branch: Fix inverted check on stat tracer registration",
                            "    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
                            "    - netfilter: nf_tables: use list_del_rcu for netlink hooks",
                            "    - rculist: add list_splice_rcu() for private lists",
                            "    - netfilter: nf_tables: join hook list via splice_list_rcu() in commit",
                            "      phase",
                            "    - netfilter: nf_tables: add hook transactions for device deletions",
                            "    - nvme-pci: fix missed admin queue sq doorbell write",
                            "    - drm/amdgpu: avoid double drm_exec_fini() in userq validate",
                            "    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM",
                            "    - drm/amd/pm: fix missing fine-grained dpm table flag on aldebaran",
                            "    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG",
                            "    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated",
                            "    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)",
                            "    - drm/amdgpu: Only send RMA CPER when threshold is exceeded",
                            "    - netfilter: xt_policy: fix strict mode inbound policy matching",
                            "    - netfilter: nf_conntrack_sip: don't use simple_strtoul",
                            "    - spi: rzv2h-rspi: Fix silent failure in clock setup error path",
                            "    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED",
                            "    - ASoC: SOF: Intel: add an empty adr_link",
                            "    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ",
                            "    - ASoC: tas2764: Mark die temp register as volatile",
                            "    - ASoC: tas2770: Fix order of operations for temperature calculation",
                            "    - drm/sysfb: ofdrm: fix PCI device reference leaks",
                            "    - drm/color-mgmt: Typo s/R332/RGB332/",
                            "    - arm64/scs: Fix potential sign extension issue of advance_loc4",
                            "    - spi: spi-mem: Add a packed command operation",
                            "    - mtd: spinand: Add support for packed read data ODTR commands",
                            "    - mtd: spinand: winbond: Set the packed page read flag to W35N02/04JW",
                            "    - mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW",
                            "    - ACPICA: Provide #defines for EINJV2 error types",
                            "    - ACPI: APEI: EINJ: Fix EINJV2 memory error injection",
                            "    - cdrom, scsi: sr: propagate read-only status to block layer via",
                            "      set_disk_ro()",
                            "    - spi: axiado: replace usleep_range() with udelay() in IRQ path",
                            "    - netdevsim: zero initialize struct iphdr in dummy sk_buff",
                            "    - net/sched: netem: fix probability gaps in 4-state loss model",
                            "    - net/sched: netem: fix queue limit check to include reordered packets",
                            "    - net/sched: netem: only reseed PRNG when seed is explicitly provided",
                            "    - net/sched: netem: validate slot configuration",
                            "    - net/sched: netem: fix slot delay calculation overflow",
                            "    - net/sched: netem: check for negative latency and jitter",
                            "    - net: airoha: fix BQL imbalance in TX path",
                            "    - net: airoha: stop net_device TX queue before updating CPU index",
                            "    - net: airoha: fix typo in function name",
                            "    - net: airoha: Do not wake all netdev TX queues in",
                            "      airoha_qdma_wake_netdev_txqs()",
                            "    - net: airoha: Do not read uninitialized fragment address in",
                            "      airoha_dev_xmit()",
                            "    - net/sched: sch_choke: annotate data-races in choke_dump_stats()",
                            "    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()",
                            "    - vrf: Fix a potential NPD when removing a port from a VRF",
                            "    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()",
                            "    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit",
                            "    - spi: amlogic-spisg: initialize completion before requesting IRQ",
                            "    - NFC: trf7970a: Ignore antenna noise when checking for RF field",
                            "    - net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind",
                            "    - neigh: let neigh_xmit take skb ownership",
                            "    - tcp: make probe0 timer handle expired user timeout",
                            "    - netpoll: fix IPv6 local-address corruption",
                            "    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams",
                            "    - sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue",
                            "    - sched/fair: Clear rel_deadline when initializing forked entities",
                            "    - net: mctp i2c: check length before marking flow active",
                            "    - md/raid1,raid10: don't fail devices for invalid IO errors",
                            "    - md: add fallback to correct bitmap_ops on version mismatch",
                            "    - md: factor bitmap creation away from sysfs handling",
                            "    - md/md-bitmap: split bitmap sysfs groups",
                            "    - md/md-bitmap: add a none backend for bitmap grow",
                            "    - s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()",
                            "    - net: phy: dp83869: fix setting CLK_O_SEL field.",
                            "    - drm/amd/display: properly handle family setting for early GC 11.5.4",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.3.0 ring",
                            "    - drm/amd/pm: Add fine grained flag to SMU v13.0.6",
                            "    - io_uring/napi: cap busy_poll_to 10 msec",
                            "    - ASoC: cs35l56: Fix illegal writes to OTP_MEM registers",
                            "    - net: psp: check for device unregister when creating assoc",
                            "    - net: psp: require admin permission for dev-set and key-rotate",
                            "    - ASoC: codecs: ab8500: Fix casting of private data",
                            "    - netfilter: skip recording stale or retransmitted INIT",
                            "    - sctp: discard stale INIT after handshake completion",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (I)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (II)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (IV)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)",
                            "    - netconsole: return count instead of strnlen(buf, count) from store",
                            "      callbacks",
                            "    - netconsole: avoid clobbering userdatum value on truncated write",
                            "    - netconsole: propagate device name truncation in dev_name_store()",
                            "    - netconsole: restore userdatum value on update_userdata() failure",
                            "    - ALSA: hda/conexant: Fix missing error check for jack detection",
                            "    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()",
                            "    - ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0",
                            "      pages >1",
                            "    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup",
                            "    - drm/amd/display: Allow embedded connectors without DDC",
                            "    - drm/amd/display: Allow DCE link encoder without AUX registers",
                            "    - drm/amd/display: Allow constructing DCE6 link encoder without DDC",
                            "    - drm/amd/display: Allow constructing DCE8 link encoder without DDC",
                            "    - drm/amd/display: Read EDID from VBIOS embedded panel info",
                            "    - drm/amd/display: Use EDID from VBIOS embedded panel info",
                            "    - drm/xe: Use XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET enum instead of magic",
                            "      number",
                            "    - drm/xe: Drop registration of guc_submit_wedged_fini from",
                            "      xe_guc_submit_wedge()",
                            "    - drm/xe/debugfs: Correct printing of register whitelist ranges",
                            "    - drm/xe: Fix potential NULL deref in",
                            "      xe_exec_queue_tlb_inval_last_fence_put_unlocked",
                            "    - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()",
                            "    - drm/xe/eustall: Fix drm_dev_put called before stream disable in close",
                            "    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()",
                            "    - drm/xe/xelp: Fix Wa_18022495364",
                            "    - net: airoha: Do not return err in ndo_stop() callback",
                            "    - bonding: print churn state via netlink",
                            "    - bonding: 3ad: implement proper RCU rules for port->aggregator",
                            "    - page_pool: fix memory-provider leak in page_pool_create_percpu() error",
                            "      path",
                            "    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING",
                            "    - iavf: stop removing VLAN filters from PF on interface down",
                            "    - iavf: wait for PF confirmation before removing VLAN filters",
                            "    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler",
                            "    - ice: fix NULL pointer dereference in ice_reset_all_vfs()",
                            "    - ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw",
                            "    - ice: fix missing SMA pin initialization in DPLL subsystem",
                            "    - ice: fix SMA and U.FL pin state changes affecting paired pin",
                            "    - ice: fix missing dpll notifications for SW pins",
                            "    - dpll: export __dpll_pin_change_ntf() for use under dpll_lock",
                            "    - ice: add dpll peer notification for paired SMA and U.FL pins",
                            "    - net: tls: fix strparser anchor skb leak on offload RX setup failure",
                            "    - sfc: fix error code in efx_devlink_info_running_versions()",
                            "    - net/sched: cls_flower: revert unintended changes",
                            "    - kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition",
                            "    - arm64: Reserve an extra page for early kernel mapping",
                            "    - futex: Drop CLONE_THREAD requirement for private default hash alloc",
                            "    - PCI: Initialize temporary device in new_id_store()",
                            "    - workqueue: fix devm_alloc_workqueue() va_list misuse",
                            "    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()",
                            "    - sched/fair: Fix wakeup_preempt_fair() for not waking up task",
                            "    - crypto: af_alg - Cap AEAD AD length to 0x80000000",
                            "    - i40e: Cleanup PTP pins on probe failure",
                            "    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path",
                            "    - net: ena: PHC: Fix potential use-after-free in get_timestamp",
                            "    - cgroup/cpuset: Reset DL migration state on can_attach() failure",
                            "    - netfilter: nf_conntrack_sip: get helper before allocating expectation",
                            "    - audit: fix incorrect inheritable capability in CAPSET records",
                            "    - net: ena: PHC: Check return code before setting timestamp output",
                            "    - cgroup/dmem: Return -ENOMEM on failed pool preallocation",
                            "    - idpf: fix double free and use-after-free in aux device error paths",
                            "    - cgroup/cpuset: Reserve DL bandwidth only for root-domain moves",
                            "    - Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to",
                            "      warn\"",
                            "    - netfilter: nft_ct: fix missing expect put in obj eval",
                            "    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled",
                            "    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV",
                            "    - cgroup/cpuset: Return only actually allocated CPUs during partition",
                            "      invalidation",
                            "    - KVM: x86: Swap the dst and src operand for MOVNTDQA",
                            "    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()",
                            "    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer",
                            "      arithmetic",
                            "    - KVM: x86: Fix Xen hypercall tracepoint argument assignment",
                            "    - HID: pass the buffer size to hid_report_raw_event",
                            "    - HID: core: introduce hid_safe_input_report()",
                            "    - rseq: Revert to historical performance killing behaviour",
                            "    - rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode",
                            "    - rseq: Reenable performance optimizations conditionally",
                            "    - HID: core: Fix size_t specifier in hid_report_raw_event()",
                            "    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands",
                            "    - media: staging: imx: configure src_mux in csi_start",
                            "    - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events",
                            "    - nvme-apple: Reset q->sq_tail during queue init",
                            "    - smb/client: fix possible infinite loop and oob read in symlink_data()",
                            "    - drm/loongson: Use managed KMS polling",
                            "    - drm: Replace old pointer to new idr",
                            "    - drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup",
                            "    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats",
                            "    - drm/amd/display: Wrap DCN32 phantom-plane allocation in",
                            "      DC_RUN_WITH_PREEMPTION_ENABLED",
                            "    - drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure",
                            "    - platform/x86: intel: Move debugfs register before creating devices",
                            "    - platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers",
                            "    - platform/x86: lenovo-wmi-helpers: Fix memory leak in",
                            "      lwmi_dev_evaluate_int()",
                            "    - platform/x86: lenovo-wmi-other: Balance IDA id allocation and free",
                            "    - platform/x86: lenovo-wmi-other: Balance component bind and unbind",
                            "    - platform/x86: lenovo-wmi-other: Zero initialize WMI arguments",
                            "    - platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members",
                            "    - platform/x86: lenovo-wmi-other: Add Attribute ID helper functions",
                            "    - platform/x86: lenovo-wmi-other: Limit adding attributes to supported",
                            "      devices",
                            "    - accel/rocket: Fix prep_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx",
                            "    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone",
                            "    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans",
                            "    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans",
                            "    - ALSA: usb-audio: qcom: Check offload mapping failures",
                            "    - btrfs: only release the dirty pages io tree after successful writes",
                            "    - ceph: fix a buffer leak in __ceph_setxattr()",
                            "    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size",
                            "    - ceph: put folios not suitable for writeback",
                            "    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
                            "    - iommu/amd: Bounds-check devid in __rlookup_amd_iommu()",
                            "    - x86/kexec: Push kjump return address even for non-kjump kexec",
                            "    - xfs: fix memory leak on error in xfs_alloc_zone_info()",
                            "    - virt: sev-guest: Do not use host-controlled page order in cleanup path",
                            "    - powerpc/warp: Fix error handling in pika_dtm_thread",
                            "    - netfs: fix error handling in netfs_extract_user_iter()",
                            "    - nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled",
                            "    - nfsd: fix file change detection in CB_GETATTR",
                            "    - nfsd: update mtime/ctime on CLONE in presense of delegated attributes",
                            "    - nfsd: update mtime/ctime on COPY in presence of delegated attributes",
                            "    - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining",
                            "    - irqchip/meson-gpio: Use the correct register in",
                            "      meson_s4_gpio_irq_set_type()",
                            "    - irqchip/gic-v5: Move LPI allocation into the LPI domain",
                            "    - irqchip/gic-v5: Support range allocation for LPIs",
                            "    - irqchip/gic-v5: Allocate ITS parent LPIs as a range",
                            "    - libceph: Fix potential out-of-bounds access in osdmap_decode()",
                            "    - libceph: Fix potential null-ptr-deref in decode_choose_args()",
                            "    - libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()",
                            "    - libceph: Fix potential out-of-bounds access in crush_decode()",
                            "    - libceph: handle rbtree insertion error in decode_choose_args()",
                            "    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX",
                            "    - iommu/vt-d: Fix oops due to out of scope access",
                            "    - iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
                            "    - iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()",
                            "    - iommu: Replace per-group resetting_domain with per-gdev blocked flag",
                            "    - iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset",
                            "    - iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix nested pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()",
                            "    - drm/i915: skip __i915_request_skip() for already signaled requests",
                            "    - drm/panfrost: Fix wait_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - drm/xe/dma-buf: handle empty bo and UAF races",
                            "    - drm/xe/dma-buf: fix UAF with retry loop",
                            "    - drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure",
                            "    - drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC",
                            "    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup",
                            "    - drm/gma500/oaktrail_lvds: fix hang on init failure",
                            "    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init",
                            "    - arm_mpam: Fix monitor instance selection when checking for hardware NRDY",
                            "    - arm_mpam: Pretend that NRDY is always hardware managed",
                            "    - arm_mpam: Improve check for whether or not NRDY is hardware managed",
                            "    - arm_mpam: Fix false positive assert failure during mpam_disable()",
                            "    - arm_mpam: Check whether the config array is allocated before destroying",
                            "      it",
                            "    - eventfs: Simplify code using guard()s",
                            "    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list",
                            "    - smb: client: Use FullSessionKey for AES-256 encryption key derivation",
                            "    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: sifive: fix controller deregistration",
                            "    - tracefs: Removed unused 'ret' variable in eventfs_iterate()",
                            "    - workqueue: Annotate alloc_workqueue_va() with __printf(1, 0)",
                            "    - selftests/bpf: Remove test_access_variable_array",
                            "    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()",
                            "    - Linux 7.0.10",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45846",
                            "    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45845",
                            "    - net/sched: taprio: fix NULL pointer dereference in class dump",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45844",
                            "    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-46242",
                            "    - eventpoll: fix ep_remove struct eventpoll / struct file UAF",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45843",
                            "    - slip: bound decode() reads against the compressed packet length",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45842",
                            "    - slip: reject VJ receive packets on instances with no rstate array",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45841",
                            "    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45840",
                            "    - openvswitch: cap upcall PID array size and pre-size vport replies",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45839",
                            "    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45838",
                            "    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006)",
                            "    - Linux 7.0.8",
                            "    - HID: pidff: Fix integer overflow in pidff_rescale",
                            "    - media: uvcvideo: Enable VB2_DMABUF for metadata stream",
                            "    - drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames",
                            "    - media: rzv2h-ivc: Avoid double job scheduling",
                            "    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0",
                            "    - media: rzv2h-ivc: Write AXIRX_PIXFMT once",
                            "    - media: rzv2h-ivc: Fix FM_STOP register write",
                            "    - media: rzv2h-ivc: Fix concurrent buffer list access",
                            "    - media: mali-c55: Initialize the ISP in enable_streams()",
                            "    - media: mali-c55: Fix Iridix bypass macros",
                            "    - media: renesas: vsp1: Fix NULL pointer deref on module unload",
                            "    - media: renesas: vin: Fix RAW8 (again)",
                            "    - media: i2c: ov8856: free control handler on error in",
                            "      ov8856_init_controls()",
                            "    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for",
                            "      RK35{76,88}",
                            "    - media: dt-bindings: rockchip,vdec: Mark reg-names required for",
                            "      RK35{76,88}",
                            "    - media: chips-media: wave5: fix a potential memory leak in",
                            "      wave5_vdi_init()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      send_eos_event()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      handle_dynamic_resolution_change()",
                            "    - arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label",
                            "      position",
                            "    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after",
                            "      system pages",
                            "    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages",
                            "    - spi: bcm63xx: fix controller deregistration",
                            "    - spi: atmel: fix controller deregistration",
                            "    - arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux",
                            "    - regulator: mt6357: fix OF node reference imbalance",
                            "    - spi: st-ssc4: fix controller deregistration",
                            "    - regulator: max77650: fix OF node reference imbalance",
                            "    - media: ti: vpe: Add missing v4l2_device_unregister in vip_remove()",
                            "    - media: rc: streamzap: Error handling in probe",
                            "    - media: i2c: imx283: Enter full standby when stopping streaming",
                            "    - regulator: bq257xx: fix OF node reference imbalance",
                            "    - regulator: rk808: fix OF node reference imbalance",
                            "    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
                            "    - media: mali-c55: Fully reset the ISP configuration",
                            "    - media: intel/ipu6: fix error pointer dereference",
                            "    - media: i2c: imx283: Fix hang when going from large to small resolution",
                            "    - regulator: act8945a: fix OF node reference imbalance",
                            "    - regulator: s2dos05: fix OF node reference imbalance",
                            "    - regulator: bd9571mwv: fix OF node reference imbalance",
                            "    - spi: lantiq-ssc: fix controller deregistration",
                            "    - spi: meson-spicc: fix controller deregistration",
                            "    - spi: qup: fix controller deregistration",
                            "    - arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO",
                            "    - spi: at91-usart: fix controller deregistration",
                            "    - media: ipu-bridge: Add upside-down sensor DMI quirk for Dell XPS 13 9340",
                            "      and XPS 14 9440",
                            "    - spi: amlogic-spisg: fix controller deregistration",
                            "    - spi: aspeed-smc: fix controller deregistration",
                            "    - drm/colorop: Preserve bypass value in duplicate_state()",
                            "    - drm/atomic: Add affected colorops with affected planes",
                            "    - platform/x86: hp-wmi: Ignore backlight and FnLock events",
                            "    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to",
                            "      copy",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for",
                            "      pinctrl/pinctrl_aon",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt",
                            "    - media: pci: zoran: fix potential memory leak in zoran_probe()",
                            "    - media: dib8000: avoid division by 0 in dib8000_set_dds()",
                            "    - media: i2c: imx412: Assert reset GPIO during probe",
                            "    - media: staging: imx: request mbus_config in csi_start",
                            "    - media: i2c: ov08d10: fix image vertical start setting",
                            "    - media: i2c: ov08d10: fix runtime PM handling in probe",
                            "    - media: omap3isp: drop the use count of v4l2 pipeline",
                            "    - media: iris: fix QCOM_MDT_LOADER dependency",
                            "    - media: qcom: camss: Fix csid clock configuration for sa8775p",
                            "    - media: qcom: camss: Fix csid IRQ offset for sa8775p",
                            "    - media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on",
                            "      SC7280",
                            "    - media: venus: fix QCOM_MDT_LOADER dependency",
                            "    - media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()",
                            "    - media: iris: switch to hardware mode after firmware boot",
                            "    - media: qcom: camss: Add missing clocks for VFE lite on sa8775p",
                            "    - spi: mxs: fix controller deregistration",
                            "    - spi: mt65xx: fix controller deregistration",
                            "    - spi: dln2: fix controller deregistration",
                            "    - spi: s3c64xx: fix controller deregistration",
                            "    - spi: fsl-espi: fix controller deregistration",
                            "    - spi: omap2-mcspi: fix controller deregistration",
                            "    - spi: pic32: fix controller deregistration",
                            "    - spi: ep93xx: fix controller deregistration",
                            "    - spi: mtk-nor: fix controller deregistration",
                            "    - spi: pl022: fix controller deregistration",
                            "    - spi: sh-hspi: fix controller deregistration",
                            "    - spi: bcmbca-hsspi: fix controller deregistration",
                            "    - spi: coldfire-qspi: fix controller deregistration",
                            "    - spi: npcm-pspi: fix controller deregistration",
                            "    - spi: cavium-thunderx: fix controller deregistration",
                            "    - spi: pic32-sqi: fix controller deregistration",
                            "    - spi: sprd: fix controller deregistration",
                            "    - spi: sh-msiof: fix controller deregistration",
                            "    - spi: slave-mt27xx: fix controller deregistration",
                            "    - spi: img-spfi: fix controller deregistration",
                            "    - spi: mpfs: fix controller deregistration",
                            "    - spi: octeon: fix controller deregistration",
                            "    - spi: imx: fix runtime pm leak on probe deferral",
                            "    - spi: mxic: fix controller deregistration",
                            "    - spi: orion: fix controller deregistration",
                            "    - spi: orion: fix runtime pm leak on unbind",
                            "    - spi: orion: fix clock imbalance on registration failure",
                            "    - spi: cadence: fix controller deregistration",
                            "    - spi: cadence-quadspi: fix controller deregistration",
                            "    - spi: cadence: fix unclocked access on unbind",
                            "    - spi: cadence: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm disable imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm and clock imbalance on unbind",
                            "    - drm/colorop: Fix blob property reference tracking in state lifecycle",
                            "    - drm/imx: parallel-display: Prefer bus format set via legacy \"interface-",
                            "      pix-fmt\" DT property",
                            "    - drm/msm: always recover the gpu",
                            "    - drm/v3d: Reject empty multisync extension to prevent infinite loop",
                            "    - drm/i915/psr: Init variable to avoid early exit from et alignment loop",
                            "    - drm/amd/display: fix math_mod() using arg1 instead of arg2",
                            "    - drm/amd: Add missing firmware declaration for PSP v15.0.0",
                            "    - drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0",
                            "      .",
                            "    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.",
                            "    - drm/amdgpu: gate VM CPU HDP flush on reset lock",
                            "    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x",
                            "    - drm/amdkfd: Add upper bound check for num_of_nodes",
                            "    - drm/amdgpu/vce: Prevent partial address patches",
                            "    - drm/amd/display: Change dither policy for 10 bpc output back to",
                            "      dithering",
                            "    - drm/appletbdrm: Use kvzalloc for big allocations",
                            "    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11 and",
                            "      higher.",
                            "    - drm/udl: Increase GET_URB_TIMEOUT",
                            "    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()",
                            "    - drm/xe/bo: Fix bo leak on unaligned size validation in",
                            "      xe_bo_init_locked()",
                            "    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
                            "    - drm/radeon: add missing revision check for CI",
                            "    - drm/amdgpu: zero-initialize GART table on allocation",
                            "    - drm/exynos: remove bridge when component_add fails",
                            "    - drm/amdgpu/userq: fix access to stale wptr mapping",
                            "    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ",
                            "    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer",
                            "    - drm/sti: remove bridge when sti_hda component_add fails",
                            "    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdkfd: Make all TLB-flushes heavy-weight",
                            "    - drm/amdgpu/pm: add missing revision check for CI",
                            "    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon",
                            "    - arm64: dts: qcom: kodiak: Fix PCIe1 PHY ref clock voting",
                            "    - arm64: dts: qcom: lemans: Correct QUP interrupt numbers",
                            "    - arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22",
                            "    - arm64: dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO",
                            "    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure",
                            "    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation",
                            "    - usb: typec: tcpm: reset internal port states on soft reset AMS",
                            "    - io_uring/zcrx: use guards for locking",
                            "    - io_uring/zcrx: warn on freelist violations",
                            "    - kho: fix error handling in kho_add_subtree()",
                            "    - EDAC/versalnet: Refactor memory controller initialization and cleanup",
                            "    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: uniphier: fix controller deregistration",
                            "    - cgroup: Increment nr_dying_subsys_* from rmdir context",
                            "    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()",
                            "    - perf build: fix \"argument list too long\" in second location",
                            "    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from mmap()",
                            "    - vsock/virtio: fix length and offset in tap skb for split packets",
                            "    - drm/amdgpu/vcn3: Avoid overflow on msg bound check",
                            "    - drm/amdgpu/vcn4: Avoid overflow on msg bound check",
                            "    - Linux 7.0.9",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46214",
                            "    - vsock/virtio: fix accept queue count leak on transport mismatch",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46207",
                            "    - vsock/virtio: fix empty payload in tap skb for non-linear buffers",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46234",
                            "    - vsock: fix buffer size clamping order",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46223",
                            "    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46221",
                            "    - EDAC/versalnet: Fix device name memory leak",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46231",
                            "    - batman-adv: bla: put backbone reference on failed claim hash insert",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46233",
                            "    - batman-adv: bla: only purge non-released claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46212",
                            "    - batman-adv: bla: prevent use-after-free when deleting claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46238",
                            "    - batman-adv: stop caching unowned originator pointers in BAT IV",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46208",
                            "    - batman-adv: stop tp_meter sessions during mesh teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46206",
                            "    - batman-adv: reject new tp_meter sessions during teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46198",
                            "    - batman-adv: fix integer overflow on buff_pos",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46227",
                            "    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in",
                            "      SCTP_SENDALL",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46220",
                            "    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46215",
                            "    - drm: Set old handle to NULL before prime swap in change_handle",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46201",
                            "    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46224",
                            "    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46197",
                            "    - drm/amdkfd: validate SVM ioctl nattr against buffer size",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46209",
                            "    - drm/gem: Fix inconsistent plane dimension calculation in",
                            "      drm_gem_fb_init_with_funcs()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46230",
                            "    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46199",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46204",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46218",
                            "    - drm/amdgpu: Add bounds checking to ib_{get,set}_value",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46229",
                            "    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46211",
                            "    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46203",
                            "    - spi: cadence-quadspi: fix unclocked access on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46219",
                            "    - spi: mpc52xx: fix use-after-free on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46200",
                            "    - spi: mpc52xx: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46241",
                            "    - spi: mpc52xx: fix use-after-free on registration failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46225",
                            "    - spi: rspi: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46226",
                            "    - spi: fsl: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46228",
                            "    - spi: ch341: fix devres lifetime",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46216",
                            "    - drm/xe/hdcp: Add NULL check for media_gt in",
                            "      intel_hdcp_gsc_check_status()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46210",
                            "    - media: iris: fix use-after-free of fmt_src during MBPF check",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46240",
                            "    - media: iris: Fix use-after-free in iris_release_internal_buffers()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46235",
                            "    - media: saa7164: add ioremap return checks and cleanups",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46222",
                            "    - media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46239",
                            "    - media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46236",
                            "    - media: rc: xbox_remote: heed DMA restrictions",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46205",
                            "    - staging: media: atomisp: Disallow all private IOCTLs",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46202",
                            "    - HID: appletb-kbd: run inactivity autodim from workqueues",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46213",
                            "    - HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46232",
                            "    - HID: playstation: Clamp num_touch_reports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988)",
                            "    - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states",
                            "    - ACPI: scan: Use acpi_dev_put() in object add error paths",
                            "    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO",
                            "    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug",
                            "    - ACPI: video: force native backlight on HP OMEN 16 (8A44)",
                            "    - iommufd: Fix a race with concurrent allocation and unmap",
                            "    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command",
                            "    - spi: rockchip: fix controller deregistration",
                            "    - ksmbd: rewrite stop_sessions() with restartable iteration",
                            "    - flow_dissector: do not dissect PPPoE PFC frames",
                            "    - smb: client/smbdirect: fix MR registration for coalesced SG lists",
                            "    - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr",
                            "    - wifi: mt76: mt7925: fix incorrect length field in txpower command",
                            "    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work",
                            "    - wifi: ath5k: do not access array OOB",
                            "    - ALSA: usb-audio: midi2: Restart output URBs on resume",
                            "    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check",
                            "    - usb: dwc3: Move GUID programming after PHY initialization",
                            "    - USB: omap_udc: DMA: Don't enable burst 4 mode",
                            "    - USB: serial: option: add Telit Cinterion LE910Cx compositions",
                            "    - usb: typec: tcpm: fix debug accessory mode detection for sink ports",
                            "    - ALSA: hda: cs35l56: Propagate ASP TX source control errors",
                            "    - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi",
                            "      Laptop Pro 15",
                            "    - ALSA: firewire-tascam: Do not drop unread control events",
                            "    - ALSA: core: Serialize deferred fasync state checks",
                            "    - ALSA: seq: Fix UMP group 16 filtering",
                            "    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o",
                            "    - x86/efi: Restore IRQ state in EFI page fault handler",
                            "    - xfrm: provide message size for XFRM_MSG_MAPPING",
                            "    - selinux: fix avdcache auditing",
                            "    - selinux: don't reserve xattr slot when we won't fill it",
                            "    - selinux: shrink critical section in sel_write_load()",
                            "    - selinux: prune /sys/fs/selinux/checkreqprot",
                            "    - selinux: prune /sys/fs/selinux/disable",
                            "    - selinux: prune /sys/fs/selinux/user",
                            "    - selinux: allow multiple opens of /sys/fs/selinux/policy",
                            "    - io_uring/kbuf: support min length left for incremental buffers",
                            "    - io_uring/tw: serialize ctx->retry_llist with ->uring_lock",
                            "    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()",
                            "    - rust: drm: gem: clean up GEM state in init failure case",
                            "    - rust: allow `clippy::collapsible_match` globally",
                            "    - rust: allow `clippy::collapsible_if` globally",
                            "    - rust: pin-init: internal: move alignment check to `make_field_check`",
                            "    - spi: syncuacer: fix controller deregistration",
                            "    - spi: sun4i: fix controller deregistration",
                            "    - spi: zynq-qspi: fix controller deregistration",
                            "    - spi: ti-qspi: fix controller deregistration",
                            "    - spi: sun6i: fix controller deregistration",
                            "    - spi: tegra114: fix controller deregistration",
                            "    - spi: zynqmp-gqspi: fix controller deregistration",
                            "    - spi: tegra20-sflash: fix controller deregistration",
                            "    - spi: s3c64xx: fix NULL-deref on driver unbind",
                            "    - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in",
                            "      rtw_cbuf_alloc",
                            "    - staging: vme_user: fix root device leak on init failure",
                            "    - KVM: arm64: Fix kvm_vcpu_initialized() macro parameter",
                            "    - arm64: signal: Preserve POR_EL0 if poe_context is missing",
                            "    - mm/hugetlb_cma: round up per_node before logging it",
                            "    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT",
                            "    - LoongArch: KVM: Compile switch.S directly into the kernel",
                            "    - mptcp: pm: ADD_ADDR rtx: skip inactive subflows",
                            "    - perf/x86/intel: Improve validation and configuration of ACR masks",
                            "    - selftests/rseq: Don't run tests with runner scripts outside of the",
                            "      scripts",
                            "    - rseq: Set rseq::cpu_id_start to 0 on unregistration",
                            "    - rseq: Protect rseq_reset() against interrupts",
                            "    - rseq: Don't advertise time slice extensions if disabled",
                            "    - selftests/rseq: Make registration flexible for legacy and optimized mode",
                            "    - selftests/rseq: Skip tests if time slice extensions are not available",
                            "    - selftests/rseq: Validate legacy behavior",
                            "    - selftests/rseq: Expand for optimized RSEQ ABI v2",
                            "    - pseries/papr-hvpipe: Fix race with interrupt handler",
                            "    - pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()",
                            "    - pseries/papr-hvpipe: Fix the usage of copy_to_user()",
                            "    - net: libwx: use request_irq for VF misc interrupt",
                            "    - netpoll: pass buffer size to egress_dev() to avoid MAC truncation",
                            "    - ovl: fix verity lazy-load guard broken by fsverity_active() semantic",
                            "      change",
                            "    - parisc: Fix IRQ leak in LASI driver",
                            "    - x86/efi: Fix graceful fault handling after FPU softirq changes",
                            "    - hwmon: (ltc2992) Clamp threshold writes to hardware range",
                            "    - hwmon: (ltc2992) Fix u32 overflow in power read path",
                            "    - clk: rk808: fix OF node reference imbalance",
                            "    - hwmon: (corsair-psu) Close HID device on probe errors",
                            "    - af_unix: Reject SIOCATMARK on non-stream sockets",
                            "    - arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's",
                            "    - pmdomain: mediatek: fix use-after-free in",
                            "      scpsys_get_bus_protection_legacy()",
                            "    - block: fix zone write plug removal",
                            "    - block: only read from sqe on initial invocation of blkdev_uring_cmd()",
                            "    - cifs: abort open_cached_dir if we don't request leases",
                            "    - cifs: change_conf needs to be called for session setup",
                            "    - extcon: ptn5150: handle pending IRQ events during system resume",
                            "    - gpio: of: clear OF_POPULATED on hog nodes in remove path",
                            "    - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS",
                            "    - hv_sock: fix ARM64 support",
                            "    - hv_sock: Report EOF instead of -EIO for FIN",
                            "    - hv_sock: Return -EIO for malformed/short packets",
                            "    - spi: microchip-core-qspi: fix controller deregistration",
                            "    - spi: microchip-core-spi: fix controller deregistration",
                            "    - tracefs: Fix default permissions not being applied on initial mount",
                            "    - udf: reject descriptors with oversized CRC length",
                            "    - x86/boot/e820: Re-enable BIOS fallback if e820 table is empty",
                            "    - thermal: core: Free thermal zone ID later during removal",
                            "    - thermal/drivers/sprd: Fix temperature clamping in",
                            "      sprd_thm_temp_to_rawdata",
                            "    - thermal/drivers/sprd: Fix raw temperature clamping in",
                            "      sprd_thm_rawdata_to_temp",
                            "    - spi: topcliff-pch: fix controller deregistration",
                            "    - spi: topcliff-pch: fix use-after-free on unbind",
                            "    - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section",
                            "    - tracing/fprobe: Remove fprobe from hash in failure path",
                            "    - tracing/fprobe: Unregister fprobe even if memory allocation fails",
                            "    - tracing/probes: Limit size of event probe to 3K",
                            "    - tracing/fprobe: Check the same type fprobe on table as the unregistered",
                            "      one",
                            "    - clk: imx: imx8-acm: fix flags for acm clocks",
                            "    - clk: microchip: mpfs-ccc: fix out of bounds access during output",
                            "      registration",
                            "    - cpuidle: powerpc: avoid double clear when breaking snooze",
                            "    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk",
                            "      table",
                            "    - ASoC: ES8389: convert to devm_clk_get_optional() to get clock",
                            "    - ASoC: fsl_easrc: fix comment typo",
                            "    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error",
                            "    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop",
                            "    - ASoC: qcom: q6apm: remove child devices when apm is removed",
                            "    - btrfs: do not mark inode incompressible after inline attempt fails",
                            "    - dm: don't report warning when doing deferred remove",
                            "    - dm: fix a buffer overflow in ioctl processing",
                            "    - dm-verity-fec: correctly reject too-small FEC devices",
                            "    - dm-verity-fec: correctly reject too-small hash devices",
                            "    - dm-verity-fec: fix corrected block count stat",
                            "    - dm-verity-fec: fix the size of dm_verity_fec_io::erasures",
                            "    - isofs: validate Rock Ridge CE continuation extent against volume size",
                            "    - iommufd: Fix return value of iommufd_fault_fops_write()",
                            "    - iommu/vt-d: Block PASID attachment to nested domain with dirty tracking",
                            "    - iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update",
                            "    - lib/crc: tests: Make crc_kunit test only the enabled CRC variants",
                            "    - lib/scatterlist: fix temp buffer in extract_user_to_sg()",
                            "    - nvme-apple: drop invalid put of admin queue reference count",
                            "    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
                            "    - pmdomain: core: Fix detach procedure for virtual devices in genpd",
                            "    - psp: strip variable-length PSP header in psp_dev_rcv()",
                            "    - s390/debug: Reject zero-length input in debug_input_flush_fn()",
                            "    - s390/debug: Reject zero-length input before trimming a newline",
                            "    - KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty",
                            "    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/stat: detect and use fresh enabled value",
                            "    - PCI: Update saved_config_space upon resource assignment",
                            "    - PCI/AER: Clear only error bits in PCIe Device Status",
                            "    - PCI/AER: Stop ruling out unbound devices as error source",
                            "    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage",
                            "    - power: supply: max17042: avoid overflow when determining health",
                            "    - perf/x86/intel: Always reprogram ACR events to prevent stale masks",
                            "    - perf/x86/intel: Disable PMI for self-reloaded ACR events",
                            "    - perf/x86/intel: Enable auto counter reload for DMR",
                            "    - RDMA/ionic: bound node_desc sysfs read with %.64s",
                            "    - RDMA/ionic: Fix typo in format string",
                            "    - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()",
                            "    - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()",
                            "    - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask",
                            "    - sched_ext: Use dsq->first_task instead of list_empty() in",
                            "      dispatch_enqueue() FIFO-tail",
                            "    - selftests: mptcp: check output: catch cmd errors",
                            "    - selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl",
                            "    - mptcp: fastclose msk when linger time is 0",
                            "    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure",
                            "    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure",
                            "    - mptcp: sockopt: set timestamp flags on subflow socket, not msk",
                            "    - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf",
                            "    - mptcp: fix rx timestamp corruption on fastopen",
                            "    - mptcp: pm: prio: skip closed subflows",
                            "    - mptcp: pm: kernel: reset fullmesh counter after flush",
                            "    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker",
                            "    - mptcp: pm: ADD_ADDR rtx: return early if no retrans",
                            "    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()",
                            "    - f2fs: fix false alarm of lockdep on cp_global_sem lock",
                            "    - f2fs: fix fiemap boundary handling when read extent cache is incomplete",
                            "    - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage",
                            "    - f2fs: fix incorrect file address mapping when inline inode is unwritten",
                            "    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()",
                            "    - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()",
                            "    - f2fs: refactor f2fs_move_node_folio function",
                            "    - f2fs: fix inline data not being written to disk in writeback path",
                            "    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace",
                            "    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value",
                            "    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()",
                            "    - KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer",
                            "    - KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer",
                            "    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS",
                            "    - LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry",
                            "    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by",
                            "      software",
                            "    - LoongArch: KVM: Move unconditional delay into timer clear scenery",
                            "    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()",
                            "    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup",
                            "    - mmc: core: Adjust MDT beyond 2025",
                            "    - mmc: core: Add quirk for incorrect manufacturing date",
                            "    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs",
                            "    - crypto: qat - fix indentation of macros in qat_hal.c",
                            "    - crypto: qat - fix firmware loading failure for GEN6 devices",
                            "    - hfsplus: fix held lock freed on hfsplus_fill_super()",
                            "    - 8021q: use RCU for egress QoS mappings",
                            "    - printk: add print_hex_dump_devel()",
                            "    - crypto: caam - guard HMAC key hex dumps in hash_digest_key",
                            "    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()",
                            "    - rust: pin-init: fix incorrect accessor reference lifetime",
                            "    - Linux 7.0.7",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43490",
                            "    - ksmbd: validate inherited ACE SID length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46174",
                            "    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op",
                            "      cache",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46110",
                            "    - net: stmmac: Prevent NULL deref when RX memory exhausted",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46153",
                            "    - 8021q: delete cleared egress QoS mappings",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46169",
                            "    - hfsplus: fix uninit-value by validating catalog record size",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46188",
                            "    - octeon_ep_vf: add NULL check for napi_build_skb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45837",
                            "    - bpf: Fix use-after-free in arena_vm_close on fork",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46156",
                            "    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46147",
                            "    - KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46175",
                            "    - f2fs: fix fsck inconsistency caused by FGGC of node block",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46194",
                            "    - f2fs: fix node_cnt race between extent node destroy and writeback",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46170",
                            "    - mptcp: pm: ADD_ADDR rtx: free sk if last",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46158",
                            "    - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46168",
                            "    - mptcp: fix scheduling with atomic in timestamp sockopt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46189",
                            "    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46133",
                            "    - RDMA/rxe: Reject unknown opcodes before ICRC processing",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46114",
                            "    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46127",
                            "    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46176",
                            "    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46178",
                            "    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46181",
                            "    - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46145",
                            "    - RDMA/mana: Validate rx_hash_key_len",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46117",
                            "    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46126",
                            "    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46144",
                            "    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46141",
                            "    - powerpc/xive: fix kmemleak caused by incorrect chip_data lookup",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46183",
                            "    - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46121",
                            "    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46131",
                            "    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46139",
                            "    - smb: client: use kzalloc to zero-initialize security descriptor buffer",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46105",
                            "    - scsi: mpt3sas: Limit NVMe request size to 2 MiB",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46171",
                            "    - riscv: kvm: fix vector context allocation leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46112",
                            "    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46165",
                            "    - openvswitch: vport: fix self-deadlock on release of tunnel ports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46161",
                            "    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43492",
                            "    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46124",
                            "    - isofs: validate block number from NFS file handle in isofs_export_iget",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46130",
                            "    - dm-verity-fec: fix reading parity bytes split across blocks (take 3)",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46106",
                            "    - eventfs: Hold eventfs_mutex and SRCU when remount walks events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46107",
                            "    - dm-thin: fix metadata refcount underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46160",
                            "    - btrfs: fix missing last_unlink_trans update when removing a directory",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46164",
                            "    - btrfs: fix double free in create_space_info_sub_group() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46129",
                            "    - btrfs: fix double free in create_space_info() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46159",
                            "    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to",
                            "      info-leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46143",
                            "    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46148",
                            "    - spi: microchip-core-qspi: control built-in cs manually",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46192",
                            "    - spi: microchip-core-qspi: don't attempt to transmit during emulated",
                            "      read-only dual/quad operations",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46162",
                            "    - ice: fix double free in ice_sf_eth_activate() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46273",
                            "    - ibmveth: Disable GSO for packets with small MSS",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46191",
                            "    - fbcon: Avoid OOB font access if console rotation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46134",
                            "    - platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43495",
                            "    - net: wwan: t7xx: validate port_count against message length in",
                            "      t7xx_port_enum_msg_handler",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43502",
                            "    - net/rds: handle zerocopy send cleanup before the message is queued",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46120",
                            "    - ip6_gre: Use cached t->net in ip6erspan_changelink().",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46142",
                            "    - net: libwx: fix VF illegal register access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46118",
                            "    - pseries/papr-hvpipe: Fix null ptr deref in",
                            "      papr_hvpipe_dev_create_handle()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46182",
                            "    - pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46184",
                            "    - sound: ua101: fix division by zero at probe",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43498",
                            "    - accel/ivpu: Disallow re-exporting imported GEM objects",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46132",
                            "    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in",
                            "      rtnl_fill_vfinfo",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46190",
                            "    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46150",
                            "    - fanotify: fix false positive on permission events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45836",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45834",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45835",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46138",
                            "    - Bluetooth: hci_event: Fix OOB read and infinite loop in",
                            "      hci_le_create_big_complete_evt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46111",
                            "    - Bluetooth: hci_conn: fix potential UAF in create_big_sync",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46140",
                            "    - Bluetooth: btmtk: validate WMT event SKB length before struct access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46186",
                            "    - Bluetooth: virtio_bt: validate rx pkt_type header length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46123",
                            "    - Bluetooth: virtio_bt: clamp rx length before skb_put",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46104",
                            "    - selinux: use sk blob accessor in socket permission helpers",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46193",
                            "    - xfrm: ah: account for ESN high bits in async callbacks",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46172",
                            "    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46116",
                            "    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46154",
                            "    - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46157",
                            "    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46109",
                            "    - usb: ulpi: fix memory leak on ulpi_register() error paths",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46146",
                            "    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46167",
                            "    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46151",
                            "    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46180",
                            "    - wifi: brcmfmac: Fix potential use-after-free issue when stopping",
                            "      watchdog task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46122",
                            "    - wifi: b43: enforce bounds check on firmware key index in b43_rx()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46125",
                            "    - wifi: mac80211: remove station if connection prep fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46166",
                            "    - wifi: mac80211: use safe list iteration in radar detect work",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46187",
                            "    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46152",
                            "    - wifi: mac80211: drop stray 'static' from fast-RX rx_result",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46163",
                            "    - wifi: b43legacy: enforce bounds check on firmware key index in RX path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46136",
                            "    - wifi: mt76: mt7921: fix a potential clc buffer length underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46173",
                            "    - exit: prevent preemption of oopsing TASK_DEAD task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43496",
                            "    - net/sched: sch_red: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46113",
                            "    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46179",
                            "    - ASoC: SOF: Don't allow pointer operations on unconfigured streams",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46196",
                            "    - tracepoint: balance regfunc() on func_add() failure in",
                            "      tracepoint_add_func()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43497",
                            "    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46108",
                            "    - ipmi:si: Return state to normal if message allocation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46128",
                            "    - ipmi: Check event message buffer response for bad data",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46177",
                            "    - ipmi: Add limits to event and receive message requests",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46149",
                            "    - scsi: target: configfs: Bound snprintf() return in",
                            "      tg_pt_gp_members_show()",
                            "",
                            "  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,",
                            "    conflicting with nouveau (LP: #2150845)",
                            "    - [Config] Disable NOVA_CORE",
                            "",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "",
                            "  * CVE-2026-46137",
                            "    - mptcp: pm: ADD_ADDR rtx: allow ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: fix potential data-race",
                            "",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "",
                            "  * CVE-2026-46155",
                            "    - smb/client: fix out-of-bounds read in smb2_compound_op()",
                            "",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157520,
                            2154418,
                            2155837,
                            2154174,
                            2154748,
                            2156559,
                            2156556,
                            2150640,
                            2156312,
                            2155096,
                            2154715,
                            2153159,
                            2150071,
                            2154343,
                            2149770,
                            2153155,
                            2152570,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156390,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2150845
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 02:37:29 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-28.28",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 00:59:14 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ntfs-3g",
                "from_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1",
                    "version": "1:2022.10.3-5ubuntu1"
                },
                "to_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1.1",
                    "version": "1:2022.10.3-5ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-42616",
                        "url": "https://ubuntu.com/security/CVE-2026-42616",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in cat() in  cat.c that allows an attacker to corrupt heap memory in the ntfscat  binary by crafting a malicious NTFS image. The overflow is triggered by  reading a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42617",
                        "url": "https://ubuntu.com/security/CVE-2026-42617",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ir_to_ib() in index.c that allows an attacker to corrupt heap  memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS  image. The overflow is triggered by extending a directory, e.g., by  creating a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46572",
                        "url": "https://ubuntu.com/security/CVE-2026-46572",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_cut_tail() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by creating a file in a  crafted directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-56136",
                        "url": "https://ubuntu.com/security/CVE-2026-56136",
                        "cve_description": "In NTFS-3G through 2026.2.25, an out-of-bounds read exists in  ntfs_ir_nill() in libntfs-3g/index.c that allows an attacker to read  possibly confidential information in an ntfs-3g process by crafting a  malicious NTFS image. This read operation is triggered by creation of a  file with a crafted name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42618",
                        "url": "https://ubuntu.com/security/CVE-2026-42618",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_decompress() in compress.c that allows an attacker to corrupt one  byte of heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading the special  crafted file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46569",
                        "url": "https://ubuntu.com/security/CVE-2026-46569",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by extending a  directory, e.g., by creating a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46570",
                        "url": "https://ubuntu.com/security/CVE-2026-46570",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_index_walk_down() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading crafted file  metadata.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46571",
                        "url": "https://ubuntu.com/security/CVE-2026-46571",
                        "cve_description": "In NTFS-3G through 2026.2.25, a out-of-bounds read exists in  ntfs_fix_file_name() in libntfs-3g/reparse.c that allows an attacker to  read possibly confidential information in ntfs-3g process memory by  crafting a malicious NTFS image. The out-of-bounds read is triggered by  a readlink on a corrupted file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-56135",
                        "url": "https://ubuntu.com/security/CVE-2026-56135",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap-based buffer overflow exists in the  function build_inherited_id() in libntfs-3g/security.c that allows an  attacker to corrupt heap memory in the SUID-root ntfs-3g binary by  crafting a malicious NTFS image. The overflow is triggered by creating a  file in a crafted directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-42616",
                                "url": "https://ubuntu.com/security/CVE-2026-42616",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in cat() in  cat.c that allows an attacker to corrupt heap memory in the ntfscat  binary by crafting a malicious NTFS image. The overflow is triggered by  reading a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42617",
                                "url": "https://ubuntu.com/security/CVE-2026-42617",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ir_to_ib() in index.c that allows an attacker to corrupt heap  memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS  image. The overflow is triggered by extending a directory, e.g., by  creating a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46572",
                                "url": "https://ubuntu.com/security/CVE-2026-46572",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_cut_tail() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by creating a file in a  crafted directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-56136",
                                "url": "https://ubuntu.com/security/CVE-2026-56136",
                                "cve_description": "In NTFS-3G through 2026.2.25, an out-of-bounds read exists in  ntfs_ir_nill() in libntfs-3g/index.c that allows an attacker to read  possibly confidential information in an ntfs-3g process by crafting a  malicious NTFS image. This read operation is triggered by creation of a  file with a crafted name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42618",
                                "url": "https://ubuntu.com/security/CVE-2026-42618",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_decompress() in compress.c that allows an attacker to corrupt one  byte of heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading the special  crafted file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46569",
                                "url": "https://ubuntu.com/security/CVE-2026-46569",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by extending a  directory, e.g., by creating a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46570",
                                "url": "https://ubuntu.com/security/CVE-2026-46570",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_index_walk_down() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading crafted file  metadata.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46571",
                                "url": "https://ubuntu.com/security/CVE-2026-46571",
                                "cve_description": "In NTFS-3G through 2026.2.25, a out-of-bounds read exists in  ntfs_fix_file_name() in libntfs-3g/reparse.c that allows an attacker to  read possibly confidential information in ntfs-3g process memory by  crafting a malicious NTFS image. The out-of-bounds read is triggered by  a readlink on a corrupted file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-56135",
                                "url": "https://ubuntu.com/security/CVE-2026-56135",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap-based buffer overflow exists in the  function build_inherited_id() in libntfs-3g/security.c that allows an  attacker to corrupt heap memory in the SUID-root ntfs-3g binary by  crafting a malicious NTFS image. The overflow is triggered by creating a  file in a crafted directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: heap buffer overflow in cat()",
                            "    - debian/patches/CVE-2026-42616.patch: Fix logic in ntfsprogs/ntfscat.c.",
                            "    - CVE-2026-42616",
                            "  * SECURITY UPDATE: buffer overflows and OOB read",
                            "    - debian/patches/CVE-2026-42617_46572_56136.patch: Fix logic in",
                            "      include/ntfs-3g/index.h, libntfs-3g/attrib.c, libntfs-3g/index.c.",
                            "    - CVE-2026-42617",
                            "    - CVE-2026-46572",
                            "    - CVE-2026-56136",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_decompress()",
                            "    - debian/patches/CVE-2026-42618.patch: Fix logic in libntfs-3g/compress.c.",
                            "    - CVE-2026-42618",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_ib_copy_tail()",
                            "    - debian/patches/CVE-2026-46569.patch: Fix logic in libntfs-3g/index.c.",
                            "    - CVE-2026-46569",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_index_walk_down()",
                            "    - debian/patches/CVE-2026-46570.patch: Fix logic in libntfs-3g/index.c.",
                            "    - CVE-2026-46570",
                            "  * SECURITY UPDATE: out-of-bounds read in ntfs_fix_file_name()",
                            "    - debian/patches/CVE-2026-46571.patch: Fix logic in libntfs-3g/reparse.c.",
                            "    - CVE-2026-46571",
                            "  * SECURITY UPDATE: heap-based overflow in function build_inherited_id()",
                            "    - debian/patches/CVE-2026-56135.patch: Fix logic in include/ntfs-3g/acls.h,",
                            "      libntfs-3g/acls.c, libntfs-3g/security.c.",
                            "    - CVE-2026-56135",
                            ""
                        ],
                        "package": "ntfs-3g",
                        "version": "1:2022.10.3-5ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Sat, 11 Jul 2026 11:55:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-httplib2",
                "from_version": {
                    "source_package_name": "python-httplib2",
                    "source_package_version": "0.22.0-1build1",
                    "version": "0.22.0-1build1"
                },
                "to_version": {
                    "source_package_name": "python-httplib2",
                    "source_package_version": "0.22.0-1ubuntu0.1",
                    "version": "0.22.0-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59939",
                        "url": "https://ubuntu.com/security/CVE-2026-59939",
                        "cve_description": "httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 20:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59939",
                                "url": "https://ubuntu.com/security/CVE-2026-59939",
                                "cve_description": "httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: unbounded decompression of HTTP response bodies",
                            "    - debian/patches/CVE-2026-59939.patch: decompression limited by size and",
                            "      ratio; require python 3.8+ in README.md, python3/httplib2/__init__.py,",
                            "      python3/httplib2/decode.py, setup.cfg, tests/__init__.py,",
                            "      tests/test_encoding.py.",
                            "    - CVE-2026-59939",
                            ""
                        ],
                        "package": "python-httplib2",
                        "version": "0.22.0-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 10 Jul 2026 07:17:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-idna",
                "from_version": {
                    "source_package_name": "python-idna",
                    "source_package_version": "3.11-1",
                    "version": "3.11-1"
                },
                "to_version": {
                    "source_package_name": "python-idna",
                    "source_package_version": "3.11-1ubuntu0.1",
                    "version": "3.11-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-45409",
                        "url": "https://ubuntu.com/security/CVE-2026-45409",
                        "cve_description": "Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `\"\\u0660\" * N` or `\"\\u30fb\" * N + \"\\u6f22\"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process. This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support). A workaround is available. Domain names cannot exceed 253 characters in length. If this length limit is enforced prior to passing the domain to the `idna.encode()` function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-05 23:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-45409",
                                "url": "https://ubuntu.com/security/CVE-2026-45409",
                                "cve_description": "Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `\"\\u0660\" * N` or `\"\\u30fb\" * N + \"\\u6f22\"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process. This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support). A workaround is available. Domain names cannot exceed 253 characters in length. If this length limit is enforced prior to passing the domain to the `idna.encode()` function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-05 23:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: DoS via specially crafted inputs to idna.encode()",
                            "    - debian/patches/CVE-2026-45409-1.patch: Reject oversized inputs up-front in",
                            "      idna/core.py, tests/test_idna.py.",
                            "    - debian/patches/CVE-2026-45409-2.patch: Use valid_string_length() for early",
                            "      oversized-input check in idna/core.py.",
                            "    - debian/patches/CVE-2026-45409-3.patch: Enforce early length limits in",
                            "      check_label in idna/core.py, tests/test_idna.py.",
                            "    - CVE-2026-45409",
                            ""
                        ],
                        "package": "python-idna",
                        "version": "3.11-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 14 Jul 2026 13:17:09 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tar",
                "from_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.35+dfsg-4ubuntu0.2",
                    "version": "1.35+dfsg-4ubuntu0.2"
                },
                "to_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.35+dfsg-4ubuntu0.3",
                    "version": "1.35+dfsg-4ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-5704",
                        "url": "https://ubuntu.com/security/CVE-2026-5704",
                        "cve_description": "A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2160650
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5704",
                                "url": "https://ubuntu.com/security/CVE-2026-5704",
                                "cve_description": "A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: Extract files issue",
                            "    - debian/patches/CVE-2026-5704-*.patch: address a regression",
                            "      that makes valid files not extract in src/list.c,",
                            "      tests/Makefile.am, tests/extrac32.at, tests/extrac34.at,",
                            "      test/testsuite.at, src/extract.c, tests/extract23,",
                            "      tests/extrac30.at (LP: #2160650).",
                            ""
                        ],
                        "package": "tar",
                        "version": "1.35+dfsg-4ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [
                            2160650
                        ],
                        "author": "Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>",
                        "date": "Wed, 15 Jul 2026 08:59:43 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu",
                    "version": "37.2ubuntu"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu0.1",
                    "version": "37.2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9494",
                        "url": "https://ubuntu.com/security/CVE-2026-9494",
                        "cve_description": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/<pid>/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11386",
                        "url": "https://ubuntu.com/security/CVE-2026-11386",
                        "cve_description": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-<name>.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-12391",
                        "url": "https://ubuntu.com/security/CVE-2026-12391",
                        "cve_description": "An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9494",
                                "url": "https://ubuntu.com/security/CVE-2026-9494",
                                "cve_description": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/<pid>/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11386",
                                "url": "https://ubuntu.com/security/CVE-2026-11386",
                                "cve_description": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-<name>.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-12391",
                                "url": "https://ubuntu.com/security/CVE-2026-12391",
                                "cve_description": "An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Information disclosure",
                            "    - Remove credentials out of argv into apt's own auth.conf.d facility.",
                            "    - CVE-2026-9494",
                            "  * SECURITY UPDATE: Improper input validation",
                            "    - enforce StrictStringDataValue to applicable fields in directives",
                            "    - reject newline, carriage return, spaces, and shell meta characters ",
                            "      in StrictStringDataValue",
                            "    - CVE-2026-11386",
                            "  * SECURITY UPDATE: Symlink attack",
                            "    - reject symlink log files in user-controlled directory trees during ",
                            "      pro collect-logs",
                            "    - restrict pro collect-logs generated support archive permission to ",
                            "      root only",
                            "    - CVE-2026-12391",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37.2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Eduardo Barretto <eduardo.barretto@canonical.com>",
                        "date": "Mon, 06 Jul 2026 11:33:39 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client-l10n",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu",
                    "version": "37.2ubuntu"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu0.1",
                    "version": "37.2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9494",
                        "url": "https://ubuntu.com/security/CVE-2026-9494",
                        "cve_description": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/<pid>/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11386",
                        "url": "https://ubuntu.com/security/CVE-2026-11386",
                        "cve_description": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-<name>.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-12391",
                        "url": "https://ubuntu.com/security/CVE-2026-12391",
                        "cve_description": "An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9494",
                                "url": "https://ubuntu.com/security/CVE-2026-9494",
                                "cve_description": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/<pid>/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11386",
                                "url": "https://ubuntu.com/security/CVE-2026-11386",
                                "cve_description": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-<name>.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-12391",
                                "url": "https://ubuntu.com/security/CVE-2026-12391",
                                "cve_description": "An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Information disclosure",
                            "    - Remove credentials out of argv into apt's own auth.conf.d facility.",
                            "    - CVE-2026-9494",
                            "  * SECURITY UPDATE: Improper input validation",
                            "    - enforce StrictStringDataValue to applicable fields in directives",
                            "    - reject newline, carriage return, spaces, and shell meta characters ",
                            "      in StrictStringDataValue",
                            "    - CVE-2026-11386",
                            "  * SECURITY UPDATE: Symlink attack",
                            "    - reject symlink log files in user-controlled directory trees during ",
                            "      pro collect-logs",
                            "    - restrict pro collect-logs generated support archive permission to ",
                            "      root only",
                            "    - CVE-2026-12391",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37.2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Eduardo Barretto <eduardo.barretto@canonical.com>",
                        "date": "Mon, 06 Jul 2026 11:33:39 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-common",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-runtime",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-tiny",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "wget",
                "from_version": {
                    "source_package_name": "wget",
                    "source_package_version": "1.25.0-2ubuntu4",
                    "version": "1.25.0-2ubuntu4"
                },
                "to_version": {
                    "source_package_name": "wget",
                    "source_package_version": "1.25.0-2ubuntu4.2",
                    "version": "1.25.0-2ubuntu4.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-58469",
                        "url": "https://ubuntu.com/security/CVE-2026-58469",
                        "cve_description": "GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-07 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-58470",
                        "url": "https://ubuntu.com/security/CVE-2026-58470",
                        "cve_description": "GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-07 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-58471",
                        "url": "https://ubuntu.com/security/CVE-2026-58471",
                        "cve_description": "GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-07 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-58472",
                        "url": "https://ubuntu.com/security/CVE-2026-58472",
                        "cve_description": "GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-07 21:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-58469",
                                "url": "https://ubuntu.com/security/CVE-2026-58469",
                                "cve_description": "GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-07 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-58470",
                                "url": "https://ubuntu.com/security/CVE-2026-58470",
                                "cve_description": "GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-07 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-58471",
                                "url": "https://ubuntu.com/security/CVE-2026-58471",
                                "cve_description": "GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-07 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-58472",
                                "url": "https://ubuntu.com/security/CVE-2026-58472",
                                "cve_description": "GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-07 21:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Buffer overflow in metalink.",
                            "    - debian/patches/CVE-2026-58469.patch: Fix buffer overflow in",
                            "      src/metalink.c",
                            "    - CVE-2026-58469",
                            "  * SECURITY UPDATE: Integer overflow in http",
                            "    - debian/patches/CVE-2026-58470.patch: Fix integer overflow in src/http.c",
                            "    - CVE-2026-58470",
                            "  * SECURITY UPDATE: Buffer overflow in convert_fname.",
                            "    - debian/patches/CVE-2026-58471.patch: Fix buffer overflow in src/url.c",
                            "    - CVE-2026-58471",
                            "  * SECURITY UPDATE: Integer and buffer overflow in html_quote_string.",
                            "    - debian/patches/CVE-2026-58472.patch: Fix integer+buffer overflow in",
                            "      src/convert.c",
                            "    - CVE-2026-58472",
                            ""
                        ],
                        "package": "wget",
                        "version": "1.25.0-2ubuntu4.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Fri, 10 Jul 2026 15:58:26 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-headers-7.0.0-28",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46318",
                        "url": "https://ubuntu.com/security/CVE-2026-46318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46322",
                        "url": "https://ubuntu.com/security/CVE-2026-46322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46320",
                        "url": "https://ubuntu.com/security/CVE-2026-46320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46321",
                        "url": "https://ubuntu.com/security/CVE-2026-46321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46316",
                        "url": "https://ubuntu.com/security/CVE-2026-46316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46317",
                        "url": "https://ubuntu.com/security/CVE-2026-46317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45846",
                        "url": "https://ubuntu.com/security/CVE-2026-45846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45845",
                        "url": "https://ubuntu.com/security/CVE-2026-45845",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45844",
                        "url": "https://ubuntu.com/security/CVE-2026-45844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46242",
                        "url": "https://ubuntu.com/security/CVE-2026-46242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-30 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45843",
                        "url": "https://ubuntu.com/security/CVE-2026-45843",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45842",
                        "url": "https://ubuntu.com/security/CVE-2026-45842",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45841",
                        "url": "https://ubuntu.com/security/CVE-2026-45841",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45840",
                        "url": "https://ubuntu.com/security/CVE-2026-45840",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45839",
                        "url": "https://ubuntu.com/security/CVE-2026-45839",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45838",
                        "url": "https://ubuntu.com/security/CVE-2026-45838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46214",
                        "url": "https://ubuntu.com/security/CVE-2026-46214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46207",
                        "url": "https://ubuntu.com/security/CVE-2026-46207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46234",
                        "url": "https://ubuntu.com/security/CVE-2026-46234",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46223",
                        "url": "https://ubuntu.com/security/CVE-2026-46223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46221",
                        "url": "https://ubuntu.com/security/CVE-2026-46221",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46231",
                        "url": "https://ubuntu.com/security/CVE-2026-46231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46233",
                        "url": "https://ubuntu.com/security/CVE-2026-46233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46212",
                        "url": "https://ubuntu.com/security/CVE-2026-46212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46238",
                        "url": "https://ubuntu.com/security/CVE-2026-46238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46208",
                        "url": "https://ubuntu.com/security/CVE-2026-46208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46206",
                        "url": "https://ubuntu.com/security/CVE-2026-46206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46198",
                        "url": "https://ubuntu.com/security/CVE-2026-46198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46227",
                        "url": "https://ubuntu.com/security/CVE-2026-46227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46220",
                        "url": "https://ubuntu.com/security/CVE-2026-46220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46215",
                        "url": "https://ubuntu.com/security/CVE-2026-46215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46201",
                        "url": "https://ubuntu.com/security/CVE-2026-46201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46224",
                        "url": "https://ubuntu.com/security/CVE-2026-46224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46197",
                        "url": "https://ubuntu.com/security/CVE-2026-46197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46209",
                        "url": "https://ubuntu.com/security/CVE-2026-46209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46230",
                        "url": "https://ubuntu.com/security/CVE-2026-46230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46199",
                        "url": "https://ubuntu.com/security/CVE-2026-46199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46204",
                        "url": "https://ubuntu.com/security/CVE-2026-46204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46218",
                        "url": "https://ubuntu.com/security/CVE-2026-46218",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46229",
                        "url": "https://ubuntu.com/security/CVE-2026-46229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46211",
                        "url": "https://ubuntu.com/security/CVE-2026-46211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46203",
                        "url": "https://ubuntu.com/security/CVE-2026-46203",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46219",
                        "url": "https://ubuntu.com/security/CVE-2026-46219",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46200",
                        "url": "https://ubuntu.com/security/CVE-2026-46200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46241",
                        "url": "https://ubuntu.com/security/CVE-2026-46241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46225",
                        "url": "https://ubuntu.com/security/CVE-2026-46225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46226",
                        "url": "https://ubuntu.com/security/CVE-2026-46226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46228",
                        "url": "https://ubuntu.com/security/CVE-2026-46228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46216",
                        "url": "https://ubuntu.com/security/CVE-2026-46216",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46210",
                        "url": "https://ubuntu.com/security/CVE-2026-46210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46240",
                        "url": "https://ubuntu.com/security/CVE-2026-46240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46235",
                        "url": "https://ubuntu.com/security/CVE-2026-46235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46222",
                        "url": "https://ubuntu.com/security/CVE-2026-46222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46239",
                        "url": "https://ubuntu.com/security/CVE-2026-46239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46236",
                        "url": "https://ubuntu.com/security/CVE-2026-46236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46205",
                        "url": "https://ubuntu.com/security/CVE-2026-46205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46202",
                        "url": "https://ubuntu.com/security/CVE-2026-46202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46213",
                        "url": "https://ubuntu.com/security/CVE-2026-46213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46232",
                        "url": "https://ubuntu.com/security/CVE-2026-46232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43490",
                        "url": "https://ubuntu.com/security/CVE-2026-43490",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 06:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46174",
                        "url": "https://ubuntu.com/security/CVE-2026-46174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46110",
                        "url": "https://ubuntu.com/security/CVE-2026-46110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46153",
                        "url": "https://ubuntu.com/security/CVE-2026-46153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46169",
                        "url": "https://ubuntu.com/security/CVE-2026-46169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46188",
                        "url": "https://ubuntu.com/security/CVE-2026-46188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45837",
                        "url": "https://ubuntu.com/security/CVE-2026-45837",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46156",
                        "url": "https://ubuntu.com/security/CVE-2026-46156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46147",
                        "url": "https://ubuntu.com/security/CVE-2026-46147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46175",
                        "url": "https://ubuntu.com/security/CVE-2026-46175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46194",
                        "url": "https://ubuntu.com/security/CVE-2026-46194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46170",
                        "url": "https://ubuntu.com/security/CVE-2026-46170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46158",
                        "url": "https://ubuntu.com/security/CVE-2026-46158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46168",
                        "url": "https://ubuntu.com/security/CVE-2026-46168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46189",
                        "url": "https://ubuntu.com/security/CVE-2026-46189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46133",
                        "url": "https://ubuntu.com/security/CVE-2026-46133",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46114",
                        "url": "https://ubuntu.com/security/CVE-2026-46114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46127",
                        "url": "https://ubuntu.com/security/CVE-2026-46127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46176",
                        "url": "https://ubuntu.com/security/CVE-2026-46176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46178",
                        "url": "https://ubuntu.com/security/CVE-2026-46178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46181",
                        "url": "https://ubuntu.com/security/CVE-2026-46181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46145",
                        "url": "https://ubuntu.com/security/CVE-2026-46145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46117",
                        "url": "https://ubuntu.com/security/CVE-2026-46117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46126",
                        "url": "https://ubuntu.com/security/CVE-2026-46126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46144",
                        "url": "https://ubuntu.com/security/CVE-2026-46144",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46141",
                        "url": "https://ubuntu.com/security/CVE-2026-46141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46183",
                        "url": "https://ubuntu.com/security/CVE-2026-46183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46121",
                        "url": "https://ubuntu.com/security/CVE-2026-46121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46131",
                        "url": "https://ubuntu.com/security/CVE-2026-46131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46139",
                        "url": "https://ubuntu.com/security/CVE-2026-46139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46105",
                        "url": "https://ubuntu.com/security/CVE-2026-46105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46171",
                        "url": "https://ubuntu.com/security/CVE-2026-46171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46112",
                        "url": "https://ubuntu.com/security/CVE-2026-46112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46165",
                        "url": "https://ubuntu.com/security/CVE-2026-46165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46161",
                        "url": "https://ubuntu.com/security/CVE-2026-46161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43492",
                        "url": "https://ubuntu.com/security/CVE-2026-43492",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46124",
                        "url": "https://ubuntu.com/security/CVE-2026-46124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46130",
                        "url": "https://ubuntu.com/security/CVE-2026-46130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46106",
                        "url": "https://ubuntu.com/security/CVE-2026-46106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46107",
                        "url": "https://ubuntu.com/security/CVE-2026-46107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46160",
                        "url": "https://ubuntu.com/security/CVE-2026-46160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46164",
                        "url": "https://ubuntu.com/security/CVE-2026-46164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46129",
                        "url": "https://ubuntu.com/security/CVE-2026-46129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46159",
                        "url": "https://ubuntu.com/security/CVE-2026-46159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46143",
                        "url": "https://ubuntu.com/security/CVE-2026-46143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46148",
                        "url": "https://ubuntu.com/security/CVE-2026-46148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46192",
                        "url": "https://ubuntu.com/security/CVE-2026-46192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46162",
                        "url": "https://ubuntu.com/security/CVE-2026-46162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46273",
                        "url": "https://ubuntu.com/security/CVE-2026-46273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46191",
                        "url": "https://ubuntu.com/security/CVE-2026-46191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46134",
                        "url": "https://ubuntu.com/security/CVE-2026-46134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43495",
                        "url": "https://ubuntu.com/security/CVE-2026-43495",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43502",
                        "url": "https://ubuntu.com/security/CVE-2026-43502",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46120",
                        "url": "https://ubuntu.com/security/CVE-2026-46120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46142",
                        "url": "https://ubuntu.com/security/CVE-2026-46142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46118",
                        "url": "https://ubuntu.com/security/CVE-2026-46118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46182",
                        "url": "https://ubuntu.com/security/CVE-2026-46182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46184",
                        "url": "https://ubuntu.com/security/CVE-2026-46184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43498",
                        "url": "https://ubuntu.com/security/CVE-2026-43498",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46132",
                        "url": "https://ubuntu.com/security/CVE-2026-46132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46190",
                        "url": "https://ubuntu.com/security/CVE-2026-46190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46150",
                        "url": "https://ubuntu.com/security/CVE-2026-46150",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45836",
                        "url": "https://ubuntu.com/security/CVE-2026-45836",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45834",
                        "url": "https://ubuntu.com/security/CVE-2026-45834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45835",
                        "url": "https://ubuntu.com/security/CVE-2026-45835",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46138",
                        "url": "https://ubuntu.com/security/CVE-2026-46138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46111",
                        "url": "https://ubuntu.com/security/CVE-2026-46111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46140",
                        "url": "https://ubuntu.com/security/CVE-2026-46140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46186",
                        "url": "https://ubuntu.com/security/CVE-2026-46186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46123",
                        "url": "https://ubuntu.com/security/CVE-2026-46123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46104",
                        "url": "https://ubuntu.com/security/CVE-2026-46104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46193",
                        "url": "https://ubuntu.com/security/CVE-2026-46193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46172",
                        "url": "https://ubuntu.com/security/CVE-2026-46172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46116",
                        "url": "https://ubuntu.com/security/CVE-2026-46116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46154",
                        "url": "https://ubuntu.com/security/CVE-2026-46154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46157",
                        "url": "https://ubuntu.com/security/CVE-2026-46157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46109",
                        "url": "https://ubuntu.com/security/CVE-2026-46109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46146",
                        "url": "https://ubuntu.com/security/CVE-2026-46146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46167",
                        "url": "https://ubuntu.com/security/CVE-2026-46167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46151",
                        "url": "https://ubuntu.com/security/CVE-2026-46151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46180",
                        "url": "https://ubuntu.com/security/CVE-2026-46180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46122",
                        "url": "https://ubuntu.com/security/CVE-2026-46122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46125",
                        "url": "https://ubuntu.com/security/CVE-2026-46125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46166",
                        "url": "https://ubuntu.com/security/CVE-2026-46166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46187",
                        "url": "https://ubuntu.com/security/CVE-2026-46187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46152",
                        "url": "https://ubuntu.com/security/CVE-2026-46152",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46163",
                        "url": "https://ubuntu.com/security/CVE-2026-46163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46136",
                        "url": "https://ubuntu.com/security/CVE-2026-46136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46173",
                        "url": "https://ubuntu.com/security/CVE-2026-46173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43496",
                        "url": "https://ubuntu.com/security/CVE-2026-43496",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46113",
                        "url": "https://ubuntu.com/security/CVE-2026-46113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46179",
                        "url": "https://ubuntu.com/security/CVE-2026-46179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46196",
                        "url": "https://ubuntu.com/security/CVE-2026-46196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43497",
                        "url": "https://ubuntu.com/security/CVE-2026-43497",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46108",
                        "url": "https://ubuntu.com/security/CVE-2026-46108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46128",
                        "url": "https://ubuntu.com/security/CVE-2026-46128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46177",
                        "url": "https://ubuntu.com/security/CVE-2026-46177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46149",
                        "url": "https://ubuntu.com/security/CVE-2026-46149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46137",
                        "url": "https://ubuntu.com/security/CVE-2026-46137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46155",
                        "url": "https://ubuntu.com/security/CVE-2026-46155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2157520,
                    2154418,
                    2155837,
                    2154174,
                    2154748,
                    2156559,
                    2156556,
                    2150640,
                    2156312,
                    2155096,
                    2154715,
                    2153159,
                    2150071,
                    2154343,
                    2149770,
                    2153155,
                    2152570,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156390,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2150845
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46318",
                                "url": "https://ubuntu.com/security/CVE-2026-46318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46322",
                                "url": "https://ubuntu.com/security/CVE-2026-46322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46320",
                                "url": "https://ubuntu.com/security/CVE-2026-46320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46321",
                                "url": "https://ubuntu.com/security/CVE-2026-46321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46316",
                                "url": "https://ubuntu.com/security/CVE-2026-46316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46317",
                                "url": "https://ubuntu.com/security/CVE-2026-46317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45846",
                                "url": "https://ubuntu.com/security/CVE-2026-45846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45845",
                                "url": "https://ubuntu.com/security/CVE-2026-45845",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45844",
                                "url": "https://ubuntu.com/security/CVE-2026-45844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46242",
                                "url": "https://ubuntu.com/security/CVE-2026-46242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-30 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45843",
                                "url": "https://ubuntu.com/security/CVE-2026-45843",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45842",
                                "url": "https://ubuntu.com/security/CVE-2026-45842",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45841",
                                "url": "https://ubuntu.com/security/CVE-2026-45841",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45840",
                                "url": "https://ubuntu.com/security/CVE-2026-45840",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45839",
                                "url": "https://ubuntu.com/security/CVE-2026-45839",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45838",
                                "url": "https://ubuntu.com/security/CVE-2026-45838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46214",
                                "url": "https://ubuntu.com/security/CVE-2026-46214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46207",
                                "url": "https://ubuntu.com/security/CVE-2026-46207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46234",
                                "url": "https://ubuntu.com/security/CVE-2026-46234",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46223",
                                "url": "https://ubuntu.com/security/CVE-2026-46223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46221",
                                "url": "https://ubuntu.com/security/CVE-2026-46221",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46231",
                                "url": "https://ubuntu.com/security/CVE-2026-46231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46233",
                                "url": "https://ubuntu.com/security/CVE-2026-46233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46212",
                                "url": "https://ubuntu.com/security/CVE-2026-46212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46238",
                                "url": "https://ubuntu.com/security/CVE-2026-46238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46208",
                                "url": "https://ubuntu.com/security/CVE-2026-46208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46206",
                                "url": "https://ubuntu.com/security/CVE-2026-46206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46198",
                                "url": "https://ubuntu.com/security/CVE-2026-46198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46227",
                                "url": "https://ubuntu.com/security/CVE-2026-46227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46220",
                                "url": "https://ubuntu.com/security/CVE-2026-46220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46215",
                                "url": "https://ubuntu.com/security/CVE-2026-46215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46201",
                                "url": "https://ubuntu.com/security/CVE-2026-46201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46224",
                                "url": "https://ubuntu.com/security/CVE-2026-46224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46197",
                                "url": "https://ubuntu.com/security/CVE-2026-46197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46209",
                                "url": "https://ubuntu.com/security/CVE-2026-46209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46230",
                                "url": "https://ubuntu.com/security/CVE-2026-46230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46199",
                                "url": "https://ubuntu.com/security/CVE-2026-46199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46204",
                                "url": "https://ubuntu.com/security/CVE-2026-46204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46218",
                                "url": "https://ubuntu.com/security/CVE-2026-46218",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46229",
                                "url": "https://ubuntu.com/security/CVE-2026-46229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46211",
                                "url": "https://ubuntu.com/security/CVE-2026-46211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46203",
                                "url": "https://ubuntu.com/security/CVE-2026-46203",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46219",
                                "url": "https://ubuntu.com/security/CVE-2026-46219",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46200",
                                "url": "https://ubuntu.com/security/CVE-2026-46200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46241",
                                "url": "https://ubuntu.com/security/CVE-2026-46241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46225",
                                "url": "https://ubuntu.com/security/CVE-2026-46225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46226",
                                "url": "https://ubuntu.com/security/CVE-2026-46226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46228",
                                "url": "https://ubuntu.com/security/CVE-2026-46228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46216",
                                "url": "https://ubuntu.com/security/CVE-2026-46216",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46210",
                                "url": "https://ubuntu.com/security/CVE-2026-46210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46240",
                                "url": "https://ubuntu.com/security/CVE-2026-46240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46235",
                                "url": "https://ubuntu.com/security/CVE-2026-46235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46222",
                                "url": "https://ubuntu.com/security/CVE-2026-46222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46239",
                                "url": "https://ubuntu.com/security/CVE-2026-46239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46236",
                                "url": "https://ubuntu.com/security/CVE-2026-46236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46205",
                                "url": "https://ubuntu.com/security/CVE-2026-46205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46202",
                                "url": "https://ubuntu.com/security/CVE-2026-46202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46213",
                                "url": "https://ubuntu.com/security/CVE-2026-46213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46232",
                                "url": "https://ubuntu.com/security/CVE-2026-46232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43490",
                                "url": "https://ubuntu.com/security/CVE-2026-43490",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 06:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46174",
                                "url": "https://ubuntu.com/security/CVE-2026-46174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46110",
                                "url": "https://ubuntu.com/security/CVE-2026-46110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46153",
                                "url": "https://ubuntu.com/security/CVE-2026-46153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46169",
                                "url": "https://ubuntu.com/security/CVE-2026-46169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46188",
                                "url": "https://ubuntu.com/security/CVE-2026-46188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45837",
                                "url": "https://ubuntu.com/security/CVE-2026-45837",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46156",
                                "url": "https://ubuntu.com/security/CVE-2026-46156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46147",
                                "url": "https://ubuntu.com/security/CVE-2026-46147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46175",
                                "url": "https://ubuntu.com/security/CVE-2026-46175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46194",
                                "url": "https://ubuntu.com/security/CVE-2026-46194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46170",
                                "url": "https://ubuntu.com/security/CVE-2026-46170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46158",
                                "url": "https://ubuntu.com/security/CVE-2026-46158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46168",
                                "url": "https://ubuntu.com/security/CVE-2026-46168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46189",
                                "url": "https://ubuntu.com/security/CVE-2026-46189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46133",
                                "url": "https://ubuntu.com/security/CVE-2026-46133",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46114",
                                "url": "https://ubuntu.com/security/CVE-2026-46114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46127",
                                "url": "https://ubuntu.com/security/CVE-2026-46127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46176",
                                "url": "https://ubuntu.com/security/CVE-2026-46176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46178",
                                "url": "https://ubuntu.com/security/CVE-2026-46178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46181",
                                "url": "https://ubuntu.com/security/CVE-2026-46181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46145",
                                "url": "https://ubuntu.com/security/CVE-2026-46145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46117",
                                "url": "https://ubuntu.com/security/CVE-2026-46117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46126",
                                "url": "https://ubuntu.com/security/CVE-2026-46126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46144",
                                "url": "https://ubuntu.com/security/CVE-2026-46144",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46141",
                                "url": "https://ubuntu.com/security/CVE-2026-46141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46183",
                                "url": "https://ubuntu.com/security/CVE-2026-46183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46121",
                                "url": "https://ubuntu.com/security/CVE-2026-46121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46131",
                                "url": "https://ubuntu.com/security/CVE-2026-46131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46139",
                                "url": "https://ubuntu.com/security/CVE-2026-46139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46105",
                                "url": "https://ubuntu.com/security/CVE-2026-46105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46171",
                                "url": "https://ubuntu.com/security/CVE-2026-46171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46112",
                                "url": "https://ubuntu.com/security/CVE-2026-46112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46165",
                                "url": "https://ubuntu.com/security/CVE-2026-46165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46161",
                                "url": "https://ubuntu.com/security/CVE-2026-46161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43492",
                                "url": "https://ubuntu.com/security/CVE-2026-43492",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46124",
                                "url": "https://ubuntu.com/security/CVE-2026-46124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46130",
                                "url": "https://ubuntu.com/security/CVE-2026-46130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46106",
                                "url": "https://ubuntu.com/security/CVE-2026-46106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46107",
                                "url": "https://ubuntu.com/security/CVE-2026-46107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46160",
                                "url": "https://ubuntu.com/security/CVE-2026-46160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46164",
                                "url": "https://ubuntu.com/security/CVE-2026-46164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46129",
                                "url": "https://ubuntu.com/security/CVE-2026-46129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46159",
                                "url": "https://ubuntu.com/security/CVE-2026-46159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46143",
                                "url": "https://ubuntu.com/security/CVE-2026-46143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46148",
                                "url": "https://ubuntu.com/security/CVE-2026-46148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46192",
                                "url": "https://ubuntu.com/security/CVE-2026-46192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46162",
                                "url": "https://ubuntu.com/security/CVE-2026-46162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46273",
                                "url": "https://ubuntu.com/security/CVE-2026-46273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46191",
                                "url": "https://ubuntu.com/security/CVE-2026-46191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46134",
                                "url": "https://ubuntu.com/security/CVE-2026-46134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43495",
                                "url": "https://ubuntu.com/security/CVE-2026-43495",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43502",
                                "url": "https://ubuntu.com/security/CVE-2026-43502",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46120",
                                "url": "https://ubuntu.com/security/CVE-2026-46120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46142",
                                "url": "https://ubuntu.com/security/CVE-2026-46142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46118",
                                "url": "https://ubuntu.com/security/CVE-2026-46118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46182",
                                "url": "https://ubuntu.com/security/CVE-2026-46182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46184",
                                "url": "https://ubuntu.com/security/CVE-2026-46184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43498",
                                "url": "https://ubuntu.com/security/CVE-2026-43498",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46132",
                                "url": "https://ubuntu.com/security/CVE-2026-46132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46190",
                                "url": "https://ubuntu.com/security/CVE-2026-46190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46150",
                                "url": "https://ubuntu.com/security/CVE-2026-46150",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45836",
                                "url": "https://ubuntu.com/security/CVE-2026-45836",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45834",
                                "url": "https://ubuntu.com/security/CVE-2026-45834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45835",
                                "url": "https://ubuntu.com/security/CVE-2026-45835",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46138",
                                "url": "https://ubuntu.com/security/CVE-2026-46138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46111",
                                "url": "https://ubuntu.com/security/CVE-2026-46111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46140",
                                "url": "https://ubuntu.com/security/CVE-2026-46140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46186",
                                "url": "https://ubuntu.com/security/CVE-2026-46186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46123",
                                "url": "https://ubuntu.com/security/CVE-2026-46123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46104",
                                "url": "https://ubuntu.com/security/CVE-2026-46104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46193",
                                "url": "https://ubuntu.com/security/CVE-2026-46193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46172",
                                "url": "https://ubuntu.com/security/CVE-2026-46172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46116",
                                "url": "https://ubuntu.com/security/CVE-2026-46116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46154",
                                "url": "https://ubuntu.com/security/CVE-2026-46154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46157",
                                "url": "https://ubuntu.com/security/CVE-2026-46157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46109",
                                "url": "https://ubuntu.com/security/CVE-2026-46109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46146",
                                "url": "https://ubuntu.com/security/CVE-2026-46146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46167",
                                "url": "https://ubuntu.com/security/CVE-2026-46167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46151",
                                "url": "https://ubuntu.com/security/CVE-2026-46151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46180",
                                "url": "https://ubuntu.com/security/CVE-2026-46180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46122",
                                "url": "https://ubuntu.com/security/CVE-2026-46122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46125",
                                "url": "https://ubuntu.com/security/CVE-2026-46125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46166",
                                "url": "https://ubuntu.com/security/CVE-2026-46166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46187",
                                "url": "https://ubuntu.com/security/CVE-2026-46187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46152",
                                "url": "https://ubuntu.com/security/CVE-2026-46152",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46163",
                                "url": "https://ubuntu.com/security/CVE-2026-46163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46136",
                                "url": "https://ubuntu.com/security/CVE-2026-46136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46173",
                                "url": "https://ubuntu.com/security/CVE-2026-46173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43496",
                                "url": "https://ubuntu.com/security/CVE-2026-43496",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46113",
                                "url": "https://ubuntu.com/security/CVE-2026-46113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46179",
                                "url": "https://ubuntu.com/security/CVE-2026-46179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46196",
                                "url": "https://ubuntu.com/security/CVE-2026-46196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43497",
                                "url": "https://ubuntu.com/security/CVE-2026-43497",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46108",
                                "url": "https://ubuntu.com/security/CVE-2026-46108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46128",
                                "url": "https://ubuntu.com/security/CVE-2026-46128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46177",
                                "url": "https://ubuntu.com/security/CVE-2026-46177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46149",
                                "url": "https://ubuntu.com/security/CVE-2026-46149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46137",
                                "url": "https://ubuntu.com/security/CVE-2026-46137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46155",
                                "url": "https://ubuntu.com/security/CVE-2026-46155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-28.28 -proposed tracker (LP: #2157520)",
                            "",
                            "  * Backport ASoC SDCA, AMD SoundWire, and RT722 audio fixes (LP: #2154418)",
                            "    - ASoC: amd: acp-sdw-legacy: rename the dmic component name",
                            "    - SAUCE: ASoC: rt722-sdca: add FU06 Playback Switch for speaker mute",
                            "      control",
                            "",
                            "  * MIPI camera of a BBG809N3A_B sensor SKU of the DELL Pro 14 Premium PA14260",
                            "    renders upside-down (LP: #2155837)",
                            "    - SAUCE: media: ipu-bridge: correct platform handling for DELL Pro 14",
                            "      Premium PA14260",
                            "",
                            "  * resolute ubuntu_kernel_selftests:seccomp_build test compilation issue",
                            "    (LP: #2154174)",
                            "    - SAUCE: selftests/seccomp fix compilation issue for amd64",
                            "",
                            "  * [Ubuntu 26.04] Severe Performance Degradation on kernel 7.0.0-15",
                            "    (LP: #2154748)",
                            "    - s390: Remove GENERIC_LOCKBREAK Kconfig option",
                            "    - UBUNTU [Config]: Remove GENERIC_LOCKBREAK in s390x",
                            "",
                            "  * Fix no sound output device on Dell GhostRider PTL no camera SKU",
                            "    (LP: #2156559)",
                            "    - ASoC: Intel: sof_sdw: append dai type to dai link name unconditionally",
                            "",
                            "  * Fix no audio from right built-in speaker on HP ZBook with TAS2781",
                            "    amplifier (LP: #2156556)",
                            "    - ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block",
                            "      data processing",
                            "",
                            "  * Installer fails internally with a RSync error due to page fault",
                            "    (LP: #2150640)",
                            "    - ovl: keep err zero after successful ovl_cache_get()",
                            "",
                            "  * Internal display black screen on Intel Lunar Lake with eDP panel",
                            "    (LP: #2156312)",
                            "    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG",
                            "",
                            "  * Thunderbolt DP tunnel torn down during boot with LUKS Full Disk Encryption",
                            "    (LP: #2155096)",
                            "    - SAUCE: thunderbolt: Defer DP tunnel teardown until display driver is",
                            "      ready",
                            "",
                            "  * watchdog: lenovo_se10_wdt: Add SE10 Gen 2 support (LP: #2154715)",
                            "    - watchdog: lenovo_se10_wdt: Add support for SE10 Gen 2 platform",
                            "    - watchdog: lenovo_se10_wdt: Fix use-after-free and resource leak risk",
                            "",
                            "  * [Ubuntu 26.04] KVM: IBM Test Accelerator for Z (TAZ) not working properly",
                            "    (LP: #2153159)",
                            "    - KVM: s390: only deliver service interrupt with payload",
                            "    - KVM: s390: vsie: Allow non-zarch guests",
                            "    - KVM: s390: vsie: Disable some bits when in ESA mode",
                            "    - KVM: s390: vsie: Accommodate ESA prefix pages",
                            "    - KVM: s390: Add KVM capability for ESA mode guests",
                            "",
                            "  * ubuntu_bpf failed to build on Resolute (error: expected ‘:’, ‘,’, ‘;’, ‘}’",
                            "    or ‘__attribute__’ before ‘__counted_by’) (LP: #2150071)",
                            "    - tools/headers: Regenerate stddef.h to fix BPF selftests",
                            "",
                            "  * ubuntu_bpf: FTBFS with clang 23 / gcc 15 (LP: #2154343)",
                            "    - selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c",
                            "",
                            "  * ALSA: hda/tas2781 Audio Fix for the front-right speacker (LP: #2149770)",
                            "    - ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device",
                            "",
                            "  * Fix bad audio record quality when volume above 50% on Framework PTL",
                            "    (LP: #2153155)",
                            "    - ALSA: hda/realtek: fix mic boost on Framework PTL",
                            "",
                            "  * Patchset for TUXEDO devices (LP: #2152570)",
                            "    - drm/i915/vbt: Add edp pipe joiner enable/disable bits",
                            "    - drm/i915/dp: Avoid joiner for eDP if not enabled in VBT",
                            "    - drm/amd/display: Add Idle state manager(ISM)",
                            "    - drm/i915/backlight: Remove try_vesa_interface",
                            "    - drm/i915/backlight: Use intel_panel variable instead of intel_connector",
                            "    - drm/i915/backlight: Take luminance_set into account for VESA backlight",
                            "    - drm/i915/backlight: Check luminance_set when disabling PWM via AUX VESA",
                            "      backlight",
                            "    - drm/i915/backlight: Short circuit intel_dp_aux_supports_hdr_backlight",
                            "    - drm/i915/backlight: Update debug log during backlight setup",
                            "    - drm/i915/backlight: Check if VESA backlight is possible",
                            "    - drm/i915/backlight: Provide clear description on how backlight level is",
                            "      controlled",
                            "    - drm/i915/backlight: Fix VESA backlight possible check condition",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636)",
                            "    - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size",
                            "    - ACPI: button: Fix ACPI GPE handler leak during removal",
                            "    - ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time",
                            "    - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit",
                            "    - net/sched: sch_sfb: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "    - bcache: fix uninitialized closure object",
                            "    - nfc: llcp: Fix use-after-free in llcp_sock_release()",
                            "    - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()",
                            "    - xfrm: Check for underflow in xfrm_state_mtu",
                            "    - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems",
                            "    - tools/bootconfig: Fix buf leaks in apply_xbc",
                            "    - HID: remove duplicate hid_warn_ratelimited definition",
                            "    - kunit: fix use-after-free in debugfs when using kunit.filter",
                            "    - accel/rocket: fix UAF via dangling GEM handle in create_bo",
                            "    - netfilter: synproxy: refresh tcphdr after skb_ensure_writable",
                            "    - netfilter: xt_cpu: prefer raw_smp_processor_id",
                            "    - netfilter: ebtables: fix OOB read in compat_mtw_from_user",
                            "    - netfilter: nf_tables: fix dst corruption in same register operation",
                            "    - vsock: keep poll shutdown state consistent",
                            "    - net: netlink: fix sending unassigned nsid after assigned one",
                            "    - net: netlink: don't set nsid on local notifications",
                            "    - net/smc: Do not re-initialize smc hashtables",
                            "    - net/iucv: fix locking in .getsockopt",
                            "    - scsi: core: Run queues for all non-SDEV_DEL devices from",
                            "      scsi_run_host_queues",
                            "    - scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()",
                            "    - ipv4: free net->ipv4.sysctl_local_reserved_ports after",
                            "      unregister_net_sysctl_table()",
                            "    - ALSA: hda: cs35l56: Fix system name string leaks",
                            "    - ALSA: pcm: oss: Fix setup list UAF on proc write error",
                            "    - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors",
                            "    - net/mlx5: HWS: Reject unsupported remove-header action",
                            "    - net: hsr: fix potential OOB access in supervision frame handling",
                            "    - accel/ivpu: prevent uninitialized data bug in debugfs",
                            "    - gpio: mxc: fix irq_high handling",
                            "    - drm/i915/aux: use polling when irqs are unavailable",
                            "    - net: Avoid checksumming unreadable skb tail on trim",
                            "    - ethtool: rss: avoid modifying the RSS context response",
                            "    - ethtool: rss: add missing errno on RSS context delete",
                            "    - ethtool: rss: fix falsely ignoring indir table updates",
                            "    - ethtool: rss: fix indir_table and hkey leak on get_rxfh failure",
                            "    - ethtool: rss: fix hkey leak when indir_size is 0",
                            "    - ethtool: rss: avoid device context leak on reply-build failure",
                            "    - ethtool: module: call ethnl_ops_complete() on module flash errors",
                            "    - ethtool: module: avoid leaking a netdev ref on module flash errors",
                            "    - ethtool: module: avoid racy updates to dev->ethtool bitfield",
                            "    - ethtool: module: check fw_flash_in_progress under rtnl_lock",
                            "    - ethtool: module: fix cleanup if socket used for flashing multiple",
                            "      devices",
                            "    - ethtool: cmis: require exact CDB reply length",
                            "    - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl",
                            "    - ethtool: cmis: validate start_cmd_payload_size from module",
                            "    - ethtool: cmis: validate fw->size against start_cmd_payload_size",
                            "    - cxl/test: Update mock dev array before calling platform_device_add()",
                            "    - blk-mq: reinsert cached request to the list",
                            "    - tunnels: load network headers after skb_cow() in",
                            "      iptunnel_pmtud_build_icmp[v6]()",
                            "    - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()",
                            "    - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()",
                            "    - ksmbd: fix FSCTL permission bypass by adding a permission check for",
                            "      FSCTL_SET_SPARSE",
                            "    - ASoC: codecs: simple-mux: Fix enum control bounds check",
                            "    - drm/xe: Restore IDLEDLY regiter on engine reset",
                            "    - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()",
                            "    - bonding: refuse to enslave CAN devices",
                            "    - bridge: Fix sleep in atomic context in netlink path",
                            "    - bridge: Fix sleep in atomic context in sysfs path",
                            "    - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES",
                            "    - ethtool: tsconfig: fix reply error handling",
                            "    - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup",
                            "      error",
                            "    - ethtool: pse-pd: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsconfig: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsinfo: fix uninitialized stats on the by-PHC path",
                            "    - ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure",
                            "    - ethtool: strset: fix header attribute index in ethnl_req_get_phydev()",
                            "    - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during",
                            "      fallback",
                            "    - ethtool: eeprom: add more safeties to EEPROM Netlink fallback",
                            "    - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()",
                            "    - net/sched: Revert \"net/sched: Restrict conditions for adding duplicating",
                            "      netems to qdisc tree\"",
                            "    - net/sched: fix packet loop on netem when duplicate is on",
                            "    - net: Introduce skb tc depth field to track packet loops",
                            "    - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop",
                            "    - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack",
                            "      overflow",
                            "    - net/sched: act_mirred: Fix return code in early mirred redirect error",
                            "      paths",
                            "    - net: hibmcge: disable Relaxed Ordering to fix RX packet corruption",
                            "    - net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path",
                            "    - net/handshake: Use spin_lock_bh for hn_lock",
                            "    - nvme-tcp: store negative errno in queue->tls_err",
                            "    - net/handshake: Pass negative errno through handshake_complete()",
                            "    - net/handshake: hand off the pinned file reference to accept_doit",
                            "    - net/handshake: Take a long-lived file reference at submit",
                            "    - net/handshake: Drain pending requests at net namespace exit",
                            "    - dpll: zl3073x: detect DPLL channel count from chip ID at runtime",
                            "    - dpll: zl3073x: add die temperature reporting for supported chips",
                            "    - dpll: export __dpll_device_change_ntf() for use under dpll_lock",
                            "    - dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work",
                            "    - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success",
                            "    - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp",
                            "    - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close",
                            "    - Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()",
                            "    - gpio: adnp: fix flow control regression caused by scoped_guard()",
                            "    - gpio: virtuser: Fix uninitialized data bug in",
                            "      gpio_virtuser_direction_do_write()",
                            "    - gpio: rockchip: convert bank->clk to devm_clk_get_enabled()",
                            "    - gpio: rockchip: teardown bugs and resource leaks",
                            "    - net: mana: Add NULL guards in teardown path to prevent panic on attach",
                            "      failure",
                            "    - net: mana: Skip redundant detach on already-detached port",
                            "    - sctp: fix race between sctp_wait_for_connect and peeloff",
                            "    - net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration",
                            "    - vsock/virtio: bind uarg before filling zerocopy skb",
                            "    - ipv6: fix possible infinite loop in rt6_fill_node()",
                            "    - ipv6: fix possible infinite loop in fib6_select_path()",
                            "    - net: skbuff: fix pskb_carve leaking zcopy pages",
                            "    - Revert \"ipv6: preserve insertion order for same-scope addresses\"",
                            "    - Revert \"x86/fpu: Refine and simplify the magic number check during",
                            "      signal return\"",
                            "    - drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register",
                            "    - drm/i915/psr: Read Intel DPCD workaround register",
                            "    - drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used",
                            "    - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer",
                            "    - iio: imu: adis16550: fix stack leak in trigger handler",
                            "    - iio: pressure: bmp280: fix stack leak in bmp580 trigger handler",
                            "    - usb: typec: ucsi: ccg: reject firmware images without a ':' record",
                            "      header",
                            "    - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers",
                            "    - usb: typec: tcpm: bound altmode_desc[] per iteration in",
                            "      svdm_consume_modes()",
                            "    - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload",
                            "      VDO",
                            "    - usb: typec: altmodes/displayport: validate count before reading Status",
                            "      Update VDO",
                            "    - usb: typec: wcove: don't write past struct pd_message in",
                            "      wcove_read_rx_buffer()",
                            "    - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT",
                            "    - usb: typec: ucsi: validate connector number in ucsi_connector_change()",
                            "    - USB: serial: safe_serial: fix memory corruption with small endpoint",
                            "    - media: rc: igorplugusb: fix control request setup packet",
                            "    - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()",
                            "    - USB: serial: cypress_m8: fix memory corruption with small endpoint",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse",
                            "    - Bluetooth: btusb: Allow firmware re-download when version matches",
                            "    - mm/vmalloc: do not trigger BUG() on BH disabled context",
                            "    - hpfs: fix a crash if hpfs_map_dnode_bitmap fails",
                            "    - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()",
                            "    - ipc: limit next_id allocation to the valid ID range",
                            "    - mm: memcontrol: propagate NMI slab stats to memcg vmstats",
                            "    - mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page",
                            "    - memfd: deny writeable mappings when implying SEAL_WRITE",
                            "    - zram: fix use-after-free in zram_writeback_endio",
                            "    - mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one",
                            "    - auxdisplay: line-display: fix OOB read on zero-length message_store()",
                            "    - smb: client: fix uninitialized variable in smb2_writev_callback",
                            "    - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
                            "    - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn",
                            "    - Bluetooth: HIDP: fix missing length checks in hidp_input_report()",
                            "    - Bluetooth: ISO: fix UAF in iso_recv_frame",
                            "    - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock",
                            "    - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()",
                            "    - Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading",
                            "    - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync",
                            "    - Input: xpad - fix out-of-bounds access for Share button",
                            "    - parport: Fix race between port and client registration",
                            "    - rust_binder: Avoid holding lock when dropping delivered_death",
                            "    - rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN",
                            "    - USB: cdc-acm: Fix bit overlap and move quirk definitions to header",
                            "    - KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor",
                            "    - KVM: arm64: PMU: Preserve AArch32 counter low bits",
                            "    - KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC",
                            "    - KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
                            "    - KVM: SEV: Ignore Port I/O requests of length '0'",
                            "    - KVM: SEV: Use the size of the PSC header as the minimum size for PSC",
                            "      requests",
                            "    - KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0",
                            "    - KVM: SEV: Compute the correct max length of the in-GHCB scratch area",
                            "    - KVM: SEV: Check PSC request indices against the actual size of the",
                            "      buffer",
                            "    - KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer",
                            "    - KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()",
                            "    - gpio: shared: undo the vote of the proxy on GPIO free",
                            "    - gpio: shared: fix deadlock on shared proxy's parent removal",
                            "    - gpio: shared: fix lockdep false positive by removing unneeded lock",
                            "    - Disable -Wattribute-alias for clang-23 and newer",
                            "    - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux",
                            "    - iio: adc: npcm: fix unbalanced clk_disable_unprepare()",
                            "    - iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings",
                            "    - iio: dac: max5821: fix return value check in powerdown sync",
                            "    - iio: dac: ad5686: fix ref bit initialization for single-channel parts",
                            "    - iio: dac: ad5686: fix input raw value check",
                            "    - iio: dac: ad5686: acquire lock when doing powerdown control",
                            "    - iio: dac: ad5686: fix powerdown control on dual-channel devices",
                            "    - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp",
                            "    - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw",
                            "    - iio: adc: ad4695: Fix call ordering in offload buffer postenable",
                            "    - iio: adc: nxp-sar-adc: fix division by zero in write_raw",
                            "    - iio: adc: nxp-sar-adc: Avoid division by zero",
                            "    - iio: adc: nxp-sar-adc: zero-initialize dma_slave_config",
                            "    - iio: gyro: itg3200: fix i2c read into the wrong stack location",
                            "    - iio: gyro: adis16260: fix division by zero in write_raw",
                            "    - iio: ssp_sensors: cancel delayed work_refresh on remove",
                            "    - iio: temperature: tsys01: fix broken PROM checksum validation",
                            "    - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL",
                            "    - iio: light: veml6070: Fix resource leak in probe error path",
                            "    - iio: Fix iio_multiply_value use in iio_read_channel_processed_scale",
                            "    - iio: chemical: mhz19b: reject oversized serial replies",
                            "    - iio: chemical: scd30: fix division by zero in write_raw",
                            "    - iio: light: cm3323: fix reg_conf not being initialized correctly",
                            "    - iio: buffer: hw-consumer: fix use-after-free in error path",
                            "    - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()",
                            "    - USB: serial: omninet: fix memory corruption with small endpoint",
                            "    - usb: cdns3: gadget: fix request skipping after clearing halt",
                            "    - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy",
                            "      acquisition failure",
                            "    - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently",
                            "      leaks the runtime PM usage counter across bind/unbind cycles",
                            "    - usb: dwc2: Fix use after free in debug code",
                            "    - Input: elan_i2c - validate firmware size before use",
                            "    - i2c: davinci: fix division by zero on missing clock-frequency",
                            "    - x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines",
                            "    - wireguard: send: append trailer after expanding head",
                            "    - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data",
                            "    - macsec: fix replay protection at XPN lower-PN wrap",
                            "    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()",
                            "    - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params",
                            "    - octeontx2-af: validate body pcifunc in rvu_mbox_handler_rep_event_notify",
                            "    - ipv6: exthdrs: refresh nh after handling HAO option",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().",
                            "    - ipv6: validate extension header length before copying to cmsg",
                            "    - xfrm: input: hold netns during deferred transport reinjection",
                            "    - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_changelink().",
                            "    - net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
                            "    - spi: spi-mem: avoid mutating op template in spi_mem_supports_op()",
                            "    - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()",
                            "    - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings",
                            "    - nfc: hci: fix out-of-bounds read in HCP header parsing",
                            "    - xfrm: route MIGRATE notifications to caller's netns",
                            "    - xfrm: ipcomp: Free destination pages on acomp errors",
                            "    - xfrm: ah: use skb_to_full_sk in async output callbacks",
                            "    - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417",
                            "    - ALSA: firewire-motu: Protect register DSP event queue positions",
                            "    - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without",
                            "      direction check",
                            "    - ASoC: qcom: q6asm-dai: close stream only when running",
                            "    - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger",
                            "      callbacks",
                            "    - xfrm: esp: restore combined single-frag length gate",
                            "    - ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP",
                            "    - xfrm: iptfs: reset runtime state when cloning SAs",
                            "    - dma-buf: fix UAF in dma_buf_fd() tracepoint",
                            "    - Input: xpad - add \"Nova 2 Lite\" from GameSir",
                            "    - Input: xpad - add support for ASUS ROG RAIKIRI II",
                            "    - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops",
                            "    - misc: rp1: Send IACK on IRQ activate to fix kdump/kexec",
                            "    - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem",
                            "    - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490",
                            "    - dt-bindings: usb: Fix EIC7700 USB reset's issue",
                            "    - comedi: comedi_test: fix check for valid scan_begin_src in",
                            "      waveform_ai_cmdtest()",
                            "    - comedi: comedi_test: Fix limiting of convert_arg in",
                            "      waveform_ai_cmdtest()",
                            "    - counter: Fix refcount leak in counter_alloc() error path",
                            "    - tty: serial: pch_uart: add check for dma_alloc_coherent()",
                            "    - tty: serial: samsung: Remove redundant port lock acquisition in rx",
                            "      helpers",
                            "    - uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory",
                            "    - usb: chipidea: core: convert ci_role_switch to local variable",
                            "    - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval",
                            "    - usb: dwc3: xilinx: fix error handling in zynqmp init error paths",
                            "    - usb: musb: omap2430: Fix use-after-free in omap2430_probe()",
                            "    - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub",
                            "      controllers",
                            "    - usb: storage: Add quirks for PNY Elite Portable SSD",
                            "    - usbip: vudc: Fix use after free bug in vudc_remove due to race condition",
                            "    - usb: usbtmc: check URB actual_length for interrupt-IN notifications",
                            "    - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize",
                            "    - usb: typec: tipd: Fix error code in tps6598x_probe()",
                            "    - usb: typec: tcpm: improve handling of DISCOVER_MODES failures",
                            "    - usb: typec: ucsi: Check if power role change actually happened before",
                            "      handling",
                            "    - usb: typec: ucsi: Don't update power_supply on power role change if not",
                            "      connected",
                            "    - USB: serial: option: add MeiG SRM813Q",
                            "    - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL",
                            "    - USB: serial: belkin_sa: validate interrupt status length",
                            "    - USB: serial: cypress_m8: validate interrupt packet headers",
                            "    - USB: serial: digi_acceleport: fix memory corruption with small endpoints",
                            "    - USB: serial: keyspan: fix missing indat transfer sanity check",
                            "    - USB: serial: mxuport: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check",
                            "    - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind",
                            "    - usb: gadget: net2280: Fix double free in probe error path",
                            "    - usb: gadget: f_hid: fix device reference leak in hidg_alloc()",
                            "    - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling",
                            "    - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports",
                            "    - usb: gadget: f_fs: copy only received bytes on short ep0 read",
                            "    - usb: gadget: f_fs: serialize DMABUF cancel against request completion",
                            "    - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()",
                            "    - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow",
                            "    - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()",
                            "    - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker",
                            "    - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32",
                            "    - scsi: target: iscsi: Fix CRC overread and double-free in",
                            "      iscsit_handle_text_cmd()",
                            "    - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf",
                            "    - scsi: target: iscsi: Validate CHAP_R length before base64 decode",
                            "    - drm/hyperv: validate resolution_count and fix WIN8 fallback",
                            "    - drm/hyperv: validate VMBus packet size in receive callback",
                            "    - drm/gem: fix race between change_handle and handle_delete",
                            "    - drm/i915/color: Fix HDR pre-CSC LUT programming loop",
                            "    - drm/i915/psr: Block DC states on vblank enable when Panel Replay",
                            "      supported",
                            "    - drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable",
                            "    - drm/i915: Fix potential UAF in TTM object purge",
                            "    - drm/amd/pm/si: Disregard vblank time when no displays are connected",
                            "    - serial: altera_jtaguart: handle uart_add_one_port() failures",
                            "    - serial: qcom-geni: fix UART_RX_PAR_EN bit position",
                            "    - serial: qcom_geni: fix kfifo underflow when flush precedes DMA",
                            "      completion IRQ",
                            "    - serial: sh-sci: fix memory region release in error path",
                            "    - serial: zs: Fix swapped RI/DSR modem line transition counting",
                            "    - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma",
                            "    - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr",
                            "    - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger",
                            "    - drm/amdkfd: Check for pdd drm file first in CRIU restore path",
                            "    - drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO",
                            "    - drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx",
                            "    - drm/amdgpu: fix amdgpu_hmm_range_get_pages",
                            "    - drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO",
                            "    - serial: dz: Fix bootconsole message clobbering at chip reset",
                            "    - serial: dz: Fix bootconsole handover lockup",
                            "    - serial: dz: Convert to use a platform device",
                            "    - serial: zs: Fix bootconsole handover lockup",
                            "    - serial: zs: Switch to using channel reset",
                            "    - serial: zs: Convert to use a platform device",
                            "    - serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)",
                            "    - serial: 8250: dispatch SysRq character in serial8250_handle_irq()",
                            "    - serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()",
                            "    - platform/x86/intel/vsec: Refactor base_addr handling",
                            "    - platform/x86/intel/vsec: Make driver_data info const",
                            "    - platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery",
                            "    - rxrpc: Fix RESPONSE packet verification to extract skb to a linear",
                            "      buffer",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook",
                            "      X",
                            "    - arm64: tlb: Flush walk cache when unsharing PMD tables",
                            "    - i2c: tegra: make tegra_i2c_mutex_unlock() return void",
                            "    - hwmon: (pmbus) Add support for guarded PMBus lock",
                            "    - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with",
                            "      pmbus_lock",
                            "    - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock",
                            "    - net: phy: micrel: fix LAN8814 QSGMII soft reset",
                            "    - xhci: tegra: Fix ghost USB device on dual-role port unplug",
                            "    - mailbox: Fix NULL message support in mbox_send_message()",
                            "    - usb: core: Fix SuperSpeed root hub wMaxPacketSize",
                            "    - tools: ynl: add scope qualifier for definitions",
                            "    - Linux 7.0.12",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46318",
                            "    - Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46322",
                            "    - tun: free page on build_skb failure in tun_xdp_one()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46320",
                            "    - tap: free page on error paths in tap_get_user_xdp()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46321",
                            "    - tun: free page on short-frame rejection in tun_xdp_one()",
                            "",
                            "  * CVE-2026-46316 // CVE-2026-46317",
                            "    - KVM: arm64: Reassign nested_mmus array behind mmu_lock",
                            "",
                            "  * CVE-2026-46316",
                            "    - KVM: arm64: vgic-its: Drop the translation cache reference only for the",
                            "      erased entry",
                            "    - KVM: arm64: Take the SRCU lock for page table walks in fault injection",
                            "      and AT emulation",
                            "",
                            "  * Resolute update: v7.0.11 upstream stable release (LP: #2156390)",
                            "    - iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs",
                            "    - iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
                            "    - ksmbd: close durable scavenger races against m_fp_list lookups",
                            "    - ata: libata-scsi: improve readability of ata_scsi_qc_issue()",
                            "    - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT",
                            "    - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS",
                            "    - ata: libata-scsi: do not needlessly defer commands when using PMP with",
                            "      FBS",
                            "    - sysfs: don't remove existing directory on update failure",
                            "    - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
                            "    - ksmbd: fix null pointer dereference in compare_guid_key()",
                            "    - ksmbd: fix null pointer dereference in proc_show_files()",
                            "    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow",
                            "    - ksmbd: validate SID in parent security descriptor during ACL inheritance",
                            "    - regulator: tps65219: fix irq_data.rdev not being assigned",
                            "    - x86/mm: Disable broadcast TLB flush when PCID is disabled",
                            "    - scripts/gdb: mm: cast untyped symbols in x86_page_ops",
                            "    - smb: client: require net admin for CIFS SWN netlink",
                            "    - smb: client: protect tc_count increment in",
                            "      smb2_find_smb_sess_tcon_unlocked()",
                            "    - smb: client: use data_len for SMB2 READ encrypted folioq copy",
                            "    - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close",
                            "    - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX",
                            "    - ALSA: ua101: Reject too-short USB descriptors",
                            "    - ALSA: pcm: Don't setup bogus iov_iter for silencing",
                            "    - ALSA: asihpi: Fix potential OOB array access at reading cache",
                            "    - ALSA: scarlett2: Allow flash writes ending at segment boundary",
                            "    - ACPI: battery: Fix system wakeup on critical battery status",
                            "    - efi: Allocate runtime workqueue before ACPI init",
                            "    - spi: amd: Set correct bus number in ACPI probe path",
                            "    - io_uring/waitid: clear waitid info before copying it to userspace",
                            "    - drivers/base/memory: fix memory block reference leak in poison",
                            "      accounting",
                            "    - ipv6: ioam: refresh hdr pointer before ioam6_event()",
                            "    - mm/memory: fix spurious warning when unmapping device-private/exclusive",
                            "      pages",
                            "    - mm: fix __vm_normal_page() to handle missing support for",
                            "      pmd_special()/pud_special()",
                            "    - mm/memory_hotplug: fix memory block reference leak on remove",
                            "    - mm/page_alloc: fix initialization of tags of the huge zero folio with",
                            "      init_on_free",
                            "    - mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page",
                            "    - selftests/mm: run_vmtests.sh: fix destructive tests invocation",
                            "    - mm/damon: fix damos_stat tracepoint format for sz_applied",
                            "    - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
                            "    - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
                            "    - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START",
                            "    - Bluetooth: bnep: Fix UAF read of dev->name",
                            "    - Bluetooth: hci_uart: fix UAFs and race conditions in close and init",
                            "      paths",
                            "    - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer",
                            "    - Bluetooth: hci_qca: Convert timeout from jiffies to ms",
                            "    - Bluetooth: MGMT: validate Add Extended Advertising Data length",
                            "    - Bluetooth: serialize accept_q access",
                            "    - phonet/pep: disable BH around forwarded sk_receive_skb()",
                            "    - net: bcmgenet: keep RBUF EEE/PM disabled",
                            "    - net: devmem: reject dma-buf bind with non-page-aligned size or SG length",
                            "    - net: phy: skip EEE advertisement write when autoneg is disabled",
                            "    - net: hsr: defer node table free until after RCU readers",
                            "    - net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover",
                            "    - net: ifb: report ethtool stats over num_tx_queues",
                            "    - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()",
                            "    - netfilter: ip6t_hbh: reject oversized option lists",
                            "    - netfilter: nf_queue: hold bridge skb->dev while queued",
                            "    - netfilter: ipset: stop hash:* range iteration at end",
                            "    - net: ethtool: fix NULL pointer dereference in phy_reply_size",
                            "    - net: ethtool: phy: avoid NULL deref when PHY driver is unbound",
                            "    - ACPI: driver: Check ACPI_COMPANION() against NULL during probe",
                            "    - sched_ext: Fix missing warning in scx_set_task_state() default case",
                            "    - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path",
                            "    - l2tp: use list_del_rcu in l2tp_session_unhash",
                            "    - qed: fix double free in qed_cxt_tables_alloc()",
                            "    - ring-buffer: Fix reporting of missed events in iterator",
                            "    - ring-buffer: Flush and stop persistent ring buffer on panic",
                            "    - wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb",
                            "    - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()",
                            "    - selftests: mptcp: drop nanoseconds width specifier",
                            "    - mptcp: pm: fix ADD_ADDR timer infinite retry on option space",
                            "      insufficient",
                            "    - vsock/vmci: fix UAF when peer resets connection during handshake",
                            "    - vsock/virtio: reset connection on receiving queue overflow",
                            "    - ice: fix VF queue configuration with low MTU values",
                            "    - wifi: ath11k: clear shared SRNG pointer state on restart",
                            "    - wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
                            "    - wifi: iwlwifi: mld: stop TX during firmware restart",
                            "    - ipv4: raw: reject IP_HDRINCL packets with ihl < 5",
                            "    - ixgbevf: fix use-after-free in VEPA multicast source pruning",
                            "    - rbd: eliminate a race in lock_dwork draining on unmap",
                            "    - mptcp: do not drop partial packets",
                            "    - mptcp: reset rcv wnd on disconnect",
                            "    - lsm: hold cred_guard_mutex for lsm_set_self_attr()",
                            "    - octeontx2-af: CGX: add bounds check to cgx_speed_mbps index",
                            "    - octeontx2-pf: fix double free in rvu_rep_rsrc_init()",
                            "    - igc: fix potential skb leak in igc_fpe_xmit_smd_frame()",
                            "    - ice: fix locking around wait_event_interruptible_locked_irq",
                            "    - ice: fix setting promisc mode while adding VID filter",
                            "    - ice: restore PTP Rx timestamp config after ethtool set-channels",
                            "    - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
                            "    - af_unix: Fix UAF read of tail->len in unix_stream_data_wait()",
                            "    - wifi: mac80211: consume only present negotiated TTLM maps",
                            "    - octeontx2-pf: avoid double free of pool->stack on AQ init failure",
                            "    - cifs: Fix busy dentry used after unmounting",
                            "    - tracing: Do not call map->ops->elt_free() if elt_alloc() fails",
                            "    - ASoC: codecs: pcm512x: fix null-ptr dereference in",
                            "      pcm512x_overclock_xxx_put()",
                            "    - arm64: probes: Handle probes on hinted conditional branch instructions",
                            "    - KVM: arm64: vgic-its: Reject restored DTE with out-of-range",
                            "      num_eventid_bits",
                            "    - KVM: arm64: vgic: Free private_irqs when init fails after allocation",
                            "    - KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum",
                            "      #1235)",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM",
                            "    - virt: sev-guest: Explicitly leak pages in unknown state",
                            "    - i2c: tegra: fix pm_runtime leak on mutex_lock failure",
                            "    - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe",
                            "    - spi: qup: fix error pointer deref after DMA setup failure",
                            "    - phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870",
                            "    - phy: tegra: xusb: Fix per-pad high-speed termination calibration",
                            "    - phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4",
                            "      fix",
                            "    - phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables",
                            "    - phy: qcom: edp: Add eDP/DP mode switch support",
                            "    - phy: qcom: edp: Fix AUX_CFG8 programming for DP mode",
                            "    - scsi: isci: Fix use-after-free in device removal path",
                            "    - spi: ep93xx: fix error pointer deref after DMA setup failure",
                            "    - spi: sprd: fix error pointer deref after DMA setup failure",
                            "    - spi: ti-qspi: fix use-after-free after DMA setup failure",
                            "    - mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()",
                            "    - RDMA/siw: Reject MPA FPDU length underflow before signed receive math",
                            "    - s390/cio: Restore GFP_DMA for CHSC allocation",
                            "    - s390/pai: Disable duplicate read of kernel PAI counter value",
                            "    - s390/pai: Fix missing PAI counter increments under heavy load",
                            "    - fwctl: pds: Validate RPC input size before parsing",
                            "    - LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions",
                            "    - LoongArch: Remove unused code to avoid build warning",
                            "    - cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E",
                            "    - device property: set fwnode->secondary to NULL in fwnode_init()",
                            "    - drm/i915/display: Copy color pipeline from plane in the primary joiner",
                            "      pipe",
                            "    - drm/msm: Fix shrinker deadlock",
                            "    - drm/v3d: Fix use-after-free of CPU job query arrays on error path",
                            "    - drm/v3d: Release indirect CSD GEM reference on CPU job free",
                            "    - drm/virtio: use uninterruptible resv lock for plane updates",
                            "    - drm/xe/multi_queue: Fix secondary queue error case",
                            "    - drm/amdgpu/vpe: Force collaborate sync after TRAP",
                            "    - drm/bridge: it66121: acquire reset GPIO in probe",
                            "    - drm/bridge: megachips: remove bridge when irq request fails",
                            "    - drm/amd/display: Fix integer overflow in bios_get_image()",
                            "    - drm/amd/display: Validate GPIO pin LUT table size before iterating",
                            "    - drm/amd/display: Validate payload length and link_index in",
                            "      dc_process_dmub_aux_transfer_async",
                            "    - batman-adv: v: stop OGMv2 on disabled interface",
                            "    - batman-adv: tvlv: abort OGM send on tvlv append failure",
                            "    - batman-adv: tvlv: reject oversized TVLV packets",
                            "    - batman-adv: iv: recover OGM scheduling after forward packet error",
                            "    - batman-adv: mcast: fix use-after-free in orig_node RCU release",
                            "    - batman-adv: clear current gateway during teardown",
                            "    - batman-adv: dat: handle forward allocation error",
                            "    - batman-adv: fix fragment reassembly length accounting",
                            "    - batman-adv: fix tp_meter counter underflow during shutdown",
                            "    - batman-adv: frag: disallow unicast fragment in fragment",
                            "    - batman-adv: bla: fix report_work leak on backbone_gw purge",
                            "    - batman-adv: bla: avoid double decrement of bla.num_requests",
                            "    - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface",
                            "    - batman-adv: tp_meter: avoid use of uninit sender vars",
                            "    - batman-adv: tp_meter: directly shut down timer on cleanup",
                            "    - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown",
                            "    - batman-adv: tp_meter: fix race condition in send error reporting",
                            "    - batman-adv: tp_meter: avoid role confusion in tp_list",
                            "    - batman-adv: tt: fix TOCTOU race for reported vlans",
                            "    - batman-adv: tt: reject oversized local TVLV buffers",
                            "    - batman-adv: tt: avoid empty VLAN responses",
                            "    - batman-adv: tt: fix negative last_changeset_len",
                            "    - batman-adv: tt: fix negative tt_buff_len",
                            "    - batman-adv: tt: prevent TVLV entry number overflow",
                            "    - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock",
                            "    - hwmon: (pmbus/adm1266) reject implausible blackbox record_count",
                            "    - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer",
                            "    - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized",
                            "      buffer",
                            "    - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR",
                            "    - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in",
                            "      get_multiple",
                            "    - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO",
                            "      accessors",
                            "    - pinctrl: mediatek: moore: implement gpio_chip::get_direction()",
                            "    - pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function",
                            "    - arm64: dts: renesas: r8a78000: Fix SCIF brg_int clocks",
                            "    - ARM: dts: renesas: genmai: Drop superfluous cells",
                            "    - ARM: dts: renesas: rskrza1: Drop superfluous cells",
                            "    - pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high",
                            "      pins during suspend/resume",
                            "    - pinctrl: renesas: rzg2l: Fix SMT register cache handling",
                            "    - pinctrl: meson: amlogic-a4: fix deadlock issue",
                            "    - pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615",
                            "    - kho: skip KHO for crash kernel",
                            "    - mm/memfd_luo: report error when restoring a folio fails mid-loop",
                            "    - HID: intel-thc-hid: Intel-quickspi: Fix some error codes",
                            "    - HID: uclogic: Fix regression of input name assignment",
                            "    - firmware: arm_ffa: Check for NULL FF-A ID table while driver",
                            "      registration",
                            "    - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure",
                            "    - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue",
                            "    - firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0",
                            "    - riscv: errata: Fix bitwise vs logical AND in MIPS errata patching",
                            "    - riscv: Fix register corruption from uninitialized cregs on error",
                            "    - riscv: mm: Fixup no5lvl failure when vaddr is invalid",
                            "    - kunit: config: Enable KUNIT_DEBUGFS by default",
                            "    - kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS",
                            "    - pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150",
                            "    - firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies",
                            "    - firmware: arm_ffa: Keep framework RX release under lock",
                            "    - firmware: arm_ffa: Validate framework notification message layout",
                            "    - firmware: arm_ffa: Align RxTx buffer size before mapping",
                            "    - firmware: arm_ffa: Snapshot notifier callbacks under lock",
                            "    - firmware: arm_ffa: Fix sched-recv callback partition lookup",
                            "    - ARM: integrator: Fix early initialization",
                            "    - ALSA: hda: cs35l56: Put ACPI device after setting companion",
                            "    - ALSA: hda: cs35l41: Put ACPI device on missing physical node",
                            "    - btrfs: tracepoints: fix sleep while in atomic context in",
                            "      btrfs_sync_file()",
                            "    - netfilter: x_tables: allow initial table replace without emitting audit",
                            "      log message",
                            "    - netfilter: x_tables: allocate hook ops while under mutex",
                            "    - netfilter: x_tables: unregister the templates first",
                            "    - netfilter: x_tables: add and use xt_unregister_table_pre_exit",
                            "    - netfilter: x_tables: add and use xtables_unregister_table_exit",
                            "    - netfilter: ebtables: move to two-stage removal scheme",
                            "    - netfilter: ebtables: close dangling table module init race",
                            "    - netfilter: x_tables: close dangling table module init race",
                            "    - netfilter: bridge: eb_tables: close module init race",
                            "    - netfilter: nf_conntrack_expect: restore helper propagation via",
                            "      expectation",
                            "    - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()",
                            "    - test_kprobes: clear kprobes between test runs",
                            "    - tcp: Fix imbalanced icsk_accept_queue count.",
                            "    - net: napi: Avoid gro timer misfiring at end of busypoll",
                            "    - net: shaper: Reject reparenting of existing nodes",
                            "    - idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
                            "    - ice: fix setting RSS VSI hash for E830",
                            "    - ice: fix locking in ice_dcb_rebuild()",
                            "    - ice: dpll: fix rclk pin state get for E810",
                            "    - ice: dpll: fix misplaced header macros",
                            "    - net: lan966x: avoid unregistering netdev on register failure",
                            "    - net: ti: icssm-prueth: fix eth_ports_node leak in probe",
                            "    - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register",
                            "      access",
                            "    - phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init()",
                            "    - NFSD: Fix infinite loop in layout state revocation",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC",
                            "    - fprobe: Fix unregister_fprobe() to wait for RCU grace period",
                            "    - fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap",
                            "    - fs: Fix return in jfs_mkdir and orangefs_mkdir",
                            "    - irqchip/ath79-cpu: Remove unused function",
                            "    - fs: fix forced iversion increment on lazytime timestamp updates",
                            "    - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter",
                            "      validation",
                            "    - nsfs: fix wrong error code returned for pidns ioctls",
                            "    - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT",
                            "    - nvme: fix bio leak on mapping failure",
                            "    - nvme-pci: fix use-after-free in nvme_free_host_mem()",
                            "    - zonefs: handle integer overflow in zonefs_fname_to_fno",
                            "    - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().",
                            "    - ASoC: SOF: amd: Fix error code handling in psp_send_cmd()",
                            "    - powerpc: 82xx: fix uninitialized pointers with free attribute",
                            "    - powerpc: fix dead default for GUEST_STATE_BUFFER_TEST",
                            "    - powerpc/hv-gpci: fix preempt count leak in sysfs show paths",
                            "    - netfs: Fix cancellation of a DIO and single read subrequests",
                            "    - netfs: Fix missing locking around retry adding new subreqs",
                            "    - netfs: Fix missing barriers when accessing stream->subrequests",
                            "      locklessly",
                            "    - netfs: Fix netfs_read_to_pagecache() to pause on subreq failure",
                            "    - netfs: Fix potential for tearing in ->remote_i_size and ->zero_point",
                            "    - netfs: Fix zeropoint update where i_size > remote_i_size",
                            "    - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call",
                            "    - netfs: Fix overrun check in netfs_extract_user_iter()",
                            "    - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes",
                            "      gone",
                            "    - netfs: Defer the emission of trace_netfs_folio()",
                            "    - netfs: Fix streaming write being overwritten",
                            "    - netfs: Fix potential deadlock in write-through mode",
                            "    - netfs: Fix read-gaps to remove netfs_folio from filled folio",
                            "    - netfs: Fix write streaming disablement if fd open O_RDWR",
                            "    - netfs: Fix early put of sink folio in netfs_read_gaps()",
                            "    - netfs: Fix leak of request in netfs_write_begin() error handling",
                            "    - netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()",
                            "    - netfs: Fix partial invalidation of streaming-write folio",
                            "    - netfs: Fix folio->private handling in netfs_perform_write()",
                            "    - netfs: Fix netfs_read_folio() to wait on writeback",
                            "    - netfs, afs: Fix write skipping in dir/link writepages",
                            "    - afs: Fix the locking used by afs_get_link()",
                            "    - net: ethernet: cortina: Make RX SKB per-port",
                            "    - net: ethernet: cortina: Drop half-assembled SKB",
                            "    - net: ethernet: cortina: Carry over frag counter",
                            "    - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference",
                            "    - wifi: ath11k: fix error path leaks in some WMI WOW calls",
                            "    - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()",
                            "    - wifi: ath10k: skip WMI and beacon transmission when device is wedged",
                            "    - net: shaper: flip the polarity of the valid flag",
                            "    - net: shaper: fix trivial ordering issue in net_shaper_commit()",
                            "    - net: shaper: reject duplicate leaves in GROUP request",
                            "    - net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit",
                            "    - net: shaper: fix undersized reply skb allocation in GROUP command",
                            "    - net: shaper: enforce singleton NETDEV scope with id 0",
                            "    - net: shaper: reject QUEUE scope handle with missing id",
                            "    - block: don't overwrite bip_vcnt in bio_integrity_copy_user()",
                            "    - block: recompute nr_integrity_segments in blk_insert_cloned_request",
                            "    - HID: quirks: really enable the intended work around for appledisplay",
                            "    - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()",
                            "    - accel/qaic: Add overflow check to remap_pfn_range during mmap",
                            "    - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint",
                            "    - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics",
                            "    - drm/msm/dpu: fix UV scanlines calculation for YUV UBWC formats",
                            "    - drm/msm/dpu: Fix Kaanapali CWB register configuration",
                            "    - drm/msm/dsi: don't dump registers past the mapped region",
                            "    - drm/msm/dpu: don't mix devm and drmm functions",
                            "    - block: rename struct gendisk zone_wplugs_lock field",
                            "    - block: allow submitting all zone writes from a single context",
                            "    - block: fix handling of dead zone write plugs",
                            "    - selftests: ublk: cap nthreads to kernel's actual nr_hw_queues",
                            "    - x86/mce: Restore MCA polling interval halving",
                            "    - Documentation: intel_pstate: Fix description of asymmetric packing with",
                            "      SMT",
                            "    - drm/msm: Fix GMEM_BASE for A650",
                            "    - drm/msm/a6xx: Add soft fuse detection support",
                            "    - drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()",
                            "    - drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx",
                            "    - drm/msm/a6xx: Restore sysprof_active",
                            "    - drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN",
                            "    - drm/msm/a6xx: Check kzalloc return in a8xx_hfi_send_perf_table",
                            "    - ASoC: intel: sof_sdw: Prepare for configuration without a jack",
                            "    - ASoC: sdw_utils: cs42l43: allow spk component names to be combined",
                            "    - ASoC: sdw_utils: Check speaker component string allocation",
                            "    - riscv: Docs: fix unmatched quote warning",
                            "    - powerpc/time: Remove redundant preempt_disable|enable() calls from",
                            "      arch_irq_work_raise()",
                            "    - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot",
                            "    - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring",
                            "    - net: tls: prevent chain-after-chain in plain text SG",
                            "    - net: phy: DP83TC811: add reading of abilities",
                            "    - ovpn: tcp - use cached peer pointer in ovpn_tcp_close()",
                            "    - ovpn: respect peer refcount in CMD_NEW_PEER error path",
                            "    - ovpn: fix race between deleting interface and adding new peer",
                            "    - cifs: client: stage smb3_reconfigure() updates and restore ctx on",
                            "      failure",
                            "    - phy: apple: atc: Fix typec switch/mux leak on unbind",
                            "    - gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE",
                            "    - x86/xen: Fix xen_e820_swap_entry_with_ram()",
                            "    - vfio/pci: Check BAR resources before exporting a DMABUF",
                            "    - ovpn: disable BHs when updating device stats",
                            "    - tls: Preserve sk_err across recvmsg() when data has been copied",
                            "    - net/mlx5: Do not restore destination-less TC rules",
                            "    - net/mlx5: Skip disabled vports when setting max TX speed",
                            "    - scsi: sd: Fix return code handling in sd_spinup_disk()",
                            "    - ASoC: codecs: fs210x: fix possible buffer overflow",
                            "    - iommupt: Directly call iommupt's unmap_range()",
                            "    - iommupt: Avoid rewalking during map",
                            "    - iommu: Fix loss of errno on map failure for classic ops",
                            "    - iommu: Fix up map/unmap debugging for iommupt domains",
                            "    - iommu: Handle unmap error when iommu_debug is enabled",
                            "    - iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap",
                            "    - iommupt: Fix the end_index calculation in __map_range_leaf()",
                            "    - ALSA: scarlett2: Add missing error check when initialise Autogain Status",
                            "    - ALSA: hda/ca0132: Disable auto-detect on manual output select",
                            "    - cachefiles: Fix error return when vfs_mkdir() fails",
                            "    - io_uring/net: punt IORING_OP_BIND async if it needs file create",
                            "    - vsock/virtio: fix zerocopy completion for multi-skb sends",
                            "    - btrfs: check for subvolume before deleting squota qgroup",
                            "    - btrfs: fix squota accounting during enable generation",
                            "    - ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging",
                            "    - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()",
                            "    - netfilter: nft_inner: release local_lock before re-enabling softirqs",
                            "    - ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5",
                            "    - drm/msm/snapshot: fix dumping of the unaligned regions",
                            "    - hwmon: (lm90) Stop work before releasing hwmon device",
                            "    - hwmon: (lm90) Add lock protection to lm90_alert",
                            "    - wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is",
                            "      disabled",
                            "    - wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it",
                            "    - dma-mapping: move dma_map_resource() sanity check into debug code",
                            "    - drm/gem: Make the GEM LRU lock part of drm_device",
                            "    - drm/xe/gsc: Fix double-free of managed BO in error path",
                            "    - drm/xe/vf: Fix signature of print functions",
                            "    - drm/xe/pf: Fix CFI failure in debugfs access",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019988906",
                            "    - drm/xe: Consolidate workaround entries for Wa_18033852989",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN1",
                            "    - drm/xe/tuning: Apply windower hardware filtering setting on Xe3 and Xe3p",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN4",
                            "    - wifi: ath11k: fix peer resolution on rx path when peer_id=0",
                            "    - wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing",
                            "    - drm/mediatek: mtk_hdmi_ddc_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_cec: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable",
                            "    - io_uring: propagate array_index_nospec opcode into req->opcode",
                            "    - srcu: Don't queue workqueue handlers to never-online CPUs",
                            "    - cgroup/rstat: validate cpu before css_rstat_cpu() access",
                            "    - net/mlx5e: xsk: Fix unlocked writing to ICOSQ",
                            "    - cifs: Fix undefined variables",
                            "    - ice: ptp: serialize E825 PHY timer start with PTP lock",
                            "    - ice: ptp: use primary NAC semaphore on E825",
                            "    - igc: set tx buffer type for SMD frames",
                            "    - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP",
                            "    - phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config",
                            "    - kbuild: pacman-pkg: make \"rc\" releases adhere to pacman versioning",
                            "      scheme",
                            "    - net: dsa: mt7530: fix FDB entries not aging out with short timeout",
                            "    - net: dsa: mt7530: preserve VLAN tags on trapped link-local frames",
                            "    - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer",
                            "    - platform/surface: aggregator_registry: omit battery & AC nodes on",
                            "      Surface Laptop 7",
                            "    - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL",
                            "    - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel_sar: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: uniwill-laptop: Properly initialize charging threshold",
                            "    - platform/x86: uniwill-laptop: Accept charging threshold of 0",
                            "    - platform/x86: uniwill-laptop: Fix behavior of \"force\" module param",
                            "    - platform/x86: asus-armoury: fix mini-LED mode get/set on MODE2 devices",
                            "    - ASoC: soc-utils: Add missing va_end in snd_soc_ret()",
                            "    - drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti (v2)",
                            "    - drm/amdgpu/vce1: Check that the GPU address is < 128 MiB",
                            "    - drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets",
                            "    - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port",
                            "    - RDMA/rtrs: Fix use-after-free in path file creation cleanup",
                            "    - bridge: mcast: Fix a possible use-after-free when removing a bridge port",
                            "    - net: phy: honor eee_disabled_modes in phy_support_eee()",
                            "    - net: phy: honor eee_disabled_modes in phy_advertise_eee_all()",
                            "    - net: airoha: Fix NPU RX DMA descriptor bits",
                            "    - pds_core: fix error handling in pdsc_devcmd_wait",
                            "    - pds_core: fix debugfs_lookup dentry leak and error handling",
                            "    - erofs: fix managed cache race for unaligned extents",
                            "    - erofs: harden h_shared_count in erofs_init_inode_xattrs()",
                            "    - erofs: fix metabuf leak in inode xattr initialization",
                            "    - wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs",
                            "    - wifi: mac80211: fix MLE defragmentation",
                            "    - wifi: mac80211: fix multi-link element inheritance",
                            "    - wifi: wilc1000: fix dma_buffer leak on bus acquire failure",
                            "    - ALSA: seq: Serialize UMP output teardown with event_input",
                            "    - cgroup: rstat: relax NMI guard after switch to try_cmpxchg",
                            "    - tracing: Avoid NULL return from hist_field_name() on truncation",
                            "    - Bluetooth: hci_sync: Fix not setting mask for",
                            "      HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE",
                            "    - Bluetooth: btintel_pcie: Fix incorrect MAC access programming",
                            "    - Bluetooth: btmtk: fix urb->setup_packet leak in error paths",
                            "    - udp: gso: Fix handling checksum in __udp_gso_segment",
                            "    - udp: Fix UDP length on last GSO_PARTIAL segment",
                            "    - net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA",
                            "    - net: shaper: annotate the data races",
                            "    - net: shaper: rework the VALID marking (again)",
                            "    - crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks",
                            "    - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg",
                            "    - net: ag71xx: check error for platform_get_irq",
                            "    - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx",
                            "    - tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction",
                            "    - net: stmmac: eswin: fix HSP CSR init ordering after clock enable",
                            "    - net: stmmac: eswin: clear TXD and RXD delay registers during",
                            "      initialization",
                            "    - net: stmmac: eswin: correct RGMII delay granularity to 20 ps",
                            "    - net: stmmac: eswin: validate RGMII delay values",
                            "    - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed",
                            "    - gpio: aggregator: fix a potential use-after-free",
                            "    - gpio: aggregator: stop using dev-sync-probe",
                            "    - gpio: aggregator: remove the software node when deactivating the",
                            "      aggregator",
                            "    - gpio: aggregator: lock device when calling device_is_bound()",
                            "    - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()",
                            "    - drm/xe/oa: Fix exec_queue leak on width check in stream open",
                            "    - ASoC: cs-amp-lib: Fix wrong sizeof() in",
                            "      _cs_amp_set_efi_calibration_data()",
                            "    - ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup()",
                            "    - selftests: net: Fix checksums in xdp_native",
                            "    - nvme-pci: fix dma_vecs leak on p2p memory",
                            "    - nvme-pci: fix dma mapping leak on data setup error",
                            "    - octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs",
                            "    - net: mana: validate rx_req_idx to prevent out-of-bounds array access",
                            "    - tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR",
                            "    - net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback",
                            "    - pds_core: ensure null-termination for firmware version strings",
                            "    - net: enetc: fix missing error code when pf->vf_state allocation fails",
                            "    - io_uring/nop: pass all errors to userspace",
                            "    - blk-mq: pop cached request if it is usable",
                            "    - ksmbd: fix durable reconnect error path file lifetime",
                            "    - LoongArch: kprobes: Fix handling of fatal unrecoverable recursions",
                            "    - block: avoid use-after-free in disk_free_zone_resources()",
                            "    - Documentation: laptops: Update documentation for uniwill laptops",
                            "    - platform/x86: uniwill-laptop: Do not enable the charging limit even when",
                            "      forced",
                            "    - drm/msm: Restore second parameter name in purge() and evict()",
                            "    - security/keys: fix missed RCU read section on lookup",
                            "    - Linux 7.0.11",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385)",
                            "    - blk-cgroup: wait for blkcg cleanup before initializing new disk",
                            "    - md: suppress spurious superblock update error message for dm-raid",
                            "    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
                            "    - fs/mbcache: cancel shrink work before destroying the cache",
                            "    - md/raid1: fix the comparing region of interval tree",
                            "    - fs: fix archiecture-specific compat_ftruncate64",
                            "    - drbd: Balance RCU calls in drbd_adm_dump_devices()",
                            "    - loop: fix partition scan race between udev and loop_reread_partitions()",
                            "    - block: fix zones_cond memory leak on zone revalidation error paths",
                            "    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()",
                            "    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()",
                            "    - pstore/ram: fix resource leak when ioremap() fails",
                            "    - erofs: include the trailing NUL in FS_IOC_GETFSLABEL",
                            "    - md: fix array_state=clear sysfs deadlock",
                            "    - ublk: reset per-IO canceled flag on each fetch",
                            "    - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()",
                            "    - erofs: handle 48-bit blocks/uniaddr for extra devices",
                            "    - md: remove unused static md_wq workqueue",
                            "    - md: wake raid456 reshape waiters before suspend",
                            "    - dcache: permit dynamic_dname()s up to NAME_MAX",
                            "    - btrfs: fix the inline compressed extent check in inode_need_compress()",
                            "    - btrfs: fix deadlock between reflink and transaction commit when using",
                            "      flushoncommit",
                            "    - btrfs: do not reject a valid running dev-replace",
                            "    - OPP: debugfs: Use performance level if available to distinguish between",
                            "      rates",
                            "    - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()",
                            "    - ACPI: x86: cmos_rtc: Clean up address space handler driver",
                            "    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver",
                            "    - devres: fix missing node debug info in devm_krealloc()",
                            "    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags",
                            "    - debugfs: check for NULL pointer in debugfs_create_str()",
                            "    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()",
                            "    - soundwire: debugfs: initialize firmware_file to empty string",
                            "    - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()",
                            "    - amd-pstate: Update cppc_req_cached in fast_switch case",
                            "    - cpufreq: Pass the policy to cpufreq_driver->adjust_perf()",
                            "    - PCI: use generic driver_override infrastructure",
                            "    - platform/wmi: use generic driver_override infrastructure",
                            "    - vdpa: use generic driver_override infrastructure",
                            "    - s390/cio: use generic driver_override infrastructure",
                            "    - s390/ap: use generic driver_override infrastructure",
                            "    - bus: fsl-mc: use generic driver_override infrastructure",
                            "    - locking/mutex: Rename mutex_init_lockep()",
                            "    - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC",
                            "    - irqchip/irq-pic32-evic: Address warning related to wrong printf()",
                            "      formatter",
                            "    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()",
                            "    - hrtimer: Reduce trace noise in hrtimer_start()",
                            "    - locking: Fix rwlock and spinlock lock context annotations",
                            "    - signal: Fix the lock_task_sighand() annotation",
                            "    - ww-mutex: Fix the ww_acquire_ctx function annotations",
                            "    - perf/amd/ibs: Account interrupt for discarded samples",
                            "    - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR",
                            "    - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler",
                            "    - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE",
                            "    - rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`",
                            "    - sparc64: vdso: Link with -z noexecstack",
                            "    - scripts/gdb: timerlist: Adapt to move of tk_core",
                            "    - locking: Fix rwlock support in <linux/spinlock_up.h>",
                            "    - sched/topology: Compute sd_weight considering cpuset partitions",
                            "    - x86/irqflags: Preemptively move include paravirt.h directive where it",
                            "      belongs",
                            "    - sched/topology: Fix sched_domain_span()",
                            "    - irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()",
                            "    - ASoC: Intel: avs: Check maximum valid CPUID leaf",
                            "    - ASoC: Intel: avs: Include CPUID header at file scope",
                            "    - x86/vdso: Clean up remnants of VDSO32_NOTE_MASK",
                            "    - firmware: dmi: Correct an indexing error in dmi.h",
                            "    - fs/resctrl: Report invalid domain ID when parsing io_alloc_cbm",
                            "    - sched: Make class_schedulers avoid pushing current, and get rid of",
                            "      proxy_tag_curr()",
                            "    - sched/rt: Skip group schedulable check with rt_group_sched=0",
                            "    - wifi: ath11k: fix memory leaks in beacon template setup",
                            "    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()",
                            "    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished",
                            "      irq_prepare_bcn_tasklet",
                            "    - bpf: test_run: Fix the null pointer dereference issue in",
                            "      bpf_lwt_xmit_push_encap",
                            "    - wifi: ath12k: account TX stats only when ACK/BA status is present",
                            "    - wifi: ath12k: Fix legacy rate mapping for monitor mode capture",
                            "    - selftests/bpf: Handle !CONFIG_SMC in bpf_smc.c",
                            "    - wifi: ieee80211: fix definition of EHT-MCS 15 in MRU",
                            "    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH",
                            "    - [Config] Disable CONFIG_FSL_DPAA2_SWITCH on armhf and ppc64el",
                            "    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n",
                            "    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments",
                            "    - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy",
                            "    - powerpc/64s: Fix unmap race with PMD migration entries",
                            "    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n",
                            "    - wifi: libertas: use USB anchors for tracking in-flight URBs",
                            "    - wifi: libertas: don't kill URBs in interrupt context",
                            "    - bpf: Do not allow deleting local storage in NMI",
                            "    - selftests/nolibc: fix test_file_stream() on musl libc",
                            "    - selftests/nolibc: Fix build with host headers and libc",
                            "    - tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to",
                            "      'outbuf[]'",
                            "    - tools/nolibc/printf: Move snprintf length check to callback",
                            "    - tools/nolibc: MIPS: fix clobbers of 'lo' and 'hi' registers on different",
                            "      ISAs",
                            "    - tools/nolibc: avoid -Wundef warning for __STDC_VERSION__",
                            "    - wifi: mt76: mt7996: fix the behavior of radar detection",
                            "    - wifi: mt76: mt7996: fix iface combination for different chipsets",
                            "    - wifi: mt76: mt7996: Set mtxq->wcid just for primary link",
                            "    - wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in",
                            "      mt7996_vif_link_remove()",
                            "    - wifi: mt76: mt7996: Switch to the secondary link if the default one is",
                            "      removed",
                            "    - wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()",
                            "    - wifi: mt76: mt7996: Reset ampdu_state state in case of failure in",
                            "      mt7996_tx_check_aggr()",
                            "    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in",
                            "      mt76_connac2_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control",
                            "    - wifi: mt76: mt7615: fix use_cts_prot support",
                            "    - wifi: mt76: mt7915: fix use_cts_prot support",
                            "    - wifi: mt76: mt7925: prevent NULL pointer dereference in",
                            "      mt7925_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: prevent NULL vif dereference in",
                            "      mt7925_mac_write_txwi",
                            "    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor",
                            "    - wifi: mt76: mt7921: Place upper limit on station AID",
                            "    - wifi: mt76: Fix memory leak destroying device",
                            "    - wifi: mt76: mt7996: Fix NPU stop procedure",
                            "    - wifi: mt76: npu: Add missing rx_token_size initialization",
                            "    - wifi: mt76: mt7925: drop puncturing handling from BSS change path",
                            "    - wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync",
                            "    - wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()",
                            "    - wifi: mt76: mt7925: fix tx power setting failure after chip reset",
                            "    - wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync",
                            "    - wifi: mt76: fix deadlock in remain-on-channel",
                            "    - wifi: mt76: fix backoff fields and max_power calculation",
                            "    - arm64: cpufeature: Make PMUVer and PerfMon unsigned",
                            "    - bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI",
                            "    - wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP",
                            "    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event",
                            "    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()",
                            "    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()",
                            "    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection",
                            "    - wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property",
                            "    - wifi: mt76: mt7996: Remove link pointer dependency in",
                            "      mt7996_mac_sta_remove_links()",
                            "    - wifi: mt76: mt7996: Decrement sta counter removing the link in",
                            "      mt7996_mac_reset_sta_iter()",
                            "    - wifi: mt76: fix multi-radio on-channel scanning",
                            "    - wifi: mt76: support upgrading passive scans to active",
                            "    - wifi: mt76: mt7996: fix RRO EMU configuration",
                            "    - bpf: Fix refcount check in check_struct_ops_btf_id()",
                            "    - selftests/bpf: Fix sockmap_multi_channels reliability",
                            "    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
                            "    - bpf: Fix variable length stack write over spilled pointers",
                            "    - arm_mpam: Ensure in_reset_state is false after applying configuration",
                            "    - arm_mpam: Reset when feature configuration bit unset",
                            "    - bpf,arc_jit: Fix missing newline in pr_err messages",
                            "    - wifi: rtw89: phy: fix uninitialized variable access in",
                            "      rtw89_phy_cfo_set_crystal_cap()",
                            "    - drivers/vfio_pci_core: Change PXD_ORDER check from switch case to",
                            "      if/else block",
                            "    - r8152: fix incorrect register write to USB_UPHY_XTAL",
                            "    - selftests/tracing: Fix to make --logdir option work again",
                            "    - selftests/tracing: Fix to check awk supports non POSIX strtonum()",
                            "    - powerpc/crash: fix backup region offset update to elfcorehdr",
                            "    - powerpc/crash: Update backup region offset in elfcorehdr on memory",
                            "      hotplug",
                            "    - bpf: Fix abuse of kprobe_write_ctx via freplace",
                            "    - macvlan: annotate data-races around port->bc_queue_len_used",
                            "    - bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK",
                            "    - bpf: Fix stale offload->prog pointer after constant blinding",
                            "    - net: ethernet: ti-cpsw:: rename soft_reset() function",
                            "    - net: ethernet: ti-cpsw: fix linking built-in code to modules",
                            "    - wifi: brcmfmac: Fix error pointer dereference",
                            "    - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()",
                            "    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable",
                            "      hooks",
                            "    - bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes",
                            "    - wifi: ath10k: fix station lookup failure during disconnect",
                            "    - bpf: Fix linked reg delta tracking when src_reg == dst_reg",
                            "    - net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT",
                            "    - net: plumb drop reasons to __dev_queue_xmit()",
                            "    - net: qdisc_pkt_len_segs_init() cleanup",
                            "    - net: pull headers in qdisc_pkt_len_segs_init()",
                            "    - arm64: entry: Don't preempt with SError or Debug masked",
                            "    - ACPI: AGDI: fix missing newline in error message",
                            "    - arm64: kexec: Remove duplicate allocation for trans_pgd",
                            "    - bpf: Propagate error from visit_tailcall_insn",
                            "    - bpf: Fix ld_{abs,ind} failure path analysis in subprogs",
                            "    - bpf: Remove static qualifier from local subprog pointer",
                            "    - mptcp: better mptcp-level RTT estimator",
                            "    - bpf: Fix use-after-free in offloaded map/prog info fill",
                            "    - macsec: Support VLAN-filtering lower devices",
                            "    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb",
                            "    - net: bcmgenet: fix leaking free_bds",
                            "    - net: bcmgenet: fix racing timeout handler",
                            "    - net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()",
                            "    - eth: fbnic: Use wake instead of start",
                            "    - netfilter: xt_socket: enable defrag after all other checks",
                            "    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding",
                            "    - bpf: fix mm lifecycle in open-coded task_vma iterator",
                            "    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks",
                            "    - bpf: return VMA snapshot from task_vma iterator",
                            "    - bpf: Fix RCU stall in bpf_fd_array_map_clear()",
                            "    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf",
                            "    - net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available",
                            "    - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars",
                            "    - selftests/bpf: fix __jited_unpriv tag name",
                            "    - net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
                            "    - net/sched: act_ct: Only release RCU read lock after ct_ft",
                            "    - selftests: netfilter: nft_tproxy.sh: adjust to socat changes",
                            "    - net: mana: Use pci_name() for debugfs directory naming",
                            "    - net: mana: Move current_speed debugfs file to mana_init_port()",
                            "    - net: airoha: Add missing RX_CPU_IDX() configuration in",
                            "      airoha_qdma_cleanup_rx_queue()",
                            "    - net_sched: fix skb memory leak in deferred qdisc drops",
                            "    - bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
                            "    - bpf: Allow instructions with arena source and non-arena dest registers",
                            "    - selftests/bpf: Fix reg_bounds to match new tnum-based refinement",
                            "    - net/rds: Optimize rds_ib_laddr_check",
                            "    - net/rds: Restrict use of RDS/IB to the initial network namespace",
                            "    - bpf: Fix OOB in pcpu_init_value",
                            "    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls",
                            "    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG",
                            "    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+",
                            "    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110",
                            "    - net: phy: fix a return path in get_phy_c45_ids()",
                            "    - net/mlx5e: Fix features not applied during netdev registration",
                            "    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()",
                            "    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers",
                            "    - net: fix skb_ext_total_length() BUILD_BUG_ON with",
                            "      CONFIG_GCOV_PROFILE_ALL",
                            "    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb",
                            "    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds",
                            "      MTU",
                            "    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error",
                            "    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
                            "    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp",
                            "    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to",
                            "      sco_pi(sk)->codec",
                            "    - net: phy: qcom: at803x: Use the correct bit to disable extended next",
                            "      page",
                            "    - udp: Force compute_score to always inline",
                            "    - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().",
                            "    - sctp: fix missing encap_port propagation for GSO fragments",
                            "    - sctp: disable BH before calling udp_tunnel_xmit_skb()",
                            "    - selftests/namespaces: remove unused utils.h include from",
                            "      listns_efault_test",
                            "    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master",
                            "    - net: airoha: Fix VIP configuration for AN7583 SoC",
                            "    - net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()",
                            "    - drm/panel: ilitek-ili9882t: Select DRM_DISPLAY_DSC_HELPER",
                            "    - selftests/futex: Fix incorrect result reporting of futex_requeue test",
                            "      item",
                            "    - drm/komeda: fix integer overflow in AFBC framebuffer size check",
                            "    - dma-fence: Fix sparse warnings due __rcu annotations",
                            "    - drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()",
                            "    - drm/virtio: Allow importing prime buffers when 3D is enabled",
                            "    - ASoC: soc-compress: use function to clear symmetric params",
                            "    - PCI/TPH: Allow TPH enable for RCiEPs",
                            "    - PCI: endpoint: pci-epf-vntb: Fix MSI doorbell IRQ unwind",
                            "    - PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested",
                            "    - PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc",
                            "    - drm/sun4i: mixer: Fix layer init code",
                            "    - drm/sun4i: backend: fix error pointer dereference",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019877138",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019386621",
                            "    - drm/xe/xe2_hpg: Drop invalid workaround Wa_15010599737",
                            "    - gpu: nova-core: gsp: use empty slices instead of [0..0] ranges",
                            "    - gpu: nova-core: gsp: fix improper handling of empty slot in cmdq",
                            "    - drm/amdkfd: Removed commented line for MQD queue priority",
                            "    - PCI: imx6: Fix device node reference leak in imx_pcie_probe()",
                            "    - crypto: inside-secure/eip93 - fix register definition",
                            "    - ASoC: sti: Return errors from regmap_field_alloc()",
                            "    - ASoC: sti: use managed regmap_field allocations",
                            "    - dm cache: fix null-deref with concurrent writes in passthrough mode",
                            "    - dm cache: fix write path cache coherency in passthrough mode",
                            "    - dm cache: fix write hang in passthrough mode",
                            "    - dm cache policy smq: fix missing locks in invalidating cache blocks",
                            "    - dm cache: fix concurrent write failure in passthrough mode",
                            "    - dm cache: fix dirty mapping checking in passthrough mode switching",
                            "    - dm-mpath: don't stop probing paths at presuspend",
                            "    - drm/amd/ras: Fix type size of remainder argument",
                            "    - dt-bindings: mmc: dwcmshc-sdhci: Fix resets array validation",
                            "    - drm/amdgpu: GFX12.1 scratch memory limit up to 57-bit",
                            "    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove",
                            "    - gpu: nova-core: use checked arithmetic in FWSEC firmware parsing",
                            "    - gpu: nova-core: create falcon firmware DMA objects lazily",
                            "    - gpu: nova-core: falcon: rename load parameters to reflect DMA dependency",
                            "    - gpu: nova-core: firmware: fix and explain v2 header offsets computations",
                            "    - PCI: dwc: ep: Fix MSI-X Table Size configuration in",
                            "      dw_pcie_ep_set_msix()",
                            "    - PCI: dwc: ep: Mirror the max link width and speed fields to all",
                            "      functions",
                            "    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()",
                            "    - dm cache metadata: fix memory leak on metadata abort retry",
                            "    - dm log: fix out-of-bounds write due to region_count overflow",
                            "    - iopoll: fix function parameter names in read_poll_timeout_atomic()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier",
                            "      in atomic_enable()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to",
                            "      drm_bridge_funcs",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge",
                            "      atomic check",
                            "    - spi: nxp-xspi: Use reinit_completion() for repeated operations",
                            "    - spi: nxp-fspi: Use reinit_completion() for repeated operations",
                            "    - spi: fsl-qspi: Use reinit_completion() for repeated operations",
                            "    - spi: axiado: Remove redundant pm_runtime_mark_last_busy() call",
                            "    - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe",
                            "    - media: synopsys: VIDEO_DW_MIPI_CSI2RX should depend on ARCH_ROCKCHIP",
                            "    - [Config] VIDEO_DW_MIPI_CSI2RX depends on ARCH_ROCKCHIP",
                            "    - drm/amd/pm: Fix xgmi max speed reporting",
                            "    - spi: atcspi200: fix mutex initialization order",
                            "    - selftests/sched_ext: Add missing error check for exit__load()",
                            "    - drm/v3d: Handle error from drm_sched_entity_init()",
                            "    - drm/sun4i: Fix resource leaks",
                            "    - crypto: inside-secure/eip93 - register hash before authenc algorithms",
                            "    - PCI: rzg3s-host: Fix reset handling in probe error path",
                            "    - PCI: rzg3s-host: Reorder reset assertion during suspend",
                            "    - dt-bindings: PCI: renesas,r9a08g045s33-pcie: Fix naming properties",
                            "    - iommu/riscv: Add IOTINVAL after updating DDT/PDT entries",
                            "    - iommu/riscv: Skip IRQ count check when using MSI interrupts",
                            "    - iommu/riscv: Add missing GENERIC_MSI_IRQ",
                            "    - iommu/riscv: Stop polling when CQCSR reports an error",
                            "    - drm/amdkfd: Update queue properties for metadata ring",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()",
                            "    - drm/amdgpu: Add default case in DVI mode validation",
                            "    - regulator: dt-bindings: fp9931: Make vin-supply property as required",
                            "    - regulator: fp9931: Fix handling of mandatory \"vin\" supply",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()",
                            "    - drm/amdgpu: Drop redundant queue NULL check in hang detect worker",
                            "    - drm/amdgpu: Remove dead negative offset check in",
                            "      amdgpu_virt_init_critical_region()",
                            "    - dm init: ensure device probing has finished in dm-mod.waitfor=",
                            "    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build",
                            "      break",
                            "    - crypto: simd - reject compat registrations without __ prefixes",
                            "    - crypto: tegra - Disable softirqs before finalizing request",
                            "    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs",
                            "    - padata: Remove cpu online check from cpu add and removal",
                            "    - padata: Put CPU offline callback in ONLINE section to allow failure",
                            "    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the",
                            "      documentation",
                            "    - accel/amdxdna: fix missing newline in pr_err message",
                            "    - drm/amd/ras: Remove redundant NULL check in pending bad-bank list",
                            "      iteration",
                            "    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority",
                            "    - drm/amdgpu/gfx11: look at the right prop for gfx queue priority",
                            "    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo",
                            "    - PCI: sky1: Fix missing cleanup of ECAM config on probe failure",
                            "    - drm/imagination: Switch reset_reason fields from enum to u32",
                            "    - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()",
                            "    - iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement",
                            "    - drm/msm: add missing MODULE_DEVICE_ID definitions",
                            "    - drm/msm/dpu: fix mismatch between power and frequency",
                            "    - drm/msm/dsi: add the missing parameter description",
                            "    - drm/msm/dpu: don't try using 2 LMs if only one DSC is available",
                            "    - drm/msm/dsi: fix bits_per_pclk",
                            "    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel",
                            "    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0",
                            "    - ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode",
                            "    - tools/sched_ext: scx_pair: fix pair_ctx indexing for CPU pairs",
                            "    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first",
                            "    - drm/panel: simple: Correct G190EAN01 prepare timing",
                            "    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion",
                            "      support",
                            "    - PCI: Prevent shrinking bridge window from its required size",
                            "    - PCI: Fix premature removal from realloc_head list during resource",
                            "      assignment",
                            "    - crypto: hisilicon/sec2 - prevent req used-after-free for sec",
                            "    - PCI: Fix alignment calculation for resource size larger than align",
                            "    - iommu/riscv: Fix signedness bug",
                            "    - ALSA: core: Validate compress device numbers without dynamic minors",
                            "    - drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths",
                            "    - ASoC: amd: acp: update dmic_num logic for acp pdm dmic",
                            "    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled",
                            "    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs",
                            "    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock",
                            "    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0",
                            "    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels",
                            "    - drm/amd/pm/ci: Fill DW8 fields from SMC",
                            "    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board",
                            "    - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled",
                            "    - PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors",
                            "    - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback",
                            "    - ALSA: hda/realtek: fix bad indentation for alc269",
                            "    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace",
                            "      '}')",
                            "    - ASoC: SOF: Intel: hda: Place check before dereference",
                            "    - drm/msm/vma: Avoid lock in VM_BIND fence signaling path",
                            "    - drm/msm/a6xx: Add missing aperture_lock init",
                            "    - drm/msm: Reject fb creation from _NO_SHARE objs",
                            "    - drm/msm: Fix VM_BIND UNMAP locking",
                            "    - drm/msm/a6xx: Fix HLSQ register dumping",
                            "    - drm/msm/shrinker: Fix can_block() logic",
                            "    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks",
                            "    - drm/msm/a6xx: Use barriers while updating HFI Q headers",
                            "    - drm/msm/a8xx: Fix the ticks used in submit traces",
                            "    - drm/msm/a6xx: Switch to preemption safe AO counter",
                            "    - drm/msm/a6xx: Correct OOB usage",
                            "    - drm/msm/adreno: Implement gx_is_on() for A8x",
                            "    - drm/msm/a6xx: Fix gpu init from secure world",
                            "    - ALSA: hda/cmedia: Remove duplicate pin configuration parsing",
                            "    - pmdomain: ti: omap_prm: Fix a reference leak on device node",
                            "    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()",
                            "    - PM: domains: De-constify fields in struct dev_pm_domain_attach_data",
                            "    - drm/msm/dpu: drop INTF_0 on MSM8953",
                            "    - ASoC: fsl_micfil: Add access property for \"VAD Detected\"",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_range_set()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()",
                            "    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()",
                            "    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()",
                            "    - ASoC: fsl_easrc: Change the type for iec958 channel status controls",
                            "    - iommu/amd: Fix clone_alias() to use the original device's devid",
                            "    - iommu/riscv: Remove overflows on the invalidation path",
                            "    - ASoC: qcom: qdsp6: topology: check widget type before accessing data",
                            "    - PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value",
                            "    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off",
                            "    - crypto: qat - disable 420xx AE cluster when lead engine is fused off",
                            "    - crypto: qat - fix compression instance leak",
                            "    - crypto: qat - fix type mismatch in RAS sysfs show functions",
                            "    - crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()",
                            "    - crypto: qat - use swab32 macro",
                            "    - ALSA: hda: Notify IEC958 Default PCM switch state changes",
                            "    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]",
                            "    - PCI: Enable AtomicOps only if Root Port supports them",
                            "    - PCI: imx6: Keep Root Port MSI capability with iMSI-RX to work around",
                            "      hardware bug",
                            "    - PCI: aspeed: Fix IRQ domain leak on platform_get_irq() failure",
                            "    - dt-bindings: PCI: imx6q-pcie: Fix maxItems of clocks and clock-names",
                            "    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found",
                            "    - gpu: nova-core: bitfield: fix broken Default implementation",
                            "    - selftests/mm: skip migration tests if NUMA is unavailable",
                            "    - Documentation: fix a hugetlbfs reservation statement",
                            "    - Docs/admin-guide/mm/damn/lru_sort: fix intervals autotune parameter name",
                            "    - Docs/mm/damon/index: fix typo: autoamted -> automated",
                            "    - zram: do not permit params change after init",
                            "    - selftest: memcg: skip memcg_sock test if address family not supported",
                            "    - gpu: nova-core: remove redundant `.as_ref()` for `dev_*` print",
                            "    - gpu: nova-core: fix missing colon in SEC2 boot debug message",
                            "    - ALSA: scarlett2: Add missing sentinel initializer field",
                            "    - ASoC: qcom: audioreach: explicitly enable speaker protection modules",
                            "    - ASoC: SOF: compress: return the configured codec from get_params",
                            "    - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports",
                            "    - tools/sched_ext: Fix off-by-one in scx_sdt payload zeroing",
                            "    - ASoC: soc-component: re-add pcm_new()/pcm_free()",
                            "    - ASoC: amd: name back to pcm_new()/pcm_free()",
                            "    - ASoC: amd: ps: fix the pcm device numbering for acp pdm dmic",
                            "    - ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream",
                            "    - PCI: tegra194: Fix polling delay for L2 state",
                            "    - PCI: tegra194: Increase LTSSM poll time on surprise link down",
                            "    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link",
                            "      down",
                            "    - PCI: tegra194: Don't force the device into the D0 state before L2",
                            "    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode",
                            "    - PCI: tegra194: Use devm_gpiod_get_optional() to parse \"nvidia,refclk-",
                            "      select\"",
                            "    - PCI: tegra194: Disable direct speed change for Endpoint mode",
                            "    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint",
                            "      mode",
                            "    - PCI: tegra194: Allow system suspend when the Endpoint link is not up",
                            "    - PCI: tegra194: Free up Endpoint resources during remove()",
                            "    - PCI: tegra194: Use DWC IP core version",
                            "    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well",
                            "    - PCI: tegra194: Disable L1.2 capability of Tegra234 EP",
                            "    - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on",
                            "    - drm/fb-helper: Fix a locking bug in an error path",
                            "    - PCI: cadence: Add flags for disabling ASPM capability for broken Root",
                            "      Ports",
                            "    - PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root Ports",
                            "    - ASoC: SDCA: Fix cleanup inversion in class driver",
                            "    - spi: rzv2h-rspi: Fix invalid SPR=0/BRDV=0 clock configuration",
                            "    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()",
                            "      callback",
                            "    - ALSA: sc6000: Keep the programmed board state in card-private data",
                            "    - dm cache: fix missing return in invalidate_committed's error path",
                            "    - sched_ext: Track @p's rq lock across set_cpus_allowed_scx ->",
                            "      ops.set_cpumask",
                            "    - sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking",
                            "    - spi: cadence-qspi: Revert the filtering of certain opcodes in ODTR",
                            "    - crypto: jitterentropy - replace long-held spinlock with mutex",
                            "    - ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP",
                            "    - ALSA: hda/realtek - fixed speaker no sound update",
                            "    - gfs2: Call unlock_new_inode before d_instantiate",
                            "    - fanotify: avoid/silence premature LSM capability checks",
                            "    - fanotify: call fanotify_events_supported() before path_permission() and",
                            "      security_path_notify()",
                            "    - fuse: fix uninit-value in fuse_dentry_revalidate()",
                            "    - ktest: Avoid undef warning when WARNINGS_FILE is unset",
                            "    - ktest: Honor empty per-test option overrides",
                            "    - ktest: Run POST_KTEST hooks on failure and cancellation",
                            "    - vfio: selftests: fix crash in vfio_dma_mapping_mmio_test",
                            "    - rtla/utils: Fix resource leak in set_comm_sched_attr()",
                            "    - tools/rtla: Generate optstring from long options",
                            "    - rtla: Fix segfault on multiple SIGINTs",
                            "    - vfio: selftests: Build tests on aarch64",
                            "    - gfs2: less aggressive low-memory log flushing",
                            "    - quota: Fix race of dquot_scan_active() with quota deactivation",
                            "    - vfio: unhide vdev->debug_root",
                            "    - gfs2: add some missing log locking",
                            "    - gfs2: prevent NULL pointer dereference during unmount",
                            "    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation",
                            "    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
                            "    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon",
                            "    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible",
                            "    - memory: tegra124-emc: Fix dll_change check",
                            "    - memory: tegra30-emc: Fix dll_change check",
                            "    - arm64: dts: imx8-apalis: Fix LEDs name collision",
                            "    - arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD",
                            "    - riscv: dts: spacemit: pcie: fix missing power regulator",
                            "    - arm64: dts: mediatek: mt7988a-bpi-r4pro: fix model string",
                            "    - arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config",
                            "    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO",
                            "      (M.2 W_DISABLE1)",
                            "    - iommufd: vfio compatibility extension check for noiommu mode",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges",
                            "    - arm64: dts: qcom: qcs6490-rubikpi3: Use lt9611 DSI Port B",
                            "    - arm64: dts: qcom: talos: Add missing clock-names to GCC",
                            "    - arm64: dts: ti: k3-am62l: include WKUP_UART0 in wakeup peripheral window",
                            "    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count",
                            "    - iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}",
                            "    - arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices",
                            "    - arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC",
                            "      eval carrier",
                            "    - arm64: dts: imx8mp-hummingboard-pulse/cubox-m: fix vmmc gpio polarity",
                            "    - arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference",
                            "    - ARM: dts: BCM5301X: Drop extra NAND controller compatible",
                            "    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8937-xiaomi-land: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight",
                            "    - firmware: qcom_scm: don't opencode kmemdup",
                            "    - soc: qcom: ubwc: disable bank swizzling for Glymur platform",
                            "    - arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi",
                            "    - Revert \"arm64: dts: rockchip: add SPDIF audio to Beelink A1\"",
                            "    - arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace",
                            "    - arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace",
                            "    - soc: qcom: ocmem: make the core clock optional",
                            "    - soc: qcom: ocmem: register reasons for probe deferrals",
                            "    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available",
                            "    - riscv: dts: spacemit: drop incorrect pinctrl for combo PHY",
                            "    - arm64: dts: rockchip: Fix RK3562 EVB2 model name",
                            "    - arm64: dts: rockchip: Add mphy reset to ufshc node",
                            "    - bus: rifsc: fix RIF configuration check for peripherals",
                            "    - arm64: dts: qcom: arduino-imola: fix faulty spidev node",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: add missing denali-oled.dtb to",
                            "      Makefile\"",
                            "    - arm64: dts: qcom: add missing denali-oled.dtb to Makefile",
                            "    - arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: lemans: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: monaco: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8750: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: kaanapali: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: milos: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8750: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller",
                            "    - arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl",
                            "    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered",
                            "      during boot",
                            "    - arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader",
                            "    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62l3-evm: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins",
                            "    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label",
                            "    - arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS",
                            "      muxing",
                            "    - arm64: dts: imx91: Remove TMU's superfluous sensor ID",
                            "    - arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC",
                            "    - arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3",
                            "    - arm64: dts: imx8mp-evk: Specify ADV7535 register addresses",
                            "    - arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit",
                            "    - arm64: dts: lx2160a: remove duplicate pinmux nodes",
                            "    - arm64: dts: lx2160a: rename pinmux nodes for readability",
                            "    - arm64: dts: lx2160a: add sda gpio references for i2c bus recovery",
                            "    - arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes",
                            "    - arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word",
                            "    - arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual",
                            "    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual",
                            "    - soc/tegra: cbb: Set ERD on resume for err interrupt",
                            "    - soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables",
                            "    - soc/tegra: cbb: Fix cross-fabric target timeout lookup",
                            "    - arm64: tegra: Fix RTC aliases",
                            "    - soc/tegra: pmc: Add kerneldoc for reboot notifier",
                            "    - soc/tegra: pmc: Correct function names in kerneldoc",
                            "    - soc/tegra: pmc: Add kerneldoc for wake-up variables",
                            "    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()",
                            "      failure",
                            "    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()",
                            "    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison",
                            "    - soc: qcom: llcc: fix v1 SB syndrome register offset",
                            "    - soc: qcom: aoss: compare against normalized cooling state",
                            "    - arm64: dts: qcom: milos: Add missing CX power domain to GCC",
                            "    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP",
                            "    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX",
                            "    - arm64/xor: fix conflicting attributes for xor_block_template",
                            "    - lib: kunit_iov_iter: fix memory leaks",
                            "    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended",
                            "    - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP",
                            "    - fwctl: Fix class init ordering to avoid NULL pointer dereference on",
                            "      device removal",
                            "    - ocfs2: fix listxattr handling when the buffer is full",
                            "    - ocfs2: validate bg_bits during freefrag scan",
                            "    - ocfs2: validate group add input before caching",
                            "    - dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis",
                            "    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void",
                            "      function",
                            "    - phy: apple: apple: Use local variable for ioremap return value",
                            "    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()",
                            "    - soundwire: Intel: test bus.bpt_stream before assigning it",
                            "    - dmaengine: mxs-dma: Fix missing return value from",
                            "      of_dma_controller_register()",
                            "    - soundwire: cadence: Clear message complete before signaling waiting",
                            "      thread",
                            "    - tracing: move __printf() attribute on __ftrace_vbprintk()",
                            "    - tracing: Rebuild full_name on each hist_field_name() call",
                            "    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC",
                            "    - [Config] Enable CONFIG_HTE_TEGRA194 on armhf",
                            "    - remoteproc: xlnx: Fix sram property parsing",
                            "    - stop_machine: Fix the documentation for a NULL cpus argument",
                            "    - remoteproc: imx_rproc: Check return value of regmap_attach_dev() in",
                            "      imx_rproc_mmio_detect_mode()",
                            "    - ima: check return value of crypto_shash_final() in boot aggregate",
                            "    - HID: asus: make asus_resume adhere to linux kernel coding standards",
                            "    - HID: asus: do not abort probe when not necessary",
                            "    - workqueue: devres: Add device-managed allocate workqueue",
                            "    - power: supply: max77705: Drop duplicated IRQ error message",
                            "    - power: supply: max77705: Free allocated workqueue and fix removal order",
                            "    - mtd: physmap_of_gemini: Fix disabled pinctrl state check",
                            "    - ima_fs: Correctly create securityfs files for unsupported hash algos",
                            "    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range",
                            "    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read",
                            "      operations",
                            "    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation",
                            "    - mtd: spi-nor: micron-st: add SNOR_CMD_PP_8_8_8_DTR sfdp fixup for",
                            "      mt35xu512aba",
                            "    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask",
                            "    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path",
                            "    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions",
                            "    - cxl/pci: Check memdev driver binding status in cxl_reset_done()",
                            "    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob",
                            "    - mtd: spinand: winbond: Clarify when to enable the HS bit",
                            "    - HID: usbhid: fix deadlock in hid_post_reset()",
                            "    - ext4: fix miss unlock 'sb->s_umount' in extents_kunit_init()",
                            "    - ext4: call deactivate_super() in extents_kunit_exit()",
                            "    - ext4: fix the error handling process in extents_kunit_init).",
                            "    - ext4: fix possible null-ptr-deref in extents_kunit_exit()",
                            "    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()",
                            "    - bpf, arm64: Reject out-of-range B.cond targets",
                            "    - bpf, arm64: Fix off-by-one in check_imm signed range check",
                            "    - bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, sockmap: Fix af_unix iter deadlock",
                            "    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update",
                            "    - bpf, sockmap: Take state lock for af_unix iter",
                            "    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check",
                            "    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs",
                            "    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()",
                            "    - libbpf: Prevent double close and leak of btf objects",
                            "    - bpf: Validate node_id in arena_alloc_pages()",
                            "    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - dt-bindings: pinctrl: marvell,armada3710-xb-pinctrl: add missing items",
                            "      keyword",
                            "    - pinctrl: pinctrl-pic32: Fix resource leak",
                            "    - perf trace: Avoid an ERR_PTR in syscall_stats",
                            "    - pinctrl: microchip-mssio: Fix missing return in probe",
                            "    - perf test type profiling: Remote typedef on struct",
                            "    - pinctrl: cy8c95x0: remove duplicate error message",
                            "    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()",
                            "    - pinctrl: cy8c95x0: Avoid returning positive values to user space",
                            "    - perf branch: Avoid incrementing NULL",
                            "    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE",
                            "      trace",
                            "    - pinctrl: pinconf-generic: Fully validate 'pinmux' property",
                            "    - pinctrl: realtek: Fix function signature for config argument",
                            "    - pinctrl: abx500: Fix type of 'argument' variable",
                            "    - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT}",
                            "      registers",
                            "    - tools build: Correct link flags for libopenssl",
                            "    - perf lock: Fix option value type in parse_max_stack",
                            "    - perf stat: Fix opt->value type for parse_cache_level",
                            "    - memblock: reserve_mem: fix end caclulation in",
                            "      reserve_mem_release_by_name()",
                            "    - perf stat: Fix crash on arm64",
                            "    - perf tools: Fix module symbol resolution for non-zero .text sh_addr",
                            "    - perf test: Fix ratio_to_prev event parsing test",
                            "    - perf test: Skip perf data type profiling tests for s390",
                            "    - perf expr: Return -EINVAL for syntax error in expr__find_ids()",
                            "    - perf metrics: Make common stalled metrics conditional on having the",
                            "      event",
                            "    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure",
                            "    - ipmi: ssif_bmc: fix message desynchronization after truncated response",
                            "    - ipmi: ssif_bmc: change log level to dbg in irq callback",
                            "    - perf cgroup: Update metric leader in evlist__expand_cgroup",
                            "    - pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description",
                            "    - pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description",
                            "    - perf maps: Fix fixup_overlap_and_insert that can break sorted by name",
                            "      order",
                            "    - perf maps: Fix copy_from that can break sorted by name order",
                            "    - perf util: Kill die() prototype, dead for a long time",
                            "    - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback",
                            "    - i3c: master: dw-i3c: Balance PM runtime usage count on probe failure",
                            "    - i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()",
                            "    - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()",
                            "    - i3c: master: adi: Fix error propagation for CCCs",
                            "    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status",
                            "    - fs/ntfs3: prevent uninitialized lcn caused by zero len",
                            "    - backlight: sky81452-backlight: Check return value of",
                            "      devm_gpiod_get_optional() in sky81452_bl_parse_dt()",
                            "    - platform/surface: surfacepro3_button: Drop wakeup source on remove",
                            "    - leds: lgm-sso: Remove duplicate assignments for priv->mmap",
                            "    - usb: typec: Fix error pointer dereference",
                            "    - tty: hvc_iucv: fix off-by-one in number of supported devices",
                            "    - usb: typec: ps883x: Fix Oops at unbind",
                            "    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and",
                            "      cleanup",
                            "    - platform/x86: barco-p50-gpio: normalize return value of gpio_get",
                            "    - fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()",
                            "    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()",
                            "    - nfs/blocklayout: Fix compilation error (`make W=1`) in",
                            "      bl_write_pagelist()",
                            "    - sunrpc: Kill RPC_IFDEBUG()",
                            "    - sunrpc: Fix compilation error (`make W=1`) when dprintk() is no-op",
                            "    - NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg",
                            "    - nfsd: use dynamic allocation for oversized NFSv4.0 replay cache",
                            "    - RDMA/umem: Use consistent DMA attributes when unmapping entries",
                            "    - greybus: raw: fix use-after-free on cdev close",
                            "    - greybus: raw: fix use-after-free if write is called after disconnect",
                            "    - platform/x86: asus-wmi: adjust screenpad power/brightness handling",
                            "    - platform/x86: asus-wmi: fix screenpad brightness range",
                            "    - tty: serial: ip22zilog: Fix section mispatch warning",
                            "    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion",
                            "    - platform/x86: hp-wmi: fix ignored return values in fan settings",
                            "    - platform/x86: hp-wmi: avoid cancel_delayed_work_sync from work handler",
                            "    - platform/x86: hp-wmi: use mod_delayed_work to reset keep-alive timer",
                            "    - platform/x86: hp-wmi: fix u8 underflow in gpu_delta calculation",
                            "    - platform/x86: hp-wmi: add locking for concurrent hwmon access",
                            "    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()",
                            "    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation",
                            "    - RDMA/core: Prefer NLA_NUL_STRING",
                            "    - platform/x86: hp-wmi: fix fan table parsing",
                            "    - dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur",
                            "    - clk: qcom: gcc-glymur: Add video axi clock resets for glymur",
                            "    - clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: renesas: r9a09g057: Fix ordering of module clocks array",
                            "    - clk: renesas: r9a09g056: Fix ordering of module clocks array",
                            "    - clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock",
                            "    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()",
                            "    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX",
                            "    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from",
                            "      byte_div_clk_src dividers",
                            "    - clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-kaanapali: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-milos: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting",
                            "    - clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}",
                            "    - scsi: target: core: Fix integer overflow in UNMAP bounds check",
                            "    - scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item",
                            "    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Use retention for USB power domains",
                            "    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains",
                            "    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk",
                            "    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks",
                            "    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()",
                            "    - clk: imx: imx6q: Fix device node reference leak in",
                            "      of_assigned_ldb_sels()",
                            "    - clk: imx8mq: Correct the CSI PHY sels",
                            "    - um: Fix potential race condition in TLB sync",
                            "    - x86/um: fix vDSO installation",
                            "    - clk: qoriq: avoid format string warning",
                            "    - clk: xgene: Fix mapping leak in xgene_pllclk_init()",
                            "    - clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()",
                            "    - f2fs: avoid reading already updated pages during GC",
                            "    - printk_ringbuffer: Fix get_data() size sanity check",
                            "    - clk: qcom: gdsc: Fix error path on registration of multiple pm",
                            "      subdomains",
                            "    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()",
                            "    - f2fs: fix data loss caused by incorrect use of nat_entry flag",
                            "    - f2fs: fix to preserve previous reserve_{blocks,node} value when remount",
                            "    - scsi: hpsa: Enlarge controller and IRQ name buffers",
                            "    - drm/amd/display: Fix parameter mismatch in panel self-refresh helper",
                            "    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON",
                            "    - clk: visconti: pll: initialize clk_init_data to zero",
                            "    - f2fs: allow empty mount string for Opt_usr|grp|projjquota",
                            "    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()",
                            "    - drm/i915/wm: Verify the correct plane DDB entry",
                            "    - virt: arm-cca-guest: fix error check for RSI_INCOMPLETE",
                            "    - crypto: eip93 - fix hmac setkey algo selection",
                            "    - crypto: sa2ul - Fix AEAD fallback algorithm names",
                            "    - crypto: ccp - copy IV using skcipher ivsize",
                            "    - sh: Include <linux/io.h> in dac.h",
                            "    - erofs: unify lcn as u64 for 32-bit platforms",
                            "    - tools: hv: Fix cross-compilation",
                            "    - Drivers: hv: vmbus: fix hyperv_cpuhp_online variable shadowing",
                            "    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - PCMCIA: Fix garbled log messages for KERN_CONT",
                            "    - reset: amlogic: t7: Fix null reset ops",
                            "    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's",
                            "      phy-names",
                            "    - pwm: stm32: Fix rounding issue for requests with inverted polarity",
                            "    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in",
                            "      tcf_blockcast_redir",
                            "    - macvlan: fix macvlan_get_size() not reserving space for",
                            "      IFLA_MACVLAN_BC_CUTOFF",
                            "    - net/sched: sch_cake: fix NAT destination port not being updated in",
                            "      cake_update_flowkeys",
                            "    - nexthop: fix IPv6 route referencing IPv4 nexthop",
                            "    - net: airoha: Wait for NPU PPE configuration to complete in",
                            "      airoha_ppe_offload_setup()",
                            "    - net/sched: taprio: fix use-after-free in advance_sched() on schedule",
                            "      switch",
                            "    - net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops",
                            "    - net: enetc: correct the command BD ring consumer index",
                            "    - net: enetc: fix NTMP DMA use-after-free issue",
                            "    - ksmbd: fix use-after-free in smb2_open during durable reconnect",
                            "    - tcp: move tp->chrono_type next tp->chrono_stat[]",
                            "    - tcp: inline tcp_chrono_start()",
                            "    - tcp: annotate data-races in tcp_get_info_chrono_stats()",
                            "    - tcp: add data-race annotations around tp->data_segs_out and",
                            "      tp->total_retrans",
                            "    - tcp: add data-races annotations around tp->reordering, tp->snd_cwnd",
                            "    - tcp: annotate data-races around tp->snd_ssthresh",
                            "    - tcp: annotate data-races around tp->delivered and tp->delivered_ce",
                            "    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE",
                            "    - tcp: annotate data-races around tp->bytes_sent",
                            "    - tcp: annotate data-races around tp->bytes_retrans",
                            "    - tcp: annotate data-races around tp->dsack_dups",
                            "    - tcp: annotate data-races around tp->reord_seen",
                            "    - tcp: annotate data-races around tp->srtt_us",
                            "    - tcp: annotate data-races around tp->timeout_rehash",
                            "    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)",
                            "    - tcp: annotate data-races around tp->plb_rehash",
                            "    - ice: fix 'adjust' timer programming for E830 devices",
                            "    - ice: update PCS latency settings for E825 10G/25Gb modes",
                            "    - ice: fix double-free of tx_buf skb",
                            "    - ice: fix PHY config on media change with link-down-on-close",
                            "    - ice: fix ICE_AQ_LINK_SPEED_M for 200G",
                            "    - ice: fix race condition in TX timestamp ring cleanup",
                            "    - ice: fix potential NULL pointer deref in error path of",
                            "      ice_set_ringparam()",
                            "    - i40e: don't advertise IFF_SUPP_NOFCS",
                            "    - iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2",
                            "    - e1000e: Unroll PTP in probe error handling",
                            "    - ipv6: fix possible UAF in icmpv6_rcv()",
                            "    - af_unix: Drop all SCM attributes for SOCKMAP.",
                            "    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks",
                            "    - pppoe: drop PFC frames",
                            "    - net/mlx5: Fix HCA caps leak on notifier init failure",
                            "    - net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()",
                            "    - netfilter: nft_osf: restrict it to ipv4",
                            "    - netfilter: conntrack: remove sprintf usage",
                            "    - netfilter: xtables: restrict several matches to inet family",
                            "    - netfilter: nat: use kfree_rcu to release ops",
                            "    - ipvs: fix MTU check for GSO packets in tunnel mode",
                            "    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching",
                            "    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check",
                            "    - net/sched: sch_dualpi2: drain both C-queue and L-queue in",
                            "      dualpi2_change()",
                            "    - arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0",
                            "    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number",
                            "    - vfio/pci: Clean up DMABUFs before disabling function",
                            "    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic",
                            "    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()",
                            "    - ksmbd: destroy async_ida in ksmbd_conn_free()",
                            "    - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open",
                            "    - ksmbd: scope conn->binding slowpath to bound sessions only",
                            "    - net: validate skb->napi_id in RX tracepoints",
                            "    - bnge: fix initial HWRM sequence",
                            "    - bnge: remove unsupported backing store type",
                            "    - sctp: fix sockets_allocated imbalance after sk_clone()",
                            "    - net/rds: zero per-item info buffer before handing it to visitors",
                            "    - ice: fix timestamp interrupt configuration for E825C",
                            "    - ice: perform PHY soft reset for E825C ports at initialization",
                            "    - ice: fix ready bitmap check for non-E822 devices",
                            "    - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g",
                            "    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()",
                            "    - net/sched: sch_pie: annotate data-races in pie_dump_stats()",
                            "    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()",
                            "    - net/sched: sch_red: annotate data-races in red_dump_stats()",
                            "    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()",
                            "    - net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()",
                            "    - net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()",
                            "    - net: dsa: realtek: rtl8365mb: fix mode mask calculation",
                            "    - net: airoha: Move ndesc initialization at end of",
                            "      airoha_qdma_init_rx_queue()",
                            "    - net: airoha: Rework the code flow in airoha_remove() and in",
                            "      airoha_probe() error path",
                            "    - net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()",
                            "    - net: mana: Init link_change_work before potential error paths in probe",
                            "    - net: mana: Init gf_stats_work before potential error paths in probe",
                            "    - net: mana: Guard mana_remove against double invocation",
                            "    - net: mana: Don't overwrite port probe error with add_adev result",
                            "    - net: mana: Fix EQ leak in mana_remove on NULL port",
                            "    - vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting",
                            "    - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via",
                            "      VQ_PAIRS_SET",
                            "    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls",
                            "    - tcp: send a challenge ACK on SEG.ACK > SND.NXT",
                            "    - tipc: fix double-free in tipc_buf_append()",
                            "    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()",
                            "    - nstree: fix func. parameter kernel-doc warnings",
                            "    - eventpoll: use hlist_is_singular_node() in __ep_remove()",
                            "    - eventpoll: split __ep_remove()",
                            "    - eventpoll: kill __ep_remove()",
                            "    - eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()",
                            "    - eventpoll: move epi_fget() up",
                            "    - fs/adfs: validate nzones in adfs_validate_bblk()",
                            "    - rtc: abx80x: Disable alarm feature if no interrupt attached",
                            "    - kbuild: builddeb - avoid recompiles for non-cross-compiles",
                            "    - tools/power turbostat: Fix AMD RAPL regression on big systems",
                            "    - fbdev: offb: fix PCI device reference leak on probe failure",
                            "    - tools/power turbostat: Fix unrecognized option '-P'",
                            "    - tools/power turbostat: Fix --cpu-set 0 regression on HT systems",
                            "    - tools/power turbostat: Fix --cpu-set 1 regression on HT systems",
                            "    - kbuild: Never respect CONFIG_WERROR / W=e to fixdep",
                            "    - mailbox: mtk-vcp-mailbox: Fix the return value in mtk_vcp_mbox_xlate()",
                            "    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case",
                            "    - mailbox: mailbox-test: free channels on probe error",
                            "    - sched/psi: fix race between file release and pressure write",
                            "    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()",
                            "    - cgroup/cpuset: record DL BW alloc CPU for attach rollback",
                            "    - mailbox: add sanity check for channel array",
                            "    - mailbox: mailbox-test: handle channel errors consistently",
                            "    - mailbox: mailbox-test: don't free the reused channel",
                            "    - mailbox: mailbox-test: initialize struct earlier",
                            "    - mailbox: mailbox-test: make data_ready a per-instance variable",
                            "    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()",
                            "    - btrfs: fix bytes_may_use leak in move_existing_remap()",
                            "    - btrfs: fix bytes_may_use leak in do_remap_reloc_trans()",
                            "    - btrfs: don't clobber errors in add_remap_tree_entries()",
                            "    - btrfs: fix double-decrement of bytes_may_use in",
                            "      submit_one_async_extent()",
                            "    - tracing: branch: Fix inverted check on stat tracer registration",
                            "    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
                            "    - netfilter: nf_tables: use list_del_rcu for netlink hooks",
                            "    - rculist: add list_splice_rcu() for private lists",
                            "    - netfilter: nf_tables: join hook list via splice_list_rcu() in commit",
                            "      phase",
                            "    - netfilter: nf_tables: add hook transactions for device deletions",
                            "    - nvme-pci: fix missed admin queue sq doorbell write",
                            "    - drm/amdgpu: avoid double drm_exec_fini() in userq validate",
                            "    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM",
                            "    - drm/amd/pm: fix missing fine-grained dpm table flag on aldebaran",
                            "    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG",
                            "    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated",
                            "    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)",
                            "    - drm/amdgpu: Only send RMA CPER when threshold is exceeded",
                            "    - netfilter: xt_policy: fix strict mode inbound policy matching",
                            "    - netfilter: nf_conntrack_sip: don't use simple_strtoul",
                            "    - spi: rzv2h-rspi: Fix silent failure in clock setup error path",
                            "    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED",
                            "    - ASoC: SOF: Intel: add an empty adr_link",
                            "    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ",
                            "    - ASoC: tas2764: Mark die temp register as volatile",
                            "    - ASoC: tas2770: Fix order of operations for temperature calculation",
                            "    - drm/sysfb: ofdrm: fix PCI device reference leaks",
                            "    - drm/color-mgmt: Typo s/R332/RGB332/",
                            "    - arm64/scs: Fix potential sign extension issue of advance_loc4",
                            "    - spi: spi-mem: Add a packed command operation",
                            "    - mtd: spinand: Add support for packed read data ODTR commands",
                            "    - mtd: spinand: winbond: Set the packed page read flag to W35N02/04JW",
                            "    - mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW",
                            "    - ACPICA: Provide #defines for EINJV2 error types",
                            "    - ACPI: APEI: EINJ: Fix EINJV2 memory error injection",
                            "    - cdrom, scsi: sr: propagate read-only status to block layer via",
                            "      set_disk_ro()",
                            "    - spi: axiado: replace usleep_range() with udelay() in IRQ path",
                            "    - netdevsim: zero initialize struct iphdr in dummy sk_buff",
                            "    - net/sched: netem: fix probability gaps in 4-state loss model",
                            "    - net/sched: netem: fix queue limit check to include reordered packets",
                            "    - net/sched: netem: only reseed PRNG when seed is explicitly provided",
                            "    - net/sched: netem: validate slot configuration",
                            "    - net/sched: netem: fix slot delay calculation overflow",
                            "    - net/sched: netem: check for negative latency and jitter",
                            "    - net: airoha: fix BQL imbalance in TX path",
                            "    - net: airoha: stop net_device TX queue before updating CPU index",
                            "    - net: airoha: fix typo in function name",
                            "    - net: airoha: Do not wake all netdev TX queues in",
                            "      airoha_qdma_wake_netdev_txqs()",
                            "    - net: airoha: Do not read uninitialized fragment address in",
                            "      airoha_dev_xmit()",
                            "    - net/sched: sch_choke: annotate data-races in choke_dump_stats()",
                            "    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()",
                            "    - vrf: Fix a potential NPD when removing a port from a VRF",
                            "    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()",
                            "    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit",
                            "    - spi: amlogic-spisg: initialize completion before requesting IRQ",
                            "    - NFC: trf7970a: Ignore antenna noise when checking for RF field",
                            "    - net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind",
                            "    - neigh: let neigh_xmit take skb ownership",
                            "    - tcp: make probe0 timer handle expired user timeout",
                            "    - netpoll: fix IPv6 local-address corruption",
                            "    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams",
                            "    - sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue",
                            "    - sched/fair: Clear rel_deadline when initializing forked entities",
                            "    - net: mctp i2c: check length before marking flow active",
                            "    - md/raid1,raid10: don't fail devices for invalid IO errors",
                            "    - md: add fallback to correct bitmap_ops on version mismatch",
                            "    - md: factor bitmap creation away from sysfs handling",
                            "    - md/md-bitmap: split bitmap sysfs groups",
                            "    - md/md-bitmap: add a none backend for bitmap grow",
                            "    - s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()",
                            "    - net: phy: dp83869: fix setting CLK_O_SEL field.",
                            "    - drm/amd/display: properly handle family setting for early GC 11.5.4",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.3.0 ring",
                            "    - drm/amd/pm: Add fine grained flag to SMU v13.0.6",
                            "    - io_uring/napi: cap busy_poll_to 10 msec",
                            "    - ASoC: cs35l56: Fix illegal writes to OTP_MEM registers",
                            "    - net: psp: check for device unregister when creating assoc",
                            "    - net: psp: require admin permission for dev-set and key-rotate",
                            "    - ASoC: codecs: ab8500: Fix casting of private data",
                            "    - netfilter: skip recording stale or retransmitted INIT",
                            "    - sctp: discard stale INIT after handshake completion",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (I)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (II)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (IV)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)",
                            "    - netconsole: return count instead of strnlen(buf, count) from store",
                            "      callbacks",
                            "    - netconsole: avoid clobbering userdatum value on truncated write",
                            "    - netconsole: propagate device name truncation in dev_name_store()",
                            "    - netconsole: restore userdatum value on update_userdata() failure",
                            "    - ALSA: hda/conexant: Fix missing error check for jack detection",
                            "    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()",
                            "    - ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0",
                            "      pages >1",
                            "    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup",
                            "    - drm/amd/display: Allow embedded connectors without DDC",
                            "    - drm/amd/display: Allow DCE link encoder without AUX registers",
                            "    - drm/amd/display: Allow constructing DCE6 link encoder without DDC",
                            "    - drm/amd/display: Allow constructing DCE8 link encoder without DDC",
                            "    - drm/amd/display: Read EDID from VBIOS embedded panel info",
                            "    - drm/amd/display: Use EDID from VBIOS embedded panel info",
                            "    - drm/xe: Use XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET enum instead of magic",
                            "      number",
                            "    - drm/xe: Drop registration of guc_submit_wedged_fini from",
                            "      xe_guc_submit_wedge()",
                            "    - drm/xe/debugfs: Correct printing of register whitelist ranges",
                            "    - drm/xe: Fix potential NULL deref in",
                            "      xe_exec_queue_tlb_inval_last_fence_put_unlocked",
                            "    - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()",
                            "    - drm/xe/eustall: Fix drm_dev_put called before stream disable in close",
                            "    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()",
                            "    - drm/xe/xelp: Fix Wa_18022495364",
                            "    - net: airoha: Do not return err in ndo_stop() callback",
                            "    - bonding: print churn state via netlink",
                            "    - bonding: 3ad: implement proper RCU rules for port->aggregator",
                            "    - page_pool: fix memory-provider leak in page_pool_create_percpu() error",
                            "      path",
                            "    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING",
                            "    - iavf: stop removing VLAN filters from PF on interface down",
                            "    - iavf: wait for PF confirmation before removing VLAN filters",
                            "    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler",
                            "    - ice: fix NULL pointer dereference in ice_reset_all_vfs()",
                            "    - ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw",
                            "    - ice: fix missing SMA pin initialization in DPLL subsystem",
                            "    - ice: fix SMA and U.FL pin state changes affecting paired pin",
                            "    - ice: fix missing dpll notifications for SW pins",
                            "    - dpll: export __dpll_pin_change_ntf() for use under dpll_lock",
                            "    - ice: add dpll peer notification for paired SMA and U.FL pins",
                            "    - net: tls: fix strparser anchor skb leak on offload RX setup failure",
                            "    - sfc: fix error code in efx_devlink_info_running_versions()",
                            "    - net/sched: cls_flower: revert unintended changes",
                            "    - kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition",
                            "    - arm64: Reserve an extra page for early kernel mapping",
                            "    - futex: Drop CLONE_THREAD requirement for private default hash alloc",
                            "    - PCI: Initialize temporary device in new_id_store()",
                            "    - workqueue: fix devm_alloc_workqueue() va_list misuse",
                            "    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()",
                            "    - sched/fair: Fix wakeup_preempt_fair() for not waking up task",
                            "    - crypto: af_alg - Cap AEAD AD length to 0x80000000",
                            "    - i40e: Cleanup PTP pins on probe failure",
                            "    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path",
                            "    - net: ena: PHC: Fix potential use-after-free in get_timestamp",
                            "    - cgroup/cpuset: Reset DL migration state on can_attach() failure",
                            "    - netfilter: nf_conntrack_sip: get helper before allocating expectation",
                            "    - audit: fix incorrect inheritable capability in CAPSET records",
                            "    - net: ena: PHC: Check return code before setting timestamp output",
                            "    - cgroup/dmem: Return -ENOMEM on failed pool preallocation",
                            "    - idpf: fix double free and use-after-free in aux device error paths",
                            "    - cgroup/cpuset: Reserve DL bandwidth only for root-domain moves",
                            "    - Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to",
                            "      warn\"",
                            "    - netfilter: nft_ct: fix missing expect put in obj eval",
                            "    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled",
                            "    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV",
                            "    - cgroup/cpuset: Return only actually allocated CPUs during partition",
                            "      invalidation",
                            "    - KVM: x86: Swap the dst and src operand for MOVNTDQA",
                            "    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()",
                            "    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer",
                            "      arithmetic",
                            "    - KVM: x86: Fix Xen hypercall tracepoint argument assignment",
                            "    - HID: pass the buffer size to hid_report_raw_event",
                            "    - HID: core: introduce hid_safe_input_report()",
                            "    - rseq: Revert to historical performance killing behaviour",
                            "    - rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode",
                            "    - rseq: Reenable performance optimizations conditionally",
                            "    - HID: core: Fix size_t specifier in hid_report_raw_event()",
                            "    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands",
                            "    - media: staging: imx: configure src_mux in csi_start",
                            "    - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events",
                            "    - nvme-apple: Reset q->sq_tail during queue init",
                            "    - smb/client: fix possible infinite loop and oob read in symlink_data()",
                            "    - drm/loongson: Use managed KMS polling",
                            "    - drm: Replace old pointer to new idr",
                            "    - drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup",
                            "    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats",
                            "    - drm/amd/display: Wrap DCN32 phantom-plane allocation in",
                            "      DC_RUN_WITH_PREEMPTION_ENABLED",
                            "    - drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure",
                            "    - platform/x86: intel: Move debugfs register before creating devices",
                            "    - platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers",
                            "    - platform/x86: lenovo-wmi-helpers: Fix memory leak in",
                            "      lwmi_dev_evaluate_int()",
                            "    - platform/x86: lenovo-wmi-other: Balance IDA id allocation and free",
                            "    - platform/x86: lenovo-wmi-other: Balance component bind and unbind",
                            "    - platform/x86: lenovo-wmi-other: Zero initialize WMI arguments",
                            "    - platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members",
                            "    - platform/x86: lenovo-wmi-other: Add Attribute ID helper functions",
                            "    - platform/x86: lenovo-wmi-other: Limit adding attributes to supported",
                            "      devices",
                            "    - accel/rocket: Fix prep_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx",
                            "    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone",
                            "    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans",
                            "    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans",
                            "    - ALSA: usb-audio: qcom: Check offload mapping failures",
                            "    - btrfs: only release the dirty pages io tree after successful writes",
                            "    - ceph: fix a buffer leak in __ceph_setxattr()",
                            "    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size",
                            "    - ceph: put folios not suitable for writeback",
                            "    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
                            "    - iommu/amd: Bounds-check devid in __rlookup_amd_iommu()",
                            "    - x86/kexec: Push kjump return address even for non-kjump kexec",
                            "    - xfs: fix memory leak on error in xfs_alloc_zone_info()",
                            "    - virt: sev-guest: Do not use host-controlled page order in cleanup path",
                            "    - powerpc/warp: Fix error handling in pika_dtm_thread",
                            "    - netfs: fix error handling in netfs_extract_user_iter()",
                            "    - nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled",
                            "    - nfsd: fix file change detection in CB_GETATTR",
                            "    - nfsd: update mtime/ctime on CLONE in presense of delegated attributes",
                            "    - nfsd: update mtime/ctime on COPY in presence of delegated attributes",
                            "    - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining",
                            "    - irqchip/meson-gpio: Use the correct register in",
                            "      meson_s4_gpio_irq_set_type()",
                            "    - irqchip/gic-v5: Move LPI allocation into the LPI domain",
                            "    - irqchip/gic-v5: Support range allocation for LPIs",
                            "    - irqchip/gic-v5: Allocate ITS parent LPIs as a range",
                            "    - libceph: Fix potential out-of-bounds access in osdmap_decode()",
                            "    - libceph: Fix potential null-ptr-deref in decode_choose_args()",
                            "    - libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()",
                            "    - libceph: Fix potential out-of-bounds access in crush_decode()",
                            "    - libceph: handle rbtree insertion error in decode_choose_args()",
                            "    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX",
                            "    - iommu/vt-d: Fix oops due to out of scope access",
                            "    - iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
                            "    - iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()",
                            "    - iommu: Replace per-group resetting_domain with per-gdev blocked flag",
                            "    - iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset",
                            "    - iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix nested pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()",
                            "    - drm/i915: skip __i915_request_skip() for already signaled requests",
                            "    - drm/panfrost: Fix wait_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - drm/xe/dma-buf: handle empty bo and UAF races",
                            "    - drm/xe/dma-buf: fix UAF with retry loop",
                            "    - drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure",
                            "    - drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC",
                            "    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup",
                            "    - drm/gma500/oaktrail_lvds: fix hang on init failure",
                            "    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init",
                            "    - arm_mpam: Fix monitor instance selection when checking for hardware NRDY",
                            "    - arm_mpam: Pretend that NRDY is always hardware managed",
                            "    - arm_mpam: Improve check for whether or not NRDY is hardware managed",
                            "    - arm_mpam: Fix false positive assert failure during mpam_disable()",
                            "    - arm_mpam: Check whether the config array is allocated before destroying",
                            "      it",
                            "    - eventfs: Simplify code using guard()s",
                            "    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list",
                            "    - smb: client: Use FullSessionKey for AES-256 encryption key derivation",
                            "    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: sifive: fix controller deregistration",
                            "    - tracefs: Removed unused 'ret' variable in eventfs_iterate()",
                            "    - workqueue: Annotate alloc_workqueue_va() with __printf(1, 0)",
                            "    - selftests/bpf: Remove test_access_variable_array",
                            "    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()",
                            "    - Linux 7.0.10",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45846",
                            "    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45845",
                            "    - net/sched: taprio: fix NULL pointer dereference in class dump",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45844",
                            "    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-46242",
                            "    - eventpoll: fix ep_remove struct eventpoll / struct file UAF",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45843",
                            "    - slip: bound decode() reads against the compressed packet length",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45842",
                            "    - slip: reject VJ receive packets on instances with no rstate array",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45841",
                            "    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45840",
                            "    - openvswitch: cap upcall PID array size and pre-size vport replies",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45839",
                            "    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45838",
                            "    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006)",
                            "    - Linux 7.0.8",
                            "    - HID: pidff: Fix integer overflow in pidff_rescale",
                            "    - media: uvcvideo: Enable VB2_DMABUF for metadata stream",
                            "    - drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames",
                            "    - media: rzv2h-ivc: Avoid double job scheduling",
                            "    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0",
                            "    - media: rzv2h-ivc: Write AXIRX_PIXFMT once",
                            "    - media: rzv2h-ivc: Fix FM_STOP register write",
                            "    - media: rzv2h-ivc: Fix concurrent buffer list access",
                            "    - media: mali-c55: Initialize the ISP in enable_streams()",
                            "    - media: mali-c55: Fix Iridix bypass macros",
                            "    - media: renesas: vsp1: Fix NULL pointer deref on module unload",
                            "    - media: renesas: vin: Fix RAW8 (again)",
                            "    - media: i2c: ov8856: free control handler on error in",
                            "      ov8856_init_controls()",
                            "    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for",
                            "      RK35{76,88}",
                            "    - media: dt-bindings: rockchip,vdec: Mark reg-names required for",
                            "      RK35{76,88}",
                            "    - media: chips-media: wave5: fix a potential memory leak in",
                            "      wave5_vdi_init()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      send_eos_event()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      handle_dynamic_resolution_change()",
                            "    - arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label",
                            "      position",
                            "    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after",
                            "      system pages",
                            "    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages",
                            "    - spi: bcm63xx: fix controller deregistration",
                            "    - spi: atmel: fix controller deregistration",
                            "    - arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux",
                            "    - regulator: mt6357: fix OF node reference imbalance",
                            "    - spi: st-ssc4: fix controller deregistration",
                            "    - regulator: max77650: fix OF node reference imbalance",
                            "    - media: ti: vpe: Add missing v4l2_device_unregister in vip_remove()",
                            "    - media: rc: streamzap: Error handling in probe",
                            "    - media: i2c: imx283: Enter full standby when stopping streaming",
                            "    - regulator: bq257xx: fix OF node reference imbalance",
                            "    - regulator: rk808: fix OF node reference imbalance",
                            "    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
                            "    - media: mali-c55: Fully reset the ISP configuration",
                            "    - media: intel/ipu6: fix error pointer dereference",
                            "    - media: i2c: imx283: Fix hang when going from large to small resolution",
                            "    - regulator: act8945a: fix OF node reference imbalance",
                            "    - regulator: s2dos05: fix OF node reference imbalance",
                            "    - regulator: bd9571mwv: fix OF node reference imbalance",
                            "    - spi: lantiq-ssc: fix controller deregistration",
                            "    - spi: meson-spicc: fix controller deregistration",
                            "    - spi: qup: fix controller deregistration",
                            "    - arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO",
                            "    - spi: at91-usart: fix controller deregistration",
                            "    - media: ipu-bridge: Add upside-down sensor DMI quirk for Dell XPS 13 9340",
                            "      and XPS 14 9440",
                            "    - spi: amlogic-spisg: fix controller deregistration",
                            "    - spi: aspeed-smc: fix controller deregistration",
                            "    - drm/colorop: Preserve bypass value in duplicate_state()",
                            "    - drm/atomic: Add affected colorops with affected planes",
                            "    - platform/x86: hp-wmi: Ignore backlight and FnLock events",
                            "    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to",
                            "      copy",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for",
                            "      pinctrl/pinctrl_aon",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt",
                            "    - media: pci: zoran: fix potential memory leak in zoran_probe()",
                            "    - media: dib8000: avoid division by 0 in dib8000_set_dds()",
                            "    - media: i2c: imx412: Assert reset GPIO during probe",
                            "    - media: staging: imx: request mbus_config in csi_start",
                            "    - media: i2c: ov08d10: fix image vertical start setting",
                            "    - media: i2c: ov08d10: fix runtime PM handling in probe",
                            "    - media: omap3isp: drop the use count of v4l2 pipeline",
                            "    - media: iris: fix QCOM_MDT_LOADER dependency",
                            "    - media: qcom: camss: Fix csid clock configuration for sa8775p",
                            "    - media: qcom: camss: Fix csid IRQ offset for sa8775p",
                            "    - media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on",
                            "      SC7280",
                            "    - media: venus: fix QCOM_MDT_LOADER dependency",
                            "    - media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()",
                            "    - media: iris: switch to hardware mode after firmware boot",
                            "    - media: qcom: camss: Add missing clocks for VFE lite on sa8775p",
                            "    - spi: mxs: fix controller deregistration",
                            "    - spi: mt65xx: fix controller deregistration",
                            "    - spi: dln2: fix controller deregistration",
                            "    - spi: s3c64xx: fix controller deregistration",
                            "    - spi: fsl-espi: fix controller deregistration",
                            "    - spi: omap2-mcspi: fix controller deregistration",
                            "    - spi: pic32: fix controller deregistration",
                            "    - spi: ep93xx: fix controller deregistration",
                            "    - spi: mtk-nor: fix controller deregistration",
                            "    - spi: pl022: fix controller deregistration",
                            "    - spi: sh-hspi: fix controller deregistration",
                            "    - spi: bcmbca-hsspi: fix controller deregistration",
                            "    - spi: coldfire-qspi: fix controller deregistration",
                            "    - spi: npcm-pspi: fix controller deregistration",
                            "    - spi: cavium-thunderx: fix controller deregistration",
                            "    - spi: pic32-sqi: fix controller deregistration",
                            "    - spi: sprd: fix controller deregistration",
                            "    - spi: sh-msiof: fix controller deregistration",
                            "    - spi: slave-mt27xx: fix controller deregistration",
                            "    - spi: img-spfi: fix controller deregistration",
                            "    - spi: mpfs: fix controller deregistration",
                            "    - spi: octeon: fix controller deregistration",
                            "    - spi: imx: fix runtime pm leak on probe deferral",
                            "    - spi: mxic: fix controller deregistration",
                            "    - spi: orion: fix controller deregistration",
                            "    - spi: orion: fix runtime pm leak on unbind",
                            "    - spi: orion: fix clock imbalance on registration failure",
                            "    - spi: cadence: fix controller deregistration",
                            "    - spi: cadence-quadspi: fix controller deregistration",
                            "    - spi: cadence: fix unclocked access on unbind",
                            "    - spi: cadence: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm disable imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm and clock imbalance on unbind",
                            "    - drm/colorop: Fix blob property reference tracking in state lifecycle",
                            "    - drm/imx: parallel-display: Prefer bus format set via legacy \"interface-",
                            "      pix-fmt\" DT property",
                            "    - drm/msm: always recover the gpu",
                            "    - drm/v3d: Reject empty multisync extension to prevent infinite loop",
                            "    - drm/i915/psr: Init variable to avoid early exit from et alignment loop",
                            "    - drm/amd/display: fix math_mod() using arg1 instead of arg2",
                            "    - drm/amd: Add missing firmware declaration for PSP v15.0.0",
                            "    - drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0",
                            "      .",
                            "    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.",
                            "    - drm/amdgpu: gate VM CPU HDP flush on reset lock",
                            "    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x",
                            "    - drm/amdkfd: Add upper bound check for num_of_nodes",
                            "    - drm/amdgpu/vce: Prevent partial address patches",
                            "    - drm/amd/display: Change dither policy for 10 bpc output back to",
                            "      dithering",
                            "    - drm/appletbdrm: Use kvzalloc for big allocations",
                            "    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11 and",
                            "      higher.",
                            "    - drm/udl: Increase GET_URB_TIMEOUT",
                            "    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()",
                            "    - drm/xe/bo: Fix bo leak on unaligned size validation in",
                            "      xe_bo_init_locked()",
                            "    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
                            "    - drm/radeon: add missing revision check for CI",
                            "    - drm/amdgpu: zero-initialize GART table on allocation",
                            "    - drm/exynos: remove bridge when component_add fails",
                            "    - drm/amdgpu/userq: fix access to stale wptr mapping",
                            "    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ",
                            "    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer",
                            "    - drm/sti: remove bridge when sti_hda component_add fails",
                            "    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdkfd: Make all TLB-flushes heavy-weight",
                            "    - drm/amdgpu/pm: add missing revision check for CI",
                            "    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon",
                            "    - arm64: dts: qcom: kodiak: Fix PCIe1 PHY ref clock voting",
                            "    - arm64: dts: qcom: lemans: Correct QUP interrupt numbers",
                            "    - arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22",
                            "    - arm64: dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO",
                            "    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure",
                            "    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation",
                            "    - usb: typec: tcpm: reset internal port states on soft reset AMS",
                            "    - io_uring/zcrx: use guards for locking",
                            "    - io_uring/zcrx: warn on freelist violations",
                            "    - kho: fix error handling in kho_add_subtree()",
                            "    - EDAC/versalnet: Refactor memory controller initialization and cleanup",
                            "    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: uniphier: fix controller deregistration",
                            "    - cgroup: Increment nr_dying_subsys_* from rmdir context",
                            "    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()",
                            "    - perf build: fix \"argument list too long\" in second location",
                            "    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from mmap()",
                            "    - vsock/virtio: fix length and offset in tap skb for split packets",
                            "    - drm/amdgpu/vcn3: Avoid overflow on msg bound check",
                            "    - drm/amdgpu/vcn4: Avoid overflow on msg bound check",
                            "    - Linux 7.0.9",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46214",
                            "    - vsock/virtio: fix accept queue count leak on transport mismatch",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46207",
                            "    - vsock/virtio: fix empty payload in tap skb for non-linear buffers",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46234",
                            "    - vsock: fix buffer size clamping order",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46223",
                            "    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46221",
                            "    - EDAC/versalnet: Fix device name memory leak",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46231",
                            "    - batman-adv: bla: put backbone reference on failed claim hash insert",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46233",
                            "    - batman-adv: bla: only purge non-released claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46212",
                            "    - batman-adv: bla: prevent use-after-free when deleting claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46238",
                            "    - batman-adv: stop caching unowned originator pointers in BAT IV",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46208",
                            "    - batman-adv: stop tp_meter sessions during mesh teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46206",
                            "    - batman-adv: reject new tp_meter sessions during teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46198",
                            "    - batman-adv: fix integer overflow on buff_pos",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46227",
                            "    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in",
                            "      SCTP_SENDALL",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46220",
                            "    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46215",
                            "    - drm: Set old handle to NULL before prime swap in change_handle",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46201",
                            "    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46224",
                            "    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46197",
                            "    - drm/amdkfd: validate SVM ioctl nattr against buffer size",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46209",
                            "    - drm/gem: Fix inconsistent plane dimension calculation in",
                            "      drm_gem_fb_init_with_funcs()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46230",
                            "    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46199",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46204",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46218",
                            "    - drm/amdgpu: Add bounds checking to ib_{get,set}_value",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46229",
                            "    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46211",
                            "    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46203",
                            "    - spi: cadence-quadspi: fix unclocked access on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46219",
                            "    - spi: mpc52xx: fix use-after-free on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46200",
                            "    - spi: mpc52xx: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46241",
                            "    - spi: mpc52xx: fix use-after-free on registration failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46225",
                            "    - spi: rspi: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46226",
                            "    - spi: fsl: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46228",
                            "    - spi: ch341: fix devres lifetime",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46216",
                            "    - drm/xe/hdcp: Add NULL check for media_gt in",
                            "      intel_hdcp_gsc_check_status()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46210",
                            "    - media: iris: fix use-after-free of fmt_src during MBPF check",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46240",
                            "    - media: iris: Fix use-after-free in iris_release_internal_buffers()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46235",
                            "    - media: saa7164: add ioremap return checks and cleanups",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46222",
                            "    - media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46239",
                            "    - media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46236",
                            "    - media: rc: xbox_remote: heed DMA restrictions",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46205",
                            "    - staging: media: atomisp: Disallow all private IOCTLs",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46202",
                            "    - HID: appletb-kbd: run inactivity autodim from workqueues",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46213",
                            "    - HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46232",
                            "    - HID: playstation: Clamp num_touch_reports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988)",
                            "    - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states",
                            "    - ACPI: scan: Use acpi_dev_put() in object add error paths",
                            "    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO",
                            "    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug",
                            "    - ACPI: video: force native backlight on HP OMEN 16 (8A44)",
                            "    - iommufd: Fix a race with concurrent allocation and unmap",
                            "    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command",
                            "    - spi: rockchip: fix controller deregistration",
                            "    - ksmbd: rewrite stop_sessions() with restartable iteration",
                            "    - flow_dissector: do not dissect PPPoE PFC frames",
                            "    - smb: client/smbdirect: fix MR registration for coalesced SG lists",
                            "    - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr",
                            "    - wifi: mt76: mt7925: fix incorrect length field in txpower command",
                            "    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work",
                            "    - wifi: ath5k: do not access array OOB",
                            "    - ALSA: usb-audio: midi2: Restart output URBs on resume",
                            "    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check",
                            "    - usb: dwc3: Move GUID programming after PHY initialization",
                            "    - USB: omap_udc: DMA: Don't enable burst 4 mode",
                            "    - USB: serial: option: add Telit Cinterion LE910Cx compositions",
                            "    - usb: typec: tcpm: fix debug accessory mode detection for sink ports",
                            "    - ALSA: hda: cs35l56: Propagate ASP TX source control errors",
                            "    - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi",
                            "      Laptop Pro 15",
                            "    - ALSA: firewire-tascam: Do not drop unread control events",
                            "    - ALSA: core: Serialize deferred fasync state checks",
                            "    - ALSA: seq: Fix UMP group 16 filtering",
                            "    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o",
                            "    - x86/efi: Restore IRQ state in EFI page fault handler",
                            "    - xfrm: provide message size for XFRM_MSG_MAPPING",
                            "    - selinux: fix avdcache auditing",
                            "    - selinux: don't reserve xattr slot when we won't fill it",
                            "    - selinux: shrink critical section in sel_write_load()",
                            "    - selinux: prune /sys/fs/selinux/checkreqprot",
                            "    - selinux: prune /sys/fs/selinux/disable",
                            "    - selinux: prune /sys/fs/selinux/user",
                            "    - selinux: allow multiple opens of /sys/fs/selinux/policy",
                            "    - io_uring/kbuf: support min length left for incremental buffers",
                            "    - io_uring/tw: serialize ctx->retry_llist with ->uring_lock",
                            "    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()",
                            "    - rust: drm: gem: clean up GEM state in init failure case",
                            "    - rust: allow `clippy::collapsible_match` globally",
                            "    - rust: allow `clippy::collapsible_if` globally",
                            "    - rust: pin-init: internal: move alignment check to `make_field_check`",
                            "    - spi: syncuacer: fix controller deregistration",
                            "    - spi: sun4i: fix controller deregistration",
                            "    - spi: zynq-qspi: fix controller deregistration",
                            "    - spi: ti-qspi: fix controller deregistration",
                            "    - spi: sun6i: fix controller deregistration",
                            "    - spi: tegra114: fix controller deregistration",
                            "    - spi: zynqmp-gqspi: fix controller deregistration",
                            "    - spi: tegra20-sflash: fix controller deregistration",
                            "    - spi: s3c64xx: fix NULL-deref on driver unbind",
                            "    - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in",
                            "      rtw_cbuf_alloc",
                            "    - staging: vme_user: fix root device leak on init failure",
                            "    - KVM: arm64: Fix kvm_vcpu_initialized() macro parameter",
                            "    - arm64: signal: Preserve POR_EL0 if poe_context is missing",
                            "    - mm/hugetlb_cma: round up per_node before logging it",
                            "    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT",
                            "    - LoongArch: KVM: Compile switch.S directly into the kernel",
                            "    - mptcp: pm: ADD_ADDR rtx: skip inactive subflows",
                            "    - perf/x86/intel: Improve validation and configuration of ACR masks",
                            "    - selftests/rseq: Don't run tests with runner scripts outside of the",
                            "      scripts",
                            "    - rseq: Set rseq::cpu_id_start to 0 on unregistration",
                            "    - rseq: Protect rseq_reset() against interrupts",
                            "    - rseq: Don't advertise time slice extensions if disabled",
                            "    - selftests/rseq: Make registration flexible for legacy and optimized mode",
                            "    - selftests/rseq: Skip tests if time slice extensions are not available",
                            "    - selftests/rseq: Validate legacy behavior",
                            "    - selftests/rseq: Expand for optimized RSEQ ABI v2",
                            "    - pseries/papr-hvpipe: Fix race with interrupt handler",
                            "    - pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()",
                            "    - pseries/papr-hvpipe: Fix the usage of copy_to_user()",
                            "    - net: libwx: use request_irq for VF misc interrupt",
                            "    - netpoll: pass buffer size to egress_dev() to avoid MAC truncation",
                            "    - ovl: fix verity lazy-load guard broken by fsverity_active() semantic",
                            "      change",
                            "    - parisc: Fix IRQ leak in LASI driver",
                            "    - x86/efi: Fix graceful fault handling after FPU softirq changes",
                            "    - hwmon: (ltc2992) Clamp threshold writes to hardware range",
                            "    - hwmon: (ltc2992) Fix u32 overflow in power read path",
                            "    - clk: rk808: fix OF node reference imbalance",
                            "    - hwmon: (corsair-psu) Close HID device on probe errors",
                            "    - af_unix: Reject SIOCATMARK on non-stream sockets",
                            "    - arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's",
                            "    - pmdomain: mediatek: fix use-after-free in",
                            "      scpsys_get_bus_protection_legacy()",
                            "    - block: fix zone write plug removal",
                            "    - block: only read from sqe on initial invocation of blkdev_uring_cmd()",
                            "    - cifs: abort open_cached_dir if we don't request leases",
                            "    - cifs: change_conf needs to be called for session setup",
                            "    - extcon: ptn5150: handle pending IRQ events during system resume",
                            "    - gpio: of: clear OF_POPULATED on hog nodes in remove path",
                            "    - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS",
                            "    - hv_sock: fix ARM64 support",
                            "    - hv_sock: Report EOF instead of -EIO for FIN",
                            "    - hv_sock: Return -EIO for malformed/short packets",
                            "    - spi: microchip-core-qspi: fix controller deregistration",
                            "    - spi: microchip-core-spi: fix controller deregistration",
                            "    - tracefs: Fix default permissions not being applied on initial mount",
                            "    - udf: reject descriptors with oversized CRC length",
                            "    - x86/boot/e820: Re-enable BIOS fallback if e820 table is empty",
                            "    - thermal: core: Free thermal zone ID later during removal",
                            "    - thermal/drivers/sprd: Fix temperature clamping in",
                            "      sprd_thm_temp_to_rawdata",
                            "    - thermal/drivers/sprd: Fix raw temperature clamping in",
                            "      sprd_thm_rawdata_to_temp",
                            "    - spi: topcliff-pch: fix controller deregistration",
                            "    - spi: topcliff-pch: fix use-after-free on unbind",
                            "    - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section",
                            "    - tracing/fprobe: Remove fprobe from hash in failure path",
                            "    - tracing/fprobe: Unregister fprobe even if memory allocation fails",
                            "    - tracing/probes: Limit size of event probe to 3K",
                            "    - tracing/fprobe: Check the same type fprobe on table as the unregistered",
                            "      one",
                            "    - clk: imx: imx8-acm: fix flags for acm clocks",
                            "    - clk: microchip: mpfs-ccc: fix out of bounds access during output",
                            "      registration",
                            "    - cpuidle: powerpc: avoid double clear when breaking snooze",
                            "    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk",
                            "      table",
                            "    - ASoC: ES8389: convert to devm_clk_get_optional() to get clock",
                            "    - ASoC: fsl_easrc: fix comment typo",
                            "    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error",
                            "    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop",
                            "    - ASoC: qcom: q6apm: remove child devices when apm is removed",
                            "    - btrfs: do not mark inode incompressible after inline attempt fails",
                            "    - dm: don't report warning when doing deferred remove",
                            "    - dm: fix a buffer overflow in ioctl processing",
                            "    - dm-verity-fec: correctly reject too-small FEC devices",
                            "    - dm-verity-fec: correctly reject too-small hash devices",
                            "    - dm-verity-fec: fix corrected block count stat",
                            "    - dm-verity-fec: fix the size of dm_verity_fec_io::erasures",
                            "    - isofs: validate Rock Ridge CE continuation extent against volume size",
                            "    - iommufd: Fix return value of iommufd_fault_fops_write()",
                            "    - iommu/vt-d: Block PASID attachment to nested domain with dirty tracking",
                            "    - iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update",
                            "    - lib/crc: tests: Make crc_kunit test only the enabled CRC variants",
                            "    - lib/scatterlist: fix temp buffer in extract_user_to_sg()",
                            "    - nvme-apple: drop invalid put of admin queue reference count",
                            "    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
                            "    - pmdomain: core: Fix detach procedure for virtual devices in genpd",
                            "    - psp: strip variable-length PSP header in psp_dev_rcv()",
                            "    - s390/debug: Reject zero-length input in debug_input_flush_fn()",
                            "    - s390/debug: Reject zero-length input before trimming a newline",
                            "    - KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty",
                            "    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/stat: detect and use fresh enabled value",
                            "    - PCI: Update saved_config_space upon resource assignment",
                            "    - PCI/AER: Clear only error bits in PCIe Device Status",
                            "    - PCI/AER: Stop ruling out unbound devices as error source",
                            "    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage",
                            "    - power: supply: max17042: avoid overflow when determining health",
                            "    - perf/x86/intel: Always reprogram ACR events to prevent stale masks",
                            "    - perf/x86/intel: Disable PMI for self-reloaded ACR events",
                            "    - perf/x86/intel: Enable auto counter reload for DMR",
                            "    - RDMA/ionic: bound node_desc sysfs read with %.64s",
                            "    - RDMA/ionic: Fix typo in format string",
                            "    - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()",
                            "    - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()",
                            "    - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask",
                            "    - sched_ext: Use dsq->first_task instead of list_empty() in",
                            "      dispatch_enqueue() FIFO-tail",
                            "    - selftests: mptcp: check output: catch cmd errors",
                            "    - selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl",
                            "    - mptcp: fastclose msk when linger time is 0",
                            "    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure",
                            "    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure",
                            "    - mptcp: sockopt: set timestamp flags on subflow socket, not msk",
                            "    - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf",
                            "    - mptcp: fix rx timestamp corruption on fastopen",
                            "    - mptcp: pm: prio: skip closed subflows",
                            "    - mptcp: pm: kernel: reset fullmesh counter after flush",
                            "    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker",
                            "    - mptcp: pm: ADD_ADDR rtx: return early if no retrans",
                            "    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()",
                            "    - f2fs: fix false alarm of lockdep on cp_global_sem lock",
                            "    - f2fs: fix fiemap boundary handling when read extent cache is incomplete",
                            "    - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage",
                            "    - f2fs: fix incorrect file address mapping when inline inode is unwritten",
                            "    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()",
                            "    - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()",
                            "    - f2fs: refactor f2fs_move_node_folio function",
                            "    - f2fs: fix inline data not being written to disk in writeback path",
                            "    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace",
                            "    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value",
                            "    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()",
                            "    - KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer",
                            "    - KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer",
                            "    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS",
                            "    - LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry",
                            "    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by",
                            "      software",
                            "    - LoongArch: KVM: Move unconditional delay into timer clear scenery",
                            "    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()",
                            "    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup",
                            "    - mmc: core: Adjust MDT beyond 2025",
                            "    - mmc: core: Add quirk for incorrect manufacturing date",
                            "    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs",
                            "    - crypto: qat - fix indentation of macros in qat_hal.c",
                            "    - crypto: qat - fix firmware loading failure for GEN6 devices",
                            "    - hfsplus: fix held lock freed on hfsplus_fill_super()",
                            "    - 8021q: use RCU for egress QoS mappings",
                            "    - printk: add print_hex_dump_devel()",
                            "    - crypto: caam - guard HMAC key hex dumps in hash_digest_key",
                            "    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()",
                            "    - rust: pin-init: fix incorrect accessor reference lifetime",
                            "    - Linux 7.0.7",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43490",
                            "    - ksmbd: validate inherited ACE SID length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46174",
                            "    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op",
                            "      cache",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46110",
                            "    - net: stmmac: Prevent NULL deref when RX memory exhausted",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46153",
                            "    - 8021q: delete cleared egress QoS mappings",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46169",
                            "    - hfsplus: fix uninit-value by validating catalog record size",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46188",
                            "    - octeon_ep_vf: add NULL check for napi_build_skb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45837",
                            "    - bpf: Fix use-after-free in arena_vm_close on fork",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46156",
                            "    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46147",
                            "    - KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46175",
                            "    - f2fs: fix fsck inconsistency caused by FGGC of node block",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46194",
                            "    - f2fs: fix node_cnt race between extent node destroy and writeback",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46170",
                            "    - mptcp: pm: ADD_ADDR rtx: free sk if last",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46158",
                            "    - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46168",
                            "    - mptcp: fix scheduling with atomic in timestamp sockopt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46189",
                            "    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46133",
                            "    - RDMA/rxe: Reject unknown opcodes before ICRC processing",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46114",
                            "    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46127",
                            "    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46176",
                            "    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46178",
                            "    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46181",
                            "    - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46145",
                            "    - RDMA/mana: Validate rx_hash_key_len",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46117",
                            "    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46126",
                            "    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46144",
                            "    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46141",
                            "    - powerpc/xive: fix kmemleak caused by incorrect chip_data lookup",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46183",
                            "    - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46121",
                            "    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46131",
                            "    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46139",
                            "    - smb: client: use kzalloc to zero-initialize security descriptor buffer",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46105",
                            "    - scsi: mpt3sas: Limit NVMe request size to 2 MiB",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46171",
                            "    - riscv: kvm: fix vector context allocation leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46112",
                            "    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46165",
                            "    - openvswitch: vport: fix self-deadlock on release of tunnel ports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46161",
                            "    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43492",
                            "    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46124",
                            "    - isofs: validate block number from NFS file handle in isofs_export_iget",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46130",
                            "    - dm-verity-fec: fix reading parity bytes split across blocks (take 3)",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46106",
                            "    - eventfs: Hold eventfs_mutex and SRCU when remount walks events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46107",
                            "    - dm-thin: fix metadata refcount underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46160",
                            "    - btrfs: fix missing last_unlink_trans update when removing a directory",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46164",
                            "    - btrfs: fix double free in create_space_info_sub_group() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46129",
                            "    - btrfs: fix double free in create_space_info() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46159",
                            "    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to",
                            "      info-leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46143",
                            "    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46148",
                            "    - spi: microchip-core-qspi: control built-in cs manually",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46192",
                            "    - spi: microchip-core-qspi: don't attempt to transmit during emulated",
                            "      read-only dual/quad operations",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46162",
                            "    - ice: fix double free in ice_sf_eth_activate() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46273",
                            "    - ibmveth: Disable GSO for packets with small MSS",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46191",
                            "    - fbcon: Avoid OOB font access if console rotation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46134",
                            "    - platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43495",
                            "    - net: wwan: t7xx: validate port_count against message length in",
                            "      t7xx_port_enum_msg_handler",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43502",
                            "    - net/rds: handle zerocopy send cleanup before the message is queued",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46120",
                            "    - ip6_gre: Use cached t->net in ip6erspan_changelink().",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46142",
                            "    - net: libwx: fix VF illegal register access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46118",
                            "    - pseries/papr-hvpipe: Fix null ptr deref in",
                            "      papr_hvpipe_dev_create_handle()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46182",
                            "    - pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46184",
                            "    - sound: ua101: fix division by zero at probe",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43498",
                            "    - accel/ivpu: Disallow re-exporting imported GEM objects",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46132",
                            "    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in",
                            "      rtnl_fill_vfinfo",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46190",
                            "    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46150",
                            "    - fanotify: fix false positive on permission events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45836",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45834",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45835",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46138",
                            "    - Bluetooth: hci_event: Fix OOB read and infinite loop in",
                            "      hci_le_create_big_complete_evt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46111",
                            "    - Bluetooth: hci_conn: fix potential UAF in create_big_sync",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46140",
                            "    - Bluetooth: btmtk: validate WMT event SKB length before struct access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46186",
                            "    - Bluetooth: virtio_bt: validate rx pkt_type header length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46123",
                            "    - Bluetooth: virtio_bt: clamp rx length before skb_put",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46104",
                            "    - selinux: use sk blob accessor in socket permission helpers",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46193",
                            "    - xfrm: ah: account for ESN high bits in async callbacks",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46172",
                            "    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46116",
                            "    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46154",
                            "    - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46157",
                            "    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46109",
                            "    - usb: ulpi: fix memory leak on ulpi_register() error paths",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46146",
                            "    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46167",
                            "    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46151",
                            "    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46180",
                            "    - wifi: brcmfmac: Fix potential use-after-free issue when stopping",
                            "      watchdog task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46122",
                            "    - wifi: b43: enforce bounds check on firmware key index in b43_rx()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46125",
                            "    - wifi: mac80211: remove station if connection prep fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46166",
                            "    - wifi: mac80211: use safe list iteration in radar detect work",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46187",
                            "    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46152",
                            "    - wifi: mac80211: drop stray 'static' from fast-RX rx_result",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46163",
                            "    - wifi: b43legacy: enforce bounds check on firmware key index in RX path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46136",
                            "    - wifi: mt76: mt7921: fix a potential clc buffer length underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46173",
                            "    - exit: prevent preemption of oopsing TASK_DEAD task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43496",
                            "    - net/sched: sch_red: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46113",
                            "    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46179",
                            "    - ASoC: SOF: Don't allow pointer operations on unconfigured streams",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46196",
                            "    - tracepoint: balance regfunc() on func_add() failure in",
                            "      tracepoint_add_func()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43497",
                            "    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46108",
                            "    - ipmi:si: Return state to normal if message allocation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46128",
                            "    - ipmi: Check event message buffer response for bad data",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46177",
                            "    - ipmi: Add limits to event and receive message requests",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46149",
                            "    - scsi: target: configfs: Bound snprintf() return in",
                            "      tg_pt_gp_members_show()",
                            "",
                            "  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,",
                            "    conflicting with nouveau (LP: #2150845)",
                            "    - [Config] Disable NOVA_CORE",
                            "",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "",
                            "  * CVE-2026-46137",
                            "    - mptcp: pm: ADD_ADDR rtx: allow ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: fix potential data-race",
                            "",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "",
                            "  * CVE-2026-46155",
                            "    - smb/client: fix out-of-bounds read in smb2_compound_op()",
                            "",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157520,
                            2154418,
                            2155837,
                            2154174,
                            2154748,
                            2156559,
                            2156556,
                            2150640,
                            2156312,
                            2155096,
                            2154715,
                            2153159,
                            2150071,
                            2154343,
                            2149770,
                            2153155,
                            2152570,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156390,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2150845
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 02:37:29 +0300"
                    }
                ],
                "notes": "linux-headers-7.0.0-28 version '7.0.0-28.28' (source package linux version '7.0.0-28.28') was added. linux-headers-7.0.0-28 version '7.0.0-28.28' has the same source package name, linux, as removed package linux-headers-7.0.0-27. As such we can use the source package version of the removed package, '7.0.0-27.27', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-7.0.0-28-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46318",
                        "url": "https://ubuntu.com/security/CVE-2026-46318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46322",
                        "url": "https://ubuntu.com/security/CVE-2026-46322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46320",
                        "url": "https://ubuntu.com/security/CVE-2026-46320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46321",
                        "url": "https://ubuntu.com/security/CVE-2026-46321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46316",
                        "url": "https://ubuntu.com/security/CVE-2026-46316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46317",
                        "url": "https://ubuntu.com/security/CVE-2026-46317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45846",
                        "url": "https://ubuntu.com/security/CVE-2026-45846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45845",
                        "url": "https://ubuntu.com/security/CVE-2026-45845",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45844",
                        "url": "https://ubuntu.com/security/CVE-2026-45844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46242",
                        "url": "https://ubuntu.com/security/CVE-2026-46242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-30 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45843",
                        "url": "https://ubuntu.com/security/CVE-2026-45843",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45842",
                        "url": "https://ubuntu.com/security/CVE-2026-45842",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45841",
                        "url": "https://ubuntu.com/security/CVE-2026-45841",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45840",
                        "url": "https://ubuntu.com/security/CVE-2026-45840",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45839",
                        "url": "https://ubuntu.com/security/CVE-2026-45839",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45838",
                        "url": "https://ubuntu.com/security/CVE-2026-45838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46214",
                        "url": "https://ubuntu.com/security/CVE-2026-46214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46207",
                        "url": "https://ubuntu.com/security/CVE-2026-46207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46234",
                        "url": "https://ubuntu.com/security/CVE-2026-46234",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46223",
                        "url": "https://ubuntu.com/security/CVE-2026-46223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46221",
                        "url": "https://ubuntu.com/security/CVE-2026-46221",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46231",
                        "url": "https://ubuntu.com/security/CVE-2026-46231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46233",
                        "url": "https://ubuntu.com/security/CVE-2026-46233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46212",
                        "url": "https://ubuntu.com/security/CVE-2026-46212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46238",
                        "url": "https://ubuntu.com/security/CVE-2026-46238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46208",
                        "url": "https://ubuntu.com/security/CVE-2026-46208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46206",
                        "url": "https://ubuntu.com/security/CVE-2026-46206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46198",
                        "url": "https://ubuntu.com/security/CVE-2026-46198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46227",
                        "url": "https://ubuntu.com/security/CVE-2026-46227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46220",
                        "url": "https://ubuntu.com/security/CVE-2026-46220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46215",
                        "url": "https://ubuntu.com/security/CVE-2026-46215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46201",
                        "url": "https://ubuntu.com/security/CVE-2026-46201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46224",
                        "url": "https://ubuntu.com/security/CVE-2026-46224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46197",
                        "url": "https://ubuntu.com/security/CVE-2026-46197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46209",
                        "url": "https://ubuntu.com/security/CVE-2026-46209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46230",
                        "url": "https://ubuntu.com/security/CVE-2026-46230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46199",
                        "url": "https://ubuntu.com/security/CVE-2026-46199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46204",
                        "url": "https://ubuntu.com/security/CVE-2026-46204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46218",
                        "url": "https://ubuntu.com/security/CVE-2026-46218",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46229",
                        "url": "https://ubuntu.com/security/CVE-2026-46229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46211",
                        "url": "https://ubuntu.com/security/CVE-2026-46211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46203",
                        "url": "https://ubuntu.com/security/CVE-2026-46203",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46219",
                        "url": "https://ubuntu.com/security/CVE-2026-46219",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46200",
                        "url": "https://ubuntu.com/security/CVE-2026-46200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46241",
                        "url": "https://ubuntu.com/security/CVE-2026-46241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46225",
                        "url": "https://ubuntu.com/security/CVE-2026-46225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46226",
                        "url": "https://ubuntu.com/security/CVE-2026-46226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46228",
                        "url": "https://ubuntu.com/security/CVE-2026-46228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46216",
                        "url": "https://ubuntu.com/security/CVE-2026-46216",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46210",
                        "url": "https://ubuntu.com/security/CVE-2026-46210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46240",
                        "url": "https://ubuntu.com/security/CVE-2026-46240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46235",
                        "url": "https://ubuntu.com/security/CVE-2026-46235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46222",
                        "url": "https://ubuntu.com/security/CVE-2026-46222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46239",
                        "url": "https://ubuntu.com/security/CVE-2026-46239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46236",
                        "url": "https://ubuntu.com/security/CVE-2026-46236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46205",
                        "url": "https://ubuntu.com/security/CVE-2026-46205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46202",
                        "url": "https://ubuntu.com/security/CVE-2026-46202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46213",
                        "url": "https://ubuntu.com/security/CVE-2026-46213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46232",
                        "url": "https://ubuntu.com/security/CVE-2026-46232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43490",
                        "url": "https://ubuntu.com/security/CVE-2026-43490",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 06:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46174",
                        "url": "https://ubuntu.com/security/CVE-2026-46174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46110",
                        "url": "https://ubuntu.com/security/CVE-2026-46110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46153",
                        "url": "https://ubuntu.com/security/CVE-2026-46153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46169",
                        "url": "https://ubuntu.com/security/CVE-2026-46169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46188",
                        "url": "https://ubuntu.com/security/CVE-2026-46188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45837",
                        "url": "https://ubuntu.com/security/CVE-2026-45837",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46156",
                        "url": "https://ubuntu.com/security/CVE-2026-46156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46147",
                        "url": "https://ubuntu.com/security/CVE-2026-46147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46175",
                        "url": "https://ubuntu.com/security/CVE-2026-46175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46194",
                        "url": "https://ubuntu.com/security/CVE-2026-46194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46170",
                        "url": "https://ubuntu.com/security/CVE-2026-46170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46158",
                        "url": "https://ubuntu.com/security/CVE-2026-46158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46168",
                        "url": "https://ubuntu.com/security/CVE-2026-46168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46189",
                        "url": "https://ubuntu.com/security/CVE-2026-46189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46133",
                        "url": "https://ubuntu.com/security/CVE-2026-46133",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46114",
                        "url": "https://ubuntu.com/security/CVE-2026-46114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46127",
                        "url": "https://ubuntu.com/security/CVE-2026-46127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46176",
                        "url": "https://ubuntu.com/security/CVE-2026-46176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46178",
                        "url": "https://ubuntu.com/security/CVE-2026-46178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46181",
                        "url": "https://ubuntu.com/security/CVE-2026-46181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46145",
                        "url": "https://ubuntu.com/security/CVE-2026-46145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46117",
                        "url": "https://ubuntu.com/security/CVE-2026-46117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46126",
                        "url": "https://ubuntu.com/security/CVE-2026-46126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46144",
                        "url": "https://ubuntu.com/security/CVE-2026-46144",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46141",
                        "url": "https://ubuntu.com/security/CVE-2026-46141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46183",
                        "url": "https://ubuntu.com/security/CVE-2026-46183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46121",
                        "url": "https://ubuntu.com/security/CVE-2026-46121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46131",
                        "url": "https://ubuntu.com/security/CVE-2026-46131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46139",
                        "url": "https://ubuntu.com/security/CVE-2026-46139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46105",
                        "url": "https://ubuntu.com/security/CVE-2026-46105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46171",
                        "url": "https://ubuntu.com/security/CVE-2026-46171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46112",
                        "url": "https://ubuntu.com/security/CVE-2026-46112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46165",
                        "url": "https://ubuntu.com/security/CVE-2026-46165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46161",
                        "url": "https://ubuntu.com/security/CVE-2026-46161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43492",
                        "url": "https://ubuntu.com/security/CVE-2026-43492",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46124",
                        "url": "https://ubuntu.com/security/CVE-2026-46124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46130",
                        "url": "https://ubuntu.com/security/CVE-2026-46130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46106",
                        "url": "https://ubuntu.com/security/CVE-2026-46106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46107",
                        "url": "https://ubuntu.com/security/CVE-2026-46107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46160",
                        "url": "https://ubuntu.com/security/CVE-2026-46160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46164",
                        "url": "https://ubuntu.com/security/CVE-2026-46164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46129",
                        "url": "https://ubuntu.com/security/CVE-2026-46129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46159",
                        "url": "https://ubuntu.com/security/CVE-2026-46159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46143",
                        "url": "https://ubuntu.com/security/CVE-2026-46143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46148",
                        "url": "https://ubuntu.com/security/CVE-2026-46148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46192",
                        "url": "https://ubuntu.com/security/CVE-2026-46192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46162",
                        "url": "https://ubuntu.com/security/CVE-2026-46162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46273",
                        "url": "https://ubuntu.com/security/CVE-2026-46273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46191",
                        "url": "https://ubuntu.com/security/CVE-2026-46191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46134",
                        "url": "https://ubuntu.com/security/CVE-2026-46134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43495",
                        "url": "https://ubuntu.com/security/CVE-2026-43495",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43502",
                        "url": "https://ubuntu.com/security/CVE-2026-43502",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46120",
                        "url": "https://ubuntu.com/security/CVE-2026-46120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46142",
                        "url": "https://ubuntu.com/security/CVE-2026-46142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46118",
                        "url": "https://ubuntu.com/security/CVE-2026-46118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46182",
                        "url": "https://ubuntu.com/security/CVE-2026-46182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46184",
                        "url": "https://ubuntu.com/security/CVE-2026-46184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43498",
                        "url": "https://ubuntu.com/security/CVE-2026-43498",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46132",
                        "url": "https://ubuntu.com/security/CVE-2026-46132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46190",
                        "url": "https://ubuntu.com/security/CVE-2026-46190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46150",
                        "url": "https://ubuntu.com/security/CVE-2026-46150",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45836",
                        "url": "https://ubuntu.com/security/CVE-2026-45836",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45834",
                        "url": "https://ubuntu.com/security/CVE-2026-45834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45835",
                        "url": "https://ubuntu.com/security/CVE-2026-45835",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46138",
                        "url": "https://ubuntu.com/security/CVE-2026-46138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46111",
                        "url": "https://ubuntu.com/security/CVE-2026-46111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46140",
                        "url": "https://ubuntu.com/security/CVE-2026-46140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46186",
                        "url": "https://ubuntu.com/security/CVE-2026-46186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46123",
                        "url": "https://ubuntu.com/security/CVE-2026-46123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46104",
                        "url": "https://ubuntu.com/security/CVE-2026-46104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46193",
                        "url": "https://ubuntu.com/security/CVE-2026-46193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46172",
                        "url": "https://ubuntu.com/security/CVE-2026-46172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46116",
                        "url": "https://ubuntu.com/security/CVE-2026-46116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46154",
                        "url": "https://ubuntu.com/security/CVE-2026-46154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46157",
                        "url": "https://ubuntu.com/security/CVE-2026-46157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46109",
                        "url": "https://ubuntu.com/security/CVE-2026-46109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46146",
                        "url": "https://ubuntu.com/security/CVE-2026-46146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46167",
                        "url": "https://ubuntu.com/security/CVE-2026-46167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46151",
                        "url": "https://ubuntu.com/security/CVE-2026-46151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46180",
                        "url": "https://ubuntu.com/security/CVE-2026-46180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46122",
                        "url": "https://ubuntu.com/security/CVE-2026-46122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46125",
                        "url": "https://ubuntu.com/security/CVE-2026-46125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46166",
                        "url": "https://ubuntu.com/security/CVE-2026-46166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46187",
                        "url": "https://ubuntu.com/security/CVE-2026-46187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46152",
                        "url": "https://ubuntu.com/security/CVE-2026-46152",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46163",
                        "url": "https://ubuntu.com/security/CVE-2026-46163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46136",
                        "url": "https://ubuntu.com/security/CVE-2026-46136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46173",
                        "url": "https://ubuntu.com/security/CVE-2026-46173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43496",
                        "url": "https://ubuntu.com/security/CVE-2026-43496",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46113",
                        "url": "https://ubuntu.com/security/CVE-2026-46113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46179",
                        "url": "https://ubuntu.com/security/CVE-2026-46179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46196",
                        "url": "https://ubuntu.com/security/CVE-2026-46196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43497",
                        "url": "https://ubuntu.com/security/CVE-2026-43497",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46108",
                        "url": "https://ubuntu.com/security/CVE-2026-46108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46128",
                        "url": "https://ubuntu.com/security/CVE-2026-46128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46177",
                        "url": "https://ubuntu.com/security/CVE-2026-46177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46149",
                        "url": "https://ubuntu.com/security/CVE-2026-46149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46137",
                        "url": "https://ubuntu.com/security/CVE-2026-46137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46155",
                        "url": "https://ubuntu.com/security/CVE-2026-46155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2157520,
                    2154418,
                    2155837,
                    2154174,
                    2154748,
                    2156559,
                    2156556,
                    2150640,
                    2156312,
                    2155096,
                    2154715,
                    2153159,
                    2150071,
                    2154343,
                    2149770,
                    2153155,
                    2152570,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156390,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2150845
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46318",
                                "url": "https://ubuntu.com/security/CVE-2026-46318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46322",
                                "url": "https://ubuntu.com/security/CVE-2026-46322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46320",
                                "url": "https://ubuntu.com/security/CVE-2026-46320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46321",
                                "url": "https://ubuntu.com/security/CVE-2026-46321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46316",
                                "url": "https://ubuntu.com/security/CVE-2026-46316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46317",
                                "url": "https://ubuntu.com/security/CVE-2026-46317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45846",
                                "url": "https://ubuntu.com/security/CVE-2026-45846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45845",
                                "url": "https://ubuntu.com/security/CVE-2026-45845",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45844",
                                "url": "https://ubuntu.com/security/CVE-2026-45844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46242",
                                "url": "https://ubuntu.com/security/CVE-2026-46242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-30 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45843",
                                "url": "https://ubuntu.com/security/CVE-2026-45843",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45842",
                                "url": "https://ubuntu.com/security/CVE-2026-45842",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45841",
                                "url": "https://ubuntu.com/security/CVE-2026-45841",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45840",
                                "url": "https://ubuntu.com/security/CVE-2026-45840",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45839",
                                "url": "https://ubuntu.com/security/CVE-2026-45839",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45838",
                                "url": "https://ubuntu.com/security/CVE-2026-45838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46214",
                                "url": "https://ubuntu.com/security/CVE-2026-46214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46207",
                                "url": "https://ubuntu.com/security/CVE-2026-46207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46234",
                                "url": "https://ubuntu.com/security/CVE-2026-46234",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46223",
                                "url": "https://ubuntu.com/security/CVE-2026-46223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46221",
                                "url": "https://ubuntu.com/security/CVE-2026-46221",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46231",
                                "url": "https://ubuntu.com/security/CVE-2026-46231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46233",
                                "url": "https://ubuntu.com/security/CVE-2026-46233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46212",
                                "url": "https://ubuntu.com/security/CVE-2026-46212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46238",
                                "url": "https://ubuntu.com/security/CVE-2026-46238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46208",
                                "url": "https://ubuntu.com/security/CVE-2026-46208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46206",
                                "url": "https://ubuntu.com/security/CVE-2026-46206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46198",
                                "url": "https://ubuntu.com/security/CVE-2026-46198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46227",
                                "url": "https://ubuntu.com/security/CVE-2026-46227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46220",
                                "url": "https://ubuntu.com/security/CVE-2026-46220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46215",
                                "url": "https://ubuntu.com/security/CVE-2026-46215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46201",
                                "url": "https://ubuntu.com/security/CVE-2026-46201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46224",
                                "url": "https://ubuntu.com/security/CVE-2026-46224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46197",
                                "url": "https://ubuntu.com/security/CVE-2026-46197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46209",
                                "url": "https://ubuntu.com/security/CVE-2026-46209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46230",
                                "url": "https://ubuntu.com/security/CVE-2026-46230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46199",
                                "url": "https://ubuntu.com/security/CVE-2026-46199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46204",
                                "url": "https://ubuntu.com/security/CVE-2026-46204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46218",
                                "url": "https://ubuntu.com/security/CVE-2026-46218",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46229",
                                "url": "https://ubuntu.com/security/CVE-2026-46229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46211",
                                "url": "https://ubuntu.com/security/CVE-2026-46211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46203",
                                "url": "https://ubuntu.com/security/CVE-2026-46203",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46219",
                                "url": "https://ubuntu.com/security/CVE-2026-46219",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46200",
                                "url": "https://ubuntu.com/security/CVE-2026-46200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46241",
                                "url": "https://ubuntu.com/security/CVE-2026-46241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46225",
                                "url": "https://ubuntu.com/security/CVE-2026-46225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46226",
                                "url": "https://ubuntu.com/security/CVE-2026-46226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46228",
                                "url": "https://ubuntu.com/security/CVE-2026-46228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46216",
                                "url": "https://ubuntu.com/security/CVE-2026-46216",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46210",
                                "url": "https://ubuntu.com/security/CVE-2026-46210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46240",
                                "url": "https://ubuntu.com/security/CVE-2026-46240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46235",
                                "url": "https://ubuntu.com/security/CVE-2026-46235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46222",
                                "url": "https://ubuntu.com/security/CVE-2026-46222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46239",
                                "url": "https://ubuntu.com/security/CVE-2026-46239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46236",
                                "url": "https://ubuntu.com/security/CVE-2026-46236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46205",
                                "url": "https://ubuntu.com/security/CVE-2026-46205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46202",
                                "url": "https://ubuntu.com/security/CVE-2026-46202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46213",
                                "url": "https://ubuntu.com/security/CVE-2026-46213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46232",
                                "url": "https://ubuntu.com/security/CVE-2026-46232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43490",
                                "url": "https://ubuntu.com/security/CVE-2026-43490",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 06:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46174",
                                "url": "https://ubuntu.com/security/CVE-2026-46174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46110",
                                "url": "https://ubuntu.com/security/CVE-2026-46110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46153",
                                "url": "https://ubuntu.com/security/CVE-2026-46153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46169",
                                "url": "https://ubuntu.com/security/CVE-2026-46169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46188",
                                "url": "https://ubuntu.com/security/CVE-2026-46188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45837",
                                "url": "https://ubuntu.com/security/CVE-2026-45837",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46156",
                                "url": "https://ubuntu.com/security/CVE-2026-46156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46147",
                                "url": "https://ubuntu.com/security/CVE-2026-46147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46175",
                                "url": "https://ubuntu.com/security/CVE-2026-46175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46194",
                                "url": "https://ubuntu.com/security/CVE-2026-46194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46170",
                                "url": "https://ubuntu.com/security/CVE-2026-46170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46158",
                                "url": "https://ubuntu.com/security/CVE-2026-46158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46168",
                                "url": "https://ubuntu.com/security/CVE-2026-46168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46189",
                                "url": "https://ubuntu.com/security/CVE-2026-46189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46133",
                                "url": "https://ubuntu.com/security/CVE-2026-46133",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46114",
                                "url": "https://ubuntu.com/security/CVE-2026-46114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46127",
                                "url": "https://ubuntu.com/security/CVE-2026-46127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46176",
                                "url": "https://ubuntu.com/security/CVE-2026-46176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46178",
                                "url": "https://ubuntu.com/security/CVE-2026-46178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46181",
                                "url": "https://ubuntu.com/security/CVE-2026-46181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46145",
                                "url": "https://ubuntu.com/security/CVE-2026-46145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46117",
                                "url": "https://ubuntu.com/security/CVE-2026-46117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46126",
                                "url": "https://ubuntu.com/security/CVE-2026-46126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46144",
                                "url": "https://ubuntu.com/security/CVE-2026-46144",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46141",
                                "url": "https://ubuntu.com/security/CVE-2026-46141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46183",
                                "url": "https://ubuntu.com/security/CVE-2026-46183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46121",
                                "url": "https://ubuntu.com/security/CVE-2026-46121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46131",
                                "url": "https://ubuntu.com/security/CVE-2026-46131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46139",
                                "url": "https://ubuntu.com/security/CVE-2026-46139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46105",
                                "url": "https://ubuntu.com/security/CVE-2026-46105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46171",
                                "url": "https://ubuntu.com/security/CVE-2026-46171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46112",
                                "url": "https://ubuntu.com/security/CVE-2026-46112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46165",
                                "url": "https://ubuntu.com/security/CVE-2026-46165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46161",
                                "url": "https://ubuntu.com/security/CVE-2026-46161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43492",
                                "url": "https://ubuntu.com/security/CVE-2026-43492",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46124",
                                "url": "https://ubuntu.com/security/CVE-2026-46124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46130",
                                "url": "https://ubuntu.com/security/CVE-2026-46130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46106",
                                "url": "https://ubuntu.com/security/CVE-2026-46106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46107",
                                "url": "https://ubuntu.com/security/CVE-2026-46107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46160",
                                "url": "https://ubuntu.com/security/CVE-2026-46160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46164",
                                "url": "https://ubuntu.com/security/CVE-2026-46164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46129",
                                "url": "https://ubuntu.com/security/CVE-2026-46129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46159",
                                "url": "https://ubuntu.com/security/CVE-2026-46159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46143",
                                "url": "https://ubuntu.com/security/CVE-2026-46143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46148",
                                "url": "https://ubuntu.com/security/CVE-2026-46148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46192",
                                "url": "https://ubuntu.com/security/CVE-2026-46192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46162",
                                "url": "https://ubuntu.com/security/CVE-2026-46162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46273",
                                "url": "https://ubuntu.com/security/CVE-2026-46273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46191",
                                "url": "https://ubuntu.com/security/CVE-2026-46191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46134",
                                "url": "https://ubuntu.com/security/CVE-2026-46134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43495",
                                "url": "https://ubuntu.com/security/CVE-2026-43495",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43502",
                                "url": "https://ubuntu.com/security/CVE-2026-43502",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46120",
                                "url": "https://ubuntu.com/security/CVE-2026-46120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46142",
                                "url": "https://ubuntu.com/security/CVE-2026-46142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46118",
                                "url": "https://ubuntu.com/security/CVE-2026-46118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46182",
                                "url": "https://ubuntu.com/security/CVE-2026-46182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46184",
                                "url": "https://ubuntu.com/security/CVE-2026-46184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43498",
                                "url": "https://ubuntu.com/security/CVE-2026-43498",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46132",
                                "url": "https://ubuntu.com/security/CVE-2026-46132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46190",
                                "url": "https://ubuntu.com/security/CVE-2026-46190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46150",
                                "url": "https://ubuntu.com/security/CVE-2026-46150",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45836",
                                "url": "https://ubuntu.com/security/CVE-2026-45836",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45834",
                                "url": "https://ubuntu.com/security/CVE-2026-45834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45835",
                                "url": "https://ubuntu.com/security/CVE-2026-45835",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46138",
                                "url": "https://ubuntu.com/security/CVE-2026-46138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46111",
                                "url": "https://ubuntu.com/security/CVE-2026-46111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46140",
                                "url": "https://ubuntu.com/security/CVE-2026-46140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46186",
                                "url": "https://ubuntu.com/security/CVE-2026-46186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46123",
                                "url": "https://ubuntu.com/security/CVE-2026-46123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46104",
                                "url": "https://ubuntu.com/security/CVE-2026-46104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46193",
                                "url": "https://ubuntu.com/security/CVE-2026-46193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46172",
                                "url": "https://ubuntu.com/security/CVE-2026-46172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46116",
                                "url": "https://ubuntu.com/security/CVE-2026-46116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46154",
                                "url": "https://ubuntu.com/security/CVE-2026-46154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46157",
                                "url": "https://ubuntu.com/security/CVE-2026-46157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46109",
                                "url": "https://ubuntu.com/security/CVE-2026-46109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46146",
                                "url": "https://ubuntu.com/security/CVE-2026-46146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46167",
                                "url": "https://ubuntu.com/security/CVE-2026-46167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46151",
                                "url": "https://ubuntu.com/security/CVE-2026-46151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46180",
                                "url": "https://ubuntu.com/security/CVE-2026-46180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46122",
                                "url": "https://ubuntu.com/security/CVE-2026-46122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46125",
                                "url": "https://ubuntu.com/security/CVE-2026-46125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46166",
                                "url": "https://ubuntu.com/security/CVE-2026-46166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46187",
                                "url": "https://ubuntu.com/security/CVE-2026-46187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46152",
                                "url": "https://ubuntu.com/security/CVE-2026-46152",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46163",
                                "url": "https://ubuntu.com/security/CVE-2026-46163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46136",
                                "url": "https://ubuntu.com/security/CVE-2026-46136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46173",
                                "url": "https://ubuntu.com/security/CVE-2026-46173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43496",
                                "url": "https://ubuntu.com/security/CVE-2026-43496",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46113",
                                "url": "https://ubuntu.com/security/CVE-2026-46113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46179",
                                "url": "https://ubuntu.com/security/CVE-2026-46179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46196",
                                "url": "https://ubuntu.com/security/CVE-2026-46196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43497",
                                "url": "https://ubuntu.com/security/CVE-2026-43497",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46108",
                                "url": "https://ubuntu.com/security/CVE-2026-46108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46128",
                                "url": "https://ubuntu.com/security/CVE-2026-46128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46177",
                                "url": "https://ubuntu.com/security/CVE-2026-46177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46149",
                                "url": "https://ubuntu.com/security/CVE-2026-46149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46137",
                                "url": "https://ubuntu.com/security/CVE-2026-46137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46155",
                                "url": "https://ubuntu.com/security/CVE-2026-46155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-28.28 -proposed tracker (LP: #2157520)",
                            "",
                            "  * Backport ASoC SDCA, AMD SoundWire, and RT722 audio fixes (LP: #2154418)",
                            "    - ASoC: amd: acp-sdw-legacy: rename the dmic component name",
                            "    - SAUCE: ASoC: rt722-sdca: add FU06 Playback Switch for speaker mute",
                            "      control",
                            "",
                            "  * MIPI camera of a BBG809N3A_B sensor SKU of the DELL Pro 14 Premium PA14260",
                            "    renders upside-down (LP: #2155837)",
                            "    - SAUCE: media: ipu-bridge: correct platform handling for DELL Pro 14",
                            "      Premium PA14260",
                            "",
                            "  * resolute ubuntu_kernel_selftests:seccomp_build test compilation issue",
                            "    (LP: #2154174)",
                            "    - SAUCE: selftests/seccomp fix compilation issue for amd64",
                            "",
                            "  * [Ubuntu 26.04] Severe Performance Degradation on kernel 7.0.0-15",
                            "    (LP: #2154748)",
                            "    - s390: Remove GENERIC_LOCKBREAK Kconfig option",
                            "    - UBUNTU [Config]: Remove GENERIC_LOCKBREAK in s390x",
                            "",
                            "  * Fix no sound output device on Dell GhostRider PTL no camera SKU",
                            "    (LP: #2156559)",
                            "    - ASoC: Intel: sof_sdw: append dai type to dai link name unconditionally",
                            "",
                            "  * Fix no audio from right built-in speaker on HP ZBook with TAS2781",
                            "    amplifier (LP: #2156556)",
                            "    - ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block",
                            "      data processing",
                            "",
                            "  * Installer fails internally with a RSync error due to page fault",
                            "    (LP: #2150640)",
                            "    - ovl: keep err zero after successful ovl_cache_get()",
                            "",
                            "  * Internal display black screen on Intel Lunar Lake with eDP panel",
                            "    (LP: #2156312)",
                            "    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG",
                            "",
                            "  * Thunderbolt DP tunnel torn down during boot with LUKS Full Disk Encryption",
                            "    (LP: #2155096)",
                            "    - SAUCE: thunderbolt: Defer DP tunnel teardown until display driver is",
                            "      ready",
                            "",
                            "  * watchdog: lenovo_se10_wdt: Add SE10 Gen 2 support (LP: #2154715)",
                            "    - watchdog: lenovo_se10_wdt: Add support for SE10 Gen 2 platform",
                            "    - watchdog: lenovo_se10_wdt: Fix use-after-free and resource leak risk",
                            "",
                            "  * [Ubuntu 26.04] KVM: IBM Test Accelerator for Z (TAZ) not working properly",
                            "    (LP: #2153159)",
                            "    - KVM: s390: only deliver service interrupt with payload",
                            "    - KVM: s390: vsie: Allow non-zarch guests",
                            "    - KVM: s390: vsie: Disable some bits when in ESA mode",
                            "    - KVM: s390: vsie: Accommodate ESA prefix pages",
                            "    - KVM: s390: Add KVM capability for ESA mode guests",
                            "",
                            "  * ubuntu_bpf failed to build on Resolute (error: expected ‘:’, ‘,’, ‘;’, ‘}’",
                            "    or ‘__attribute__’ before ‘__counted_by’) (LP: #2150071)",
                            "    - tools/headers: Regenerate stddef.h to fix BPF selftests",
                            "",
                            "  * ubuntu_bpf: FTBFS with clang 23 / gcc 15 (LP: #2154343)",
                            "    - selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c",
                            "",
                            "  * ALSA: hda/tas2781 Audio Fix for the front-right speacker (LP: #2149770)",
                            "    - ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device",
                            "",
                            "  * Fix bad audio record quality when volume above 50% on Framework PTL",
                            "    (LP: #2153155)",
                            "    - ALSA: hda/realtek: fix mic boost on Framework PTL",
                            "",
                            "  * Patchset for TUXEDO devices (LP: #2152570)",
                            "    - drm/i915/vbt: Add edp pipe joiner enable/disable bits",
                            "    - drm/i915/dp: Avoid joiner for eDP if not enabled in VBT",
                            "    - drm/amd/display: Add Idle state manager(ISM)",
                            "    - drm/i915/backlight: Remove try_vesa_interface",
                            "    - drm/i915/backlight: Use intel_panel variable instead of intel_connector",
                            "    - drm/i915/backlight: Take luminance_set into account for VESA backlight",
                            "    - drm/i915/backlight: Check luminance_set when disabling PWM via AUX VESA",
                            "      backlight",
                            "    - drm/i915/backlight: Short circuit intel_dp_aux_supports_hdr_backlight",
                            "    - drm/i915/backlight: Update debug log during backlight setup",
                            "    - drm/i915/backlight: Check if VESA backlight is possible",
                            "    - drm/i915/backlight: Provide clear description on how backlight level is",
                            "      controlled",
                            "    - drm/i915/backlight: Fix VESA backlight possible check condition",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636)",
                            "    - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size",
                            "    - ACPI: button: Fix ACPI GPE handler leak during removal",
                            "    - ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time",
                            "    - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit",
                            "    - net/sched: sch_sfb: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "    - bcache: fix uninitialized closure object",
                            "    - nfc: llcp: Fix use-after-free in llcp_sock_release()",
                            "    - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()",
                            "    - xfrm: Check for underflow in xfrm_state_mtu",
                            "    - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems",
                            "    - tools/bootconfig: Fix buf leaks in apply_xbc",
                            "    - HID: remove duplicate hid_warn_ratelimited definition",
                            "    - kunit: fix use-after-free in debugfs when using kunit.filter",
                            "    - accel/rocket: fix UAF via dangling GEM handle in create_bo",
                            "    - netfilter: synproxy: refresh tcphdr after skb_ensure_writable",
                            "    - netfilter: xt_cpu: prefer raw_smp_processor_id",
                            "    - netfilter: ebtables: fix OOB read in compat_mtw_from_user",
                            "    - netfilter: nf_tables: fix dst corruption in same register operation",
                            "    - vsock: keep poll shutdown state consistent",
                            "    - net: netlink: fix sending unassigned nsid after assigned one",
                            "    - net: netlink: don't set nsid on local notifications",
                            "    - net/smc: Do not re-initialize smc hashtables",
                            "    - net/iucv: fix locking in .getsockopt",
                            "    - scsi: core: Run queues for all non-SDEV_DEL devices from",
                            "      scsi_run_host_queues",
                            "    - scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()",
                            "    - ipv4: free net->ipv4.sysctl_local_reserved_ports after",
                            "      unregister_net_sysctl_table()",
                            "    - ALSA: hda: cs35l56: Fix system name string leaks",
                            "    - ALSA: pcm: oss: Fix setup list UAF on proc write error",
                            "    - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors",
                            "    - net/mlx5: HWS: Reject unsupported remove-header action",
                            "    - net: hsr: fix potential OOB access in supervision frame handling",
                            "    - accel/ivpu: prevent uninitialized data bug in debugfs",
                            "    - gpio: mxc: fix irq_high handling",
                            "    - drm/i915/aux: use polling when irqs are unavailable",
                            "    - net: Avoid checksumming unreadable skb tail on trim",
                            "    - ethtool: rss: avoid modifying the RSS context response",
                            "    - ethtool: rss: add missing errno on RSS context delete",
                            "    - ethtool: rss: fix falsely ignoring indir table updates",
                            "    - ethtool: rss: fix indir_table and hkey leak on get_rxfh failure",
                            "    - ethtool: rss: fix hkey leak when indir_size is 0",
                            "    - ethtool: rss: avoid device context leak on reply-build failure",
                            "    - ethtool: module: call ethnl_ops_complete() on module flash errors",
                            "    - ethtool: module: avoid leaking a netdev ref on module flash errors",
                            "    - ethtool: module: avoid racy updates to dev->ethtool bitfield",
                            "    - ethtool: module: check fw_flash_in_progress under rtnl_lock",
                            "    - ethtool: module: fix cleanup if socket used for flashing multiple",
                            "      devices",
                            "    - ethtool: cmis: require exact CDB reply length",
                            "    - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl",
                            "    - ethtool: cmis: validate start_cmd_payload_size from module",
                            "    - ethtool: cmis: validate fw->size against start_cmd_payload_size",
                            "    - cxl/test: Update mock dev array before calling platform_device_add()",
                            "    - blk-mq: reinsert cached request to the list",
                            "    - tunnels: load network headers after skb_cow() in",
                            "      iptunnel_pmtud_build_icmp[v6]()",
                            "    - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()",
                            "    - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()",
                            "    - ksmbd: fix FSCTL permission bypass by adding a permission check for",
                            "      FSCTL_SET_SPARSE",
                            "    - ASoC: codecs: simple-mux: Fix enum control bounds check",
                            "    - drm/xe: Restore IDLEDLY regiter on engine reset",
                            "    - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()",
                            "    - bonding: refuse to enslave CAN devices",
                            "    - bridge: Fix sleep in atomic context in netlink path",
                            "    - bridge: Fix sleep in atomic context in sysfs path",
                            "    - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES",
                            "    - ethtool: tsconfig: fix reply error handling",
                            "    - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup",
                            "      error",
                            "    - ethtool: pse-pd: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsconfig: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsinfo: fix uninitialized stats on the by-PHC path",
                            "    - ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure",
                            "    - ethtool: strset: fix header attribute index in ethnl_req_get_phydev()",
                            "    - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during",
                            "      fallback",
                            "    - ethtool: eeprom: add more safeties to EEPROM Netlink fallback",
                            "    - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()",
                            "    - net/sched: Revert \"net/sched: Restrict conditions for adding duplicating",
                            "      netems to qdisc tree\"",
                            "    - net/sched: fix packet loop on netem when duplicate is on",
                            "    - net: Introduce skb tc depth field to track packet loops",
                            "    - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop",
                            "    - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack",
                            "      overflow",
                            "    - net/sched: act_mirred: Fix return code in early mirred redirect error",
                            "      paths",
                            "    - net: hibmcge: disable Relaxed Ordering to fix RX packet corruption",
                            "    - net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path",
                            "    - net/handshake: Use spin_lock_bh for hn_lock",
                            "    - nvme-tcp: store negative errno in queue->tls_err",
                            "    - net/handshake: Pass negative errno through handshake_complete()",
                            "    - net/handshake: hand off the pinned file reference to accept_doit",
                            "    - net/handshake: Take a long-lived file reference at submit",
                            "    - net/handshake: Drain pending requests at net namespace exit",
                            "    - dpll: zl3073x: detect DPLL channel count from chip ID at runtime",
                            "    - dpll: zl3073x: add die temperature reporting for supported chips",
                            "    - dpll: export __dpll_device_change_ntf() for use under dpll_lock",
                            "    - dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work",
                            "    - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success",
                            "    - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp",
                            "    - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close",
                            "    - Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()",
                            "    - gpio: adnp: fix flow control regression caused by scoped_guard()",
                            "    - gpio: virtuser: Fix uninitialized data bug in",
                            "      gpio_virtuser_direction_do_write()",
                            "    - gpio: rockchip: convert bank->clk to devm_clk_get_enabled()",
                            "    - gpio: rockchip: teardown bugs and resource leaks",
                            "    - net: mana: Add NULL guards in teardown path to prevent panic on attach",
                            "      failure",
                            "    - net: mana: Skip redundant detach on already-detached port",
                            "    - sctp: fix race between sctp_wait_for_connect and peeloff",
                            "    - net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration",
                            "    - vsock/virtio: bind uarg before filling zerocopy skb",
                            "    - ipv6: fix possible infinite loop in rt6_fill_node()",
                            "    - ipv6: fix possible infinite loop in fib6_select_path()",
                            "    - net: skbuff: fix pskb_carve leaking zcopy pages",
                            "    - Revert \"ipv6: preserve insertion order for same-scope addresses\"",
                            "    - Revert \"x86/fpu: Refine and simplify the magic number check during",
                            "      signal return\"",
                            "    - drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register",
                            "    - drm/i915/psr: Read Intel DPCD workaround register",
                            "    - drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used",
                            "    - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer",
                            "    - iio: imu: adis16550: fix stack leak in trigger handler",
                            "    - iio: pressure: bmp280: fix stack leak in bmp580 trigger handler",
                            "    - usb: typec: ucsi: ccg: reject firmware images without a ':' record",
                            "      header",
                            "    - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers",
                            "    - usb: typec: tcpm: bound altmode_desc[] per iteration in",
                            "      svdm_consume_modes()",
                            "    - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload",
                            "      VDO",
                            "    - usb: typec: altmodes/displayport: validate count before reading Status",
                            "      Update VDO",
                            "    - usb: typec: wcove: don't write past struct pd_message in",
                            "      wcove_read_rx_buffer()",
                            "    - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT",
                            "    - usb: typec: ucsi: validate connector number in ucsi_connector_change()",
                            "    - USB: serial: safe_serial: fix memory corruption with small endpoint",
                            "    - media: rc: igorplugusb: fix control request setup packet",
                            "    - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()",
                            "    - USB: serial: cypress_m8: fix memory corruption with small endpoint",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse",
                            "    - Bluetooth: btusb: Allow firmware re-download when version matches",
                            "    - mm/vmalloc: do not trigger BUG() on BH disabled context",
                            "    - hpfs: fix a crash if hpfs_map_dnode_bitmap fails",
                            "    - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()",
                            "    - ipc: limit next_id allocation to the valid ID range",
                            "    - mm: memcontrol: propagate NMI slab stats to memcg vmstats",
                            "    - mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page",
                            "    - memfd: deny writeable mappings when implying SEAL_WRITE",
                            "    - zram: fix use-after-free in zram_writeback_endio",
                            "    - mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one",
                            "    - auxdisplay: line-display: fix OOB read on zero-length message_store()",
                            "    - smb: client: fix uninitialized variable in smb2_writev_callback",
                            "    - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
                            "    - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn",
                            "    - Bluetooth: HIDP: fix missing length checks in hidp_input_report()",
                            "    - Bluetooth: ISO: fix UAF in iso_recv_frame",
                            "    - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock",
                            "    - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()",
                            "    - Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading",
                            "    - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync",
                            "    - Input: xpad - fix out-of-bounds access for Share button",
                            "    - parport: Fix race between port and client registration",
                            "    - rust_binder: Avoid holding lock when dropping delivered_death",
                            "    - rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN",
                            "    - USB: cdc-acm: Fix bit overlap and move quirk definitions to header",
                            "    - KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor",
                            "    - KVM: arm64: PMU: Preserve AArch32 counter low bits",
                            "    - KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC",
                            "    - KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
                            "    - KVM: SEV: Ignore Port I/O requests of length '0'",
                            "    - KVM: SEV: Use the size of the PSC header as the minimum size for PSC",
                            "      requests",
                            "    - KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0",
                            "    - KVM: SEV: Compute the correct max length of the in-GHCB scratch area",
                            "    - KVM: SEV: Check PSC request indices against the actual size of the",
                            "      buffer",
                            "    - KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer",
                            "    - KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()",
                            "    - gpio: shared: undo the vote of the proxy on GPIO free",
                            "    - gpio: shared: fix deadlock on shared proxy's parent removal",
                            "    - gpio: shared: fix lockdep false positive by removing unneeded lock",
                            "    - Disable -Wattribute-alias for clang-23 and newer",
                            "    - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux",
                            "    - iio: adc: npcm: fix unbalanced clk_disable_unprepare()",
                            "    - iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings",
                            "    - iio: dac: max5821: fix return value check in powerdown sync",
                            "    - iio: dac: ad5686: fix ref bit initialization for single-channel parts",
                            "    - iio: dac: ad5686: fix input raw value check",
                            "    - iio: dac: ad5686: acquire lock when doing powerdown control",
                            "    - iio: dac: ad5686: fix powerdown control on dual-channel devices",
                            "    - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp",
                            "    - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw",
                            "    - iio: adc: ad4695: Fix call ordering in offload buffer postenable",
                            "    - iio: adc: nxp-sar-adc: fix division by zero in write_raw",
                            "    - iio: adc: nxp-sar-adc: Avoid division by zero",
                            "    - iio: adc: nxp-sar-adc: zero-initialize dma_slave_config",
                            "    - iio: gyro: itg3200: fix i2c read into the wrong stack location",
                            "    - iio: gyro: adis16260: fix division by zero in write_raw",
                            "    - iio: ssp_sensors: cancel delayed work_refresh on remove",
                            "    - iio: temperature: tsys01: fix broken PROM checksum validation",
                            "    - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL",
                            "    - iio: light: veml6070: Fix resource leak in probe error path",
                            "    - iio: Fix iio_multiply_value use in iio_read_channel_processed_scale",
                            "    - iio: chemical: mhz19b: reject oversized serial replies",
                            "    - iio: chemical: scd30: fix division by zero in write_raw",
                            "    - iio: light: cm3323: fix reg_conf not being initialized correctly",
                            "    - iio: buffer: hw-consumer: fix use-after-free in error path",
                            "    - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()",
                            "    - USB: serial: omninet: fix memory corruption with small endpoint",
                            "    - usb: cdns3: gadget: fix request skipping after clearing halt",
                            "    - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy",
                            "      acquisition failure",
                            "    - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently",
                            "      leaks the runtime PM usage counter across bind/unbind cycles",
                            "    - usb: dwc2: Fix use after free in debug code",
                            "    - Input: elan_i2c - validate firmware size before use",
                            "    - i2c: davinci: fix division by zero on missing clock-frequency",
                            "    - x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines",
                            "    - wireguard: send: append trailer after expanding head",
                            "    - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data",
                            "    - macsec: fix replay protection at XPN lower-PN wrap",
                            "    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()",
                            "    - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params",
                            "    - octeontx2-af: validate body pcifunc in rvu_mbox_handler_rep_event_notify",
                            "    - ipv6: exthdrs: refresh nh after handling HAO option",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().",
                            "    - ipv6: validate extension header length before copying to cmsg",
                            "    - xfrm: input: hold netns during deferred transport reinjection",
                            "    - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_changelink().",
                            "    - net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
                            "    - spi: spi-mem: avoid mutating op template in spi_mem_supports_op()",
                            "    - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()",
                            "    - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings",
                            "    - nfc: hci: fix out-of-bounds read in HCP header parsing",
                            "    - xfrm: route MIGRATE notifications to caller's netns",
                            "    - xfrm: ipcomp: Free destination pages on acomp errors",
                            "    - xfrm: ah: use skb_to_full_sk in async output callbacks",
                            "    - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417",
                            "    - ALSA: firewire-motu: Protect register DSP event queue positions",
                            "    - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without",
                            "      direction check",
                            "    - ASoC: qcom: q6asm-dai: close stream only when running",
                            "    - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger",
                            "      callbacks",
                            "    - xfrm: esp: restore combined single-frag length gate",
                            "    - ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP",
                            "    - xfrm: iptfs: reset runtime state when cloning SAs",
                            "    - dma-buf: fix UAF in dma_buf_fd() tracepoint",
                            "    - Input: xpad - add \"Nova 2 Lite\" from GameSir",
                            "    - Input: xpad - add support for ASUS ROG RAIKIRI II",
                            "    - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops",
                            "    - misc: rp1: Send IACK on IRQ activate to fix kdump/kexec",
                            "    - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem",
                            "    - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490",
                            "    - dt-bindings: usb: Fix EIC7700 USB reset's issue",
                            "    - comedi: comedi_test: fix check for valid scan_begin_src in",
                            "      waveform_ai_cmdtest()",
                            "    - comedi: comedi_test: Fix limiting of convert_arg in",
                            "      waveform_ai_cmdtest()",
                            "    - counter: Fix refcount leak in counter_alloc() error path",
                            "    - tty: serial: pch_uart: add check for dma_alloc_coherent()",
                            "    - tty: serial: samsung: Remove redundant port lock acquisition in rx",
                            "      helpers",
                            "    - uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory",
                            "    - usb: chipidea: core: convert ci_role_switch to local variable",
                            "    - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval",
                            "    - usb: dwc3: xilinx: fix error handling in zynqmp init error paths",
                            "    - usb: musb: omap2430: Fix use-after-free in omap2430_probe()",
                            "    - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub",
                            "      controllers",
                            "    - usb: storage: Add quirks for PNY Elite Portable SSD",
                            "    - usbip: vudc: Fix use after free bug in vudc_remove due to race condition",
                            "    - usb: usbtmc: check URB actual_length for interrupt-IN notifications",
                            "    - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize",
                            "    - usb: typec: tipd: Fix error code in tps6598x_probe()",
                            "    - usb: typec: tcpm: improve handling of DISCOVER_MODES failures",
                            "    - usb: typec: ucsi: Check if power role change actually happened before",
                            "      handling",
                            "    - usb: typec: ucsi: Don't update power_supply on power role change if not",
                            "      connected",
                            "    - USB: serial: option: add MeiG SRM813Q",
                            "    - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL",
                            "    - USB: serial: belkin_sa: validate interrupt status length",
                            "    - USB: serial: cypress_m8: validate interrupt packet headers",
                            "    - USB: serial: digi_acceleport: fix memory corruption with small endpoints",
                            "    - USB: serial: keyspan: fix missing indat transfer sanity check",
                            "    - USB: serial: mxuport: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check",
                            "    - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind",
                            "    - usb: gadget: net2280: Fix double free in probe error path",
                            "    - usb: gadget: f_hid: fix device reference leak in hidg_alloc()",
                            "    - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling",
                            "    - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports",
                            "    - usb: gadget: f_fs: copy only received bytes on short ep0 read",
                            "    - usb: gadget: f_fs: serialize DMABUF cancel against request completion",
                            "    - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()",
                            "    - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow",
                            "    - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()",
                            "    - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker",
                            "    - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32",
                            "    - scsi: target: iscsi: Fix CRC overread and double-free in",
                            "      iscsit_handle_text_cmd()",
                            "    - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf",
                            "    - scsi: target: iscsi: Validate CHAP_R length before base64 decode",
                            "    - drm/hyperv: validate resolution_count and fix WIN8 fallback",
                            "    - drm/hyperv: validate VMBus packet size in receive callback",
                            "    - drm/gem: fix race between change_handle and handle_delete",
                            "    - drm/i915/color: Fix HDR pre-CSC LUT programming loop",
                            "    - drm/i915/psr: Block DC states on vblank enable when Panel Replay",
                            "      supported",
                            "    - drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable",
                            "    - drm/i915: Fix potential UAF in TTM object purge",
                            "    - drm/amd/pm/si: Disregard vblank time when no displays are connected",
                            "    - serial: altera_jtaguart: handle uart_add_one_port() failures",
                            "    - serial: qcom-geni: fix UART_RX_PAR_EN bit position",
                            "    - serial: qcom_geni: fix kfifo underflow when flush precedes DMA",
                            "      completion IRQ",
                            "    - serial: sh-sci: fix memory region release in error path",
                            "    - serial: zs: Fix swapped RI/DSR modem line transition counting",
                            "    - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma",
                            "    - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr",
                            "    - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger",
                            "    - drm/amdkfd: Check for pdd drm file first in CRIU restore path",
                            "    - drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO",
                            "    - drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx",
                            "    - drm/amdgpu: fix amdgpu_hmm_range_get_pages",
                            "    - drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO",
                            "    - serial: dz: Fix bootconsole message clobbering at chip reset",
                            "    - serial: dz: Fix bootconsole handover lockup",
                            "    - serial: dz: Convert to use a platform device",
                            "    - serial: zs: Fix bootconsole handover lockup",
                            "    - serial: zs: Switch to using channel reset",
                            "    - serial: zs: Convert to use a platform device",
                            "    - serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)",
                            "    - serial: 8250: dispatch SysRq character in serial8250_handle_irq()",
                            "    - serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()",
                            "    - platform/x86/intel/vsec: Refactor base_addr handling",
                            "    - platform/x86/intel/vsec: Make driver_data info const",
                            "    - platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery",
                            "    - rxrpc: Fix RESPONSE packet verification to extract skb to a linear",
                            "      buffer",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook",
                            "      X",
                            "    - arm64: tlb: Flush walk cache when unsharing PMD tables",
                            "    - i2c: tegra: make tegra_i2c_mutex_unlock() return void",
                            "    - hwmon: (pmbus) Add support for guarded PMBus lock",
                            "    - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with",
                            "      pmbus_lock",
                            "    - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock",
                            "    - net: phy: micrel: fix LAN8814 QSGMII soft reset",
                            "    - xhci: tegra: Fix ghost USB device on dual-role port unplug",
                            "    - mailbox: Fix NULL message support in mbox_send_message()",
                            "    - usb: core: Fix SuperSpeed root hub wMaxPacketSize",
                            "    - tools: ynl: add scope qualifier for definitions",
                            "    - Linux 7.0.12",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46318",
                            "    - Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46322",
                            "    - tun: free page on build_skb failure in tun_xdp_one()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46320",
                            "    - tap: free page on error paths in tap_get_user_xdp()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46321",
                            "    - tun: free page on short-frame rejection in tun_xdp_one()",
                            "",
                            "  * CVE-2026-46316 // CVE-2026-46317",
                            "    - KVM: arm64: Reassign nested_mmus array behind mmu_lock",
                            "",
                            "  * CVE-2026-46316",
                            "    - KVM: arm64: vgic-its: Drop the translation cache reference only for the",
                            "      erased entry",
                            "    - KVM: arm64: Take the SRCU lock for page table walks in fault injection",
                            "      and AT emulation",
                            "",
                            "  * Resolute update: v7.0.11 upstream stable release (LP: #2156390)",
                            "    - iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs",
                            "    - iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
                            "    - ksmbd: close durable scavenger races against m_fp_list lookups",
                            "    - ata: libata-scsi: improve readability of ata_scsi_qc_issue()",
                            "    - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT",
                            "    - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS",
                            "    - ata: libata-scsi: do not needlessly defer commands when using PMP with",
                            "      FBS",
                            "    - sysfs: don't remove existing directory on update failure",
                            "    - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
                            "    - ksmbd: fix null pointer dereference in compare_guid_key()",
                            "    - ksmbd: fix null pointer dereference in proc_show_files()",
                            "    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow",
                            "    - ksmbd: validate SID in parent security descriptor during ACL inheritance",
                            "    - regulator: tps65219: fix irq_data.rdev not being assigned",
                            "    - x86/mm: Disable broadcast TLB flush when PCID is disabled",
                            "    - scripts/gdb: mm: cast untyped symbols in x86_page_ops",
                            "    - smb: client: require net admin for CIFS SWN netlink",
                            "    - smb: client: protect tc_count increment in",
                            "      smb2_find_smb_sess_tcon_unlocked()",
                            "    - smb: client: use data_len for SMB2 READ encrypted folioq copy",
                            "    - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close",
                            "    - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX",
                            "    - ALSA: ua101: Reject too-short USB descriptors",
                            "    - ALSA: pcm: Don't setup bogus iov_iter for silencing",
                            "    - ALSA: asihpi: Fix potential OOB array access at reading cache",
                            "    - ALSA: scarlett2: Allow flash writes ending at segment boundary",
                            "    - ACPI: battery: Fix system wakeup on critical battery status",
                            "    - efi: Allocate runtime workqueue before ACPI init",
                            "    - spi: amd: Set correct bus number in ACPI probe path",
                            "    - io_uring/waitid: clear waitid info before copying it to userspace",
                            "    - drivers/base/memory: fix memory block reference leak in poison",
                            "      accounting",
                            "    - ipv6: ioam: refresh hdr pointer before ioam6_event()",
                            "    - mm/memory: fix spurious warning when unmapping device-private/exclusive",
                            "      pages",
                            "    - mm: fix __vm_normal_page() to handle missing support for",
                            "      pmd_special()/pud_special()",
                            "    - mm/memory_hotplug: fix memory block reference leak on remove",
                            "    - mm/page_alloc: fix initialization of tags of the huge zero folio with",
                            "      init_on_free",
                            "    - mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page",
                            "    - selftests/mm: run_vmtests.sh: fix destructive tests invocation",
                            "    - mm/damon: fix damos_stat tracepoint format for sz_applied",
                            "    - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
                            "    - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
                            "    - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START",
                            "    - Bluetooth: bnep: Fix UAF read of dev->name",
                            "    - Bluetooth: hci_uart: fix UAFs and race conditions in close and init",
                            "      paths",
                            "    - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer",
                            "    - Bluetooth: hci_qca: Convert timeout from jiffies to ms",
                            "    - Bluetooth: MGMT: validate Add Extended Advertising Data length",
                            "    - Bluetooth: serialize accept_q access",
                            "    - phonet/pep: disable BH around forwarded sk_receive_skb()",
                            "    - net: bcmgenet: keep RBUF EEE/PM disabled",
                            "    - net: devmem: reject dma-buf bind with non-page-aligned size or SG length",
                            "    - net: phy: skip EEE advertisement write when autoneg is disabled",
                            "    - net: hsr: defer node table free until after RCU readers",
                            "    - net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover",
                            "    - net: ifb: report ethtool stats over num_tx_queues",
                            "    - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()",
                            "    - netfilter: ip6t_hbh: reject oversized option lists",
                            "    - netfilter: nf_queue: hold bridge skb->dev while queued",
                            "    - netfilter: ipset: stop hash:* range iteration at end",
                            "    - net: ethtool: fix NULL pointer dereference in phy_reply_size",
                            "    - net: ethtool: phy: avoid NULL deref when PHY driver is unbound",
                            "    - ACPI: driver: Check ACPI_COMPANION() against NULL during probe",
                            "    - sched_ext: Fix missing warning in scx_set_task_state() default case",
                            "    - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path",
                            "    - l2tp: use list_del_rcu in l2tp_session_unhash",
                            "    - qed: fix double free in qed_cxt_tables_alloc()",
                            "    - ring-buffer: Fix reporting of missed events in iterator",
                            "    - ring-buffer: Flush and stop persistent ring buffer on panic",
                            "    - wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb",
                            "    - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()",
                            "    - selftests: mptcp: drop nanoseconds width specifier",
                            "    - mptcp: pm: fix ADD_ADDR timer infinite retry on option space",
                            "      insufficient",
                            "    - vsock/vmci: fix UAF when peer resets connection during handshake",
                            "    - vsock/virtio: reset connection on receiving queue overflow",
                            "    - ice: fix VF queue configuration with low MTU values",
                            "    - wifi: ath11k: clear shared SRNG pointer state on restart",
                            "    - wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
                            "    - wifi: iwlwifi: mld: stop TX during firmware restart",
                            "    - ipv4: raw: reject IP_HDRINCL packets with ihl < 5",
                            "    - ixgbevf: fix use-after-free in VEPA multicast source pruning",
                            "    - rbd: eliminate a race in lock_dwork draining on unmap",
                            "    - mptcp: do not drop partial packets",
                            "    - mptcp: reset rcv wnd on disconnect",
                            "    - lsm: hold cred_guard_mutex for lsm_set_self_attr()",
                            "    - octeontx2-af: CGX: add bounds check to cgx_speed_mbps index",
                            "    - octeontx2-pf: fix double free in rvu_rep_rsrc_init()",
                            "    - igc: fix potential skb leak in igc_fpe_xmit_smd_frame()",
                            "    - ice: fix locking around wait_event_interruptible_locked_irq",
                            "    - ice: fix setting promisc mode while adding VID filter",
                            "    - ice: restore PTP Rx timestamp config after ethtool set-channels",
                            "    - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
                            "    - af_unix: Fix UAF read of tail->len in unix_stream_data_wait()",
                            "    - wifi: mac80211: consume only present negotiated TTLM maps",
                            "    - octeontx2-pf: avoid double free of pool->stack on AQ init failure",
                            "    - cifs: Fix busy dentry used after unmounting",
                            "    - tracing: Do not call map->ops->elt_free() if elt_alloc() fails",
                            "    - ASoC: codecs: pcm512x: fix null-ptr dereference in",
                            "      pcm512x_overclock_xxx_put()",
                            "    - arm64: probes: Handle probes on hinted conditional branch instructions",
                            "    - KVM: arm64: vgic-its: Reject restored DTE with out-of-range",
                            "      num_eventid_bits",
                            "    - KVM: arm64: vgic: Free private_irqs when init fails after allocation",
                            "    - KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum",
                            "      #1235)",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM",
                            "    - virt: sev-guest: Explicitly leak pages in unknown state",
                            "    - i2c: tegra: fix pm_runtime leak on mutex_lock failure",
                            "    - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe",
                            "    - spi: qup: fix error pointer deref after DMA setup failure",
                            "    - phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870",
                            "    - phy: tegra: xusb: Fix per-pad high-speed termination calibration",
                            "    - phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4",
                            "      fix",
                            "    - phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables",
                            "    - phy: qcom: edp: Add eDP/DP mode switch support",
                            "    - phy: qcom: edp: Fix AUX_CFG8 programming for DP mode",
                            "    - scsi: isci: Fix use-after-free in device removal path",
                            "    - spi: ep93xx: fix error pointer deref after DMA setup failure",
                            "    - spi: sprd: fix error pointer deref after DMA setup failure",
                            "    - spi: ti-qspi: fix use-after-free after DMA setup failure",
                            "    - mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()",
                            "    - RDMA/siw: Reject MPA FPDU length underflow before signed receive math",
                            "    - s390/cio: Restore GFP_DMA for CHSC allocation",
                            "    - s390/pai: Disable duplicate read of kernel PAI counter value",
                            "    - s390/pai: Fix missing PAI counter increments under heavy load",
                            "    - fwctl: pds: Validate RPC input size before parsing",
                            "    - LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions",
                            "    - LoongArch: Remove unused code to avoid build warning",
                            "    - cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E",
                            "    - device property: set fwnode->secondary to NULL in fwnode_init()",
                            "    - drm/i915/display: Copy color pipeline from plane in the primary joiner",
                            "      pipe",
                            "    - drm/msm: Fix shrinker deadlock",
                            "    - drm/v3d: Fix use-after-free of CPU job query arrays on error path",
                            "    - drm/v3d: Release indirect CSD GEM reference on CPU job free",
                            "    - drm/virtio: use uninterruptible resv lock for plane updates",
                            "    - drm/xe/multi_queue: Fix secondary queue error case",
                            "    - drm/amdgpu/vpe: Force collaborate sync after TRAP",
                            "    - drm/bridge: it66121: acquire reset GPIO in probe",
                            "    - drm/bridge: megachips: remove bridge when irq request fails",
                            "    - drm/amd/display: Fix integer overflow in bios_get_image()",
                            "    - drm/amd/display: Validate GPIO pin LUT table size before iterating",
                            "    - drm/amd/display: Validate payload length and link_index in",
                            "      dc_process_dmub_aux_transfer_async",
                            "    - batman-adv: v: stop OGMv2 on disabled interface",
                            "    - batman-adv: tvlv: abort OGM send on tvlv append failure",
                            "    - batman-adv: tvlv: reject oversized TVLV packets",
                            "    - batman-adv: iv: recover OGM scheduling after forward packet error",
                            "    - batman-adv: mcast: fix use-after-free in orig_node RCU release",
                            "    - batman-adv: clear current gateway during teardown",
                            "    - batman-adv: dat: handle forward allocation error",
                            "    - batman-adv: fix fragment reassembly length accounting",
                            "    - batman-adv: fix tp_meter counter underflow during shutdown",
                            "    - batman-adv: frag: disallow unicast fragment in fragment",
                            "    - batman-adv: bla: fix report_work leak on backbone_gw purge",
                            "    - batman-adv: bla: avoid double decrement of bla.num_requests",
                            "    - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface",
                            "    - batman-adv: tp_meter: avoid use of uninit sender vars",
                            "    - batman-adv: tp_meter: directly shut down timer on cleanup",
                            "    - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown",
                            "    - batman-adv: tp_meter: fix race condition in send error reporting",
                            "    - batman-adv: tp_meter: avoid role confusion in tp_list",
                            "    - batman-adv: tt: fix TOCTOU race for reported vlans",
                            "    - batman-adv: tt: reject oversized local TVLV buffers",
                            "    - batman-adv: tt: avoid empty VLAN responses",
                            "    - batman-adv: tt: fix negative last_changeset_len",
                            "    - batman-adv: tt: fix negative tt_buff_len",
                            "    - batman-adv: tt: prevent TVLV entry number overflow",
                            "    - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock",
                            "    - hwmon: (pmbus/adm1266) reject implausible blackbox record_count",
                            "    - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer",
                            "    - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized",
                            "      buffer",
                            "    - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR",
                            "    - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in",
                            "      get_multiple",
                            "    - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO",
                            "      accessors",
                            "    - pinctrl: mediatek: moore: implement gpio_chip::get_direction()",
                            "    - pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function",
                            "    - arm64: dts: renesas: r8a78000: Fix SCIF brg_int clocks",
                            "    - ARM: dts: renesas: genmai: Drop superfluous cells",
                            "    - ARM: dts: renesas: rskrza1: Drop superfluous cells",
                            "    - pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high",
                            "      pins during suspend/resume",
                            "    - pinctrl: renesas: rzg2l: Fix SMT register cache handling",
                            "    - pinctrl: meson: amlogic-a4: fix deadlock issue",
                            "    - pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615",
                            "    - kho: skip KHO for crash kernel",
                            "    - mm/memfd_luo: report error when restoring a folio fails mid-loop",
                            "    - HID: intel-thc-hid: Intel-quickspi: Fix some error codes",
                            "    - HID: uclogic: Fix regression of input name assignment",
                            "    - firmware: arm_ffa: Check for NULL FF-A ID table while driver",
                            "      registration",
                            "    - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure",
                            "    - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue",
                            "    - firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0",
                            "    - riscv: errata: Fix bitwise vs logical AND in MIPS errata patching",
                            "    - riscv: Fix register corruption from uninitialized cregs on error",
                            "    - riscv: mm: Fixup no5lvl failure when vaddr is invalid",
                            "    - kunit: config: Enable KUNIT_DEBUGFS by default",
                            "    - kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS",
                            "    - pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150",
                            "    - firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies",
                            "    - firmware: arm_ffa: Keep framework RX release under lock",
                            "    - firmware: arm_ffa: Validate framework notification message layout",
                            "    - firmware: arm_ffa: Align RxTx buffer size before mapping",
                            "    - firmware: arm_ffa: Snapshot notifier callbacks under lock",
                            "    - firmware: arm_ffa: Fix sched-recv callback partition lookup",
                            "    - ARM: integrator: Fix early initialization",
                            "    - ALSA: hda: cs35l56: Put ACPI device after setting companion",
                            "    - ALSA: hda: cs35l41: Put ACPI device on missing physical node",
                            "    - btrfs: tracepoints: fix sleep while in atomic context in",
                            "      btrfs_sync_file()",
                            "    - netfilter: x_tables: allow initial table replace without emitting audit",
                            "      log message",
                            "    - netfilter: x_tables: allocate hook ops while under mutex",
                            "    - netfilter: x_tables: unregister the templates first",
                            "    - netfilter: x_tables: add and use xt_unregister_table_pre_exit",
                            "    - netfilter: x_tables: add and use xtables_unregister_table_exit",
                            "    - netfilter: ebtables: move to two-stage removal scheme",
                            "    - netfilter: ebtables: close dangling table module init race",
                            "    - netfilter: x_tables: close dangling table module init race",
                            "    - netfilter: bridge: eb_tables: close module init race",
                            "    - netfilter: nf_conntrack_expect: restore helper propagation via",
                            "      expectation",
                            "    - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()",
                            "    - test_kprobes: clear kprobes between test runs",
                            "    - tcp: Fix imbalanced icsk_accept_queue count.",
                            "    - net: napi: Avoid gro timer misfiring at end of busypoll",
                            "    - net: shaper: Reject reparenting of existing nodes",
                            "    - idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
                            "    - ice: fix setting RSS VSI hash for E830",
                            "    - ice: fix locking in ice_dcb_rebuild()",
                            "    - ice: dpll: fix rclk pin state get for E810",
                            "    - ice: dpll: fix misplaced header macros",
                            "    - net: lan966x: avoid unregistering netdev on register failure",
                            "    - net: ti: icssm-prueth: fix eth_ports_node leak in probe",
                            "    - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register",
                            "      access",
                            "    - phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init()",
                            "    - NFSD: Fix infinite loop in layout state revocation",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC",
                            "    - fprobe: Fix unregister_fprobe() to wait for RCU grace period",
                            "    - fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap",
                            "    - fs: Fix return in jfs_mkdir and orangefs_mkdir",
                            "    - irqchip/ath79-cpu: Remove unused function",
                            "    - fs: fix forced iversion increment on lazytime timestamp updates",
                            "    - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter",
                            "      validation",
                            "    - nsfs: fix wrong error code returned for pidns ioctls",
                            "    - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT",
                            "    - nvme: fix bio leak on mapping failure",
                            "    - nvme-pci: fix use-after-free in nvme_free_host_mem()",
                            "    - zonefs: handle integer overflow in zonefs_fname_to_fno",
                            "    - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().",
                            "    - ASoC: SOF: amd: Fix error code handling in psp_send_cmd()",
                            "    - powerpc: 82xx: fix uninitialized pointers with free attribute",
                            "    - powerpc: fix dead default for GUEST_STATE_BUFFER_TEST",
                            "    - powerpc/hv-gpci: fix preempt count leak in sysfs show paths",
                            "    - netfs: Fix cancellation of a DIO and single read subrequests",
                            "    - netfs: Fix missing locking around retry adding new subreqs",
                            "    - netfs: Fix missing barriers when accessing stream->subrequests",
                            "      locklessly",
                            "    - netfs: Fix netfs_read_to_pagecache() to pause on subreq failure",
                            "    - netfs: Fix potential for tearing in ->remote_i_size and ->zero_point",
                            "    - netfs: Fix zeropoint update where i_size > remote_i_size",
                            "    - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call",
                            "    - netfs: Fix overrun check in netfs_extract_user_iter()",
                            "    - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes",
                            "      gone",
                            "    - netfs: Defer the emission of trace_netfs_folio()",
                            "    - netfs: Fix streaming write being overwritten",
                            "    - netfs: Fix potential deadlock in write-through mode",
                            "    - netfs: Fix read-gaps to remove netfs_folio from filled folio",
                            "    - netfs: Fix write streaming disablement if fd open O_RDWR",
                            "    - netfs: Fix early put of sink folio in netfs_read_gaps()",
                            "    - netfs: Fix leak of request in netfs_write_begin() error handling",
                            "    - netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()",
                            "    - netfs: Fix partial invalidation of streaming-write folio",
                            "    - netfs: Fix folio->private handling in netfs_perform_write()",
                            "    - netfs: Fix netfs_read_folio() to wait on writeback",
                            "    - netfs, afs: Fix write skipping in dir/link writepages",
                            "    - afs: Fix the locking used by afs_get_link()",
                            "    - net: ethernet: cortina: Make RX SKB per-port",
                            "    - net: ethernet: cortina: Drop half-assembled SKB",
                            "    - net: ethernet: cortina: Carry over frag counter",
                            "    - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference",
                            "    - wifi: ath11k: fix error path leaks in some WMI WOW calls",
                            "    - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()",
                            "    - wifi: ath10k: skip WMI and beacon transmission when device is wedged",
                            "    - net: shaper: flip the polarity of the valid flag",
                            "    - net: shaper: fix trivial ordering issue in net_shaper_commit()",
                            "    - net: shaper: reject duplicate leaves in GROUP request",
                            "    - net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit",
                            "    - net: shaper: fix undersized reply skb allocation in GROUP command",
                            "    - net: shaper: enforce singleton NETDEV scope with id 0",
                            "    - net: shaper: reject QUEUE scope handle with missing id",
                            "    - block: don't overwrite bip_vcnt in bio_integrity_copy_user()",
                            "    - block: recompute nr_integrity_segments in blk_insert_cloned_request",
                            "    - HID: quirks: really enable the intended work around for appledisplay",
                            "    - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()",
                            "    - accel/qaic: Add overflow check to remap_pfn_range during mmap",
                            "    - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint",
                            "    - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics",
                            "    - drm/msm/dpu: fix UV scanlines calculation for YUV UBWC formats",
                            "    - drm/msm/dpu: Fix Kaanapali CWB register configuration",
                            "    - drm/msm/dsi: don't dump registers past the mapped region",
                            "    - drm/msm/dpu: don't mix devm and drmm functions",
                            "    - block: rename struct gendisk zone_wplugs_lock field",
                            "    - block: allow submitting all zone writes from a single context",
                            "    - block: fix handling of dead zone write plugs",
                            "    - selftests: ublk: cap nthreads to kernel's actual nr_hw_queues",
                            "    - x86/mce: Restore MCA polling interval halving",
                            "    - Documentation: intel_pstate: Fix description of asymmetric packing with",
                            "      SMT",
                            "    - drm/msm: Fix GMEM_BASE for A650",
                            "    - drm/msm/a6xx: Add soft fuse detection support",
                            "    - drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()",
                            "    - drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx",
                            "    - drm/msm/a6xx: Restore sysprof_active",
                            "    - drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN",
                            "    - drm/msm/a6xx: Check kzalloc return in a8xx_hfi_send_perf_table",
                            "    - ASoC: intel: sof_sdw: Prepare for configuration without a jack",
                            "    - ASoC: sdw_utils: cs42l43: allow spk component names to be combined",
                            "    - ASoC: sdw_utils: Check speaker component string allocation",
                            "    - riscv: Docs: fix unmatched quote warning",
                            "    - powerpc/time: Remove redundant preempt_disable|enable() calls from",
                            "      arch_irq_work_raise()",
                            "    - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot",
                            "    - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring",
                            "    - net: tls: prevent chain-after-chain in plain text SG",
                            "    - net: phy: DP83TC811: add reading of abilities",
                            "    - ovpn: tcp - use cached peer pointer in ovpn_tcp_close()",
                            "    - ovpn: respect peer refcount in CMD_NEW_PEER error path",
                            "    - ovpn: fix race between deleting interface and adding new peer",
                            "    - cifs: client: stage smb3_reconfigure() updates and restore ctx on",
                            "      failure",
                            "    - phy: apple: atc: Fix typec switch/mux leak on unbind",
                            "    - gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE",
                            "    - x86/xen: Fix xen_e820_swap_entry_with_ram()",
                            "    - vfio/pci: Check BAR resources before exporting a DMABUF",
                            "    - ovpn: disable BHs when updating device stats",
                            "    - tls: Preserve sk_err across recvmsg() when data has been copied",
                            "    - net/mlx5: Do not restore destination-less TC rules",
                            "    - net/mlx5: Skip disabled vports when setting max TX speed",
                            "    - scsi: sd: Fix return code handling in sd_spinup_disk()",
                            "    - ASoC: codecs: fs210x: fix possible buffer overflow",
                            "    - iommupt: Directly call iommupt's unmap_range()",
                            "    - iommupt: Avoid rewalking during map",
                            "    - iommu: Fix loss of errno on map failure for classic ops",
                            "    - iommu: Fix up map/unmap debugging for iommupt domains",
                            "    - iommu: Handle unmap error when iommu_debug is enabled",
                            "    - iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap",
                            "    - iommupt: Fix the end_index calculation in __map_range_leaf()",
                            "    - ALSA: scarlett2: Add missing error check when initialise Autogain Status",
                            "    - ALSA: hda/ca0132: Disable auto-detect on manual output select",
                            "    - cachefiles: Fix error return when vfs_mkdir() fails",
                            "    - io_uring/net: punt IORING_OP_BIND async if it needs file create",
                            "    - vsock/virtio: fix zerocopy completion for multi-skb sends",
                            "    - btrfs: check for subvolume before deleting squota qgroup",
                            "    - btrfs: fix squota accounting during enable generation",
                            "    - ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging",
                            "    - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()",
                            "    - netfilter: nft_inner: release local_lock before re-enabling softirqs",
                            "    - ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5",
                            "    - drm/msm/snapshot: fix dumping of the unaligned regions",
                            "    - hwmon: (lm90) Stop work before releasing hwmon device",
                            "    - hwmon: (lm90) Add lock protection to lm90_alert",
                            "    - wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is",
                            "      disabled",
                            "    - wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it",
                            "    - dma-mapping: move dma_map_resource() sanity check into debug code",
                            "    - drm/gem: Make the GEM LRU lock part of drm_device",
                            "    - drm/xe/gsc: Fix double-free of managed BO in error path",
                            "    - drm/xe/vf: Fix signature of print functions",
                            "    - drm/xe/pf: Fix CFI failure in debugfs access",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019988906",
                            "    - drm/xe: Consolidate workaround entries for Wa_18033852989",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN1",
                            "    - drm/xe/tuning: Apply windower hardware filtering setting on Xe3 and Xe3p",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN4",
                            "    - wifi: ath11k: fix peer resolution on rx path when peer_id=0",
                            "    - wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing",
                            "    - drm/mediatek: mtk_hdmi_ddc_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_cec: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable",
                            "    - io_uring: propagate array_index_nospec opcode into req->opcode",
                            "    - srcu: Don't queue workqueue handlers to never-online CPUs",
                            "    - cgroup/rstat: validate cpu before css_rstat_cpu() access",
                            "    - net/mlx5e: xsk: Fix unlocked writing to ICOSQ",
                            "    - cifs: Fix undefined variables",
                            "    - ice: ptp: serialize E825 PHY timer start with PTP lock",
                            "    - ice: ptp: use primary NAC semaphore on E825",
                            "    - igc: set tx buffer type for SMD frames",
                            "    - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP",
                            "    - phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config",
                            "    - kbuild: pacman-pkg: make \"rc\" releases adhere to pacman versioning",
                            "      scheme",
                            "    - net: dsa: mt7530: fix FDB entries not aging out with short timeout",
                            "    - net: dsa: mt7530: preserve VLAN tags on trapped link-local frames",
                            "    - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer",
                            "    - platform/surface: aggregator_registry: omit battery & AC nodes on",
                            "      Surface Laptop 7",
                            "    - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL",
                            "    - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel_sar: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: uniwill-laptop: Properly initialize charging threshold",
                            "    - platform/x86: uniwill-laptop: Accept charging threshold of 0",
                            "    - platform/x86: uniwill-laptop: Fix behavior of \"force\" module param",
                            "    - platform/x86: asus-armoury: fix mini-LED mode get/set on MODE2 devices",
                            "    - ASoC: soc-utils: Add missing va_end in snd_soc_ret()",
                            "    - drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti (v2)",
                            "    - drm/amdgpu/vce1: Check that the GPU address is < 128 MiB",
                            "    - drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets",
                            "    - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port",
                            "    - RDMA/rtrs: Fix use-after-free in path file creation cleanup",
                            "    - bridge: mcast: Fix a possible use-after-free when removing a bridge port",
                            "    - net: phy: honor eee_disabled_modes in phy_support_eee()",
                            "    - net: phy: honor eee_disabled_modes in phy_advertise_eee_all()",
                            "    - net: airoha: Fix NPU RX DMA descriptor bits",
                            "    - pds_core: fix error handling in pdsc_devcmd_wait",
                            "    - pds_core: fix debugfs_lookup dentry leak and error handling",
                            "    - erofs: fix managed cache race for unaligned extents",
                            "    - erofs: harden h_shared_count in erofs_init_inode_xattrs()",
                            "    - erofs: fix metabuf leak in inode xattr initialization",
                            "    - wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs",
                            "    - wifi: mac80211: fix MLE defragmentation",
                            "    - wifi: mac80211: fix multi-link element inheritance",
                            "    - wifi: wilc1000: fix dma_buffer leak on bus acquire failure",
                            "    - ALSA: seq: Serialize UMP output teardown with event_input",
                            "    - cgroup: rstat: relax NMI guard after switch to try_cmpxchg",
                            "    - tracing: Avoid NULL return from hist_field_name() on truncation",
                            "    - Bluetooth: hci_sync: Fix not setting mask for",
                            "      HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE",
                            "    - Bluetooth: btintel_pcie: Fix incorrect MAC access programming",
                            "    - Bluetooth: btmtk: fix urb->setup_packet leak in error paths",
                            "    - udp: gso: Fix handling checksum in __udp_gso_segment",
                            "    - udp: Fix UDP length on last GSO_PARTIAL segment",
                            "    - net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA",
                            "    - net: shaper: annotate the data races",
                            "    - net: shaper: rework the VALID marking (again)",
                            "    - crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks",
                            "    - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg",
                            "    - net: ag71xx: check error for platform_get_irq",
                            "    - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx",
                            "    - tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction",
                            "    - net: stmmac: eswin: fix HSP CSR init ordering after clock enable",
                            "    - net: stmmac: eswin: clear TXD and RXD delay registers during",
                            "      initialization",
                            "    - net: stmmac: eswin: correct RGMII delay granularity to 20 ps",
                            "    - net: stmmac: eswin: validate RGMII delay values",
                            "    - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed",
                            "    - gpio: aggregator: fix a potential use-after-free",
                            "    - gpio: aggregator: stop using dev-sync-probe",
                            "    - gpio: aggregator: remove the software node when deactivating the",
                            "      aggregator",
                            "    - gpio: aggregator: lock device when calling device_is_bound()",
                            "    - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()",
                            "    - drm/xe/oa: Fix exec_queue leak on width check in stream open",
                            "    - ASoC: cs-amp-lib: Fix wrong sizeof() in",
                            "      _cs_amp_set_efi_calibration_data()",
                            "    - ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup()",
                            "    - selftests: net: Fix checksums in xdp_native",
                            "    - nvme-pci: fix dma_vecs leak on p2p memory",
                            "    - nvme-pci: fix dma mapping leak on data setup error",
                            "    - octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs",
                            "    - net: mana: validate rx_req_idx to prevent out-of-bounds array access",
                            "    - tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR",
                            "    - net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback",
                            "    - pds_core: ensure null-termination for firmware version strings",
                            "    - net: enetc: fix missing error code when pf->vf_state allocation fails",
                            "    - io_uring/nop: pass all errors to userspace",
                            "    - blk-mq: pop cached request if it is usable",
                            "    - ksmbd: fix durable reconnect error path file lifetime",
                            "    - LoongArch: kprobes: Fix handling of fatal unrecoverable recursions",
                            "    - block: avoid use-after-free in disk_free_zone_resources()",
                            "    - Documentation: laptops: Update documentation for uniwill laptops",
                            "    - platform/x86: uniwill-laptop: Do not enable the charging limit even when",
                            "      forced",
                            "    - drm/msm: Restore second parameter name in purge() and evict()",
                            "    - security/keys: fix missed RCU read section on lookup",
                            "    - Linux 7.0.11",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385)",
                            "    - blk-cgroup: wait for blkcg cleanup before initializing new disk",
                            "    - md: suppress spurious superblock update error message for dm-raid",
                            "    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
                            "    - fs/mbcache: cancel shrink work before destroying the cache",
                            "    - md/raid1: fix the comparing region of interval tree",
                            "    - fs: fix archiecture-specific compat_ftruncate64",
                            "    - drbd: Balance RCU calls in drbd_adm_dump_devices()",
                            "    - loop: fix partition scan race between udev and loop_reread_partitions()",
                            "    - block: fix zones_cond memory leak on zone revalidation error paths",
                            "    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()",
                            "    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()",
                            "    - pstore/ram: fix resource leak when ioremap() fails",
                            "    - erofs: include the trailing NUL in FS_IOC_GETFSLABEL",
                            "    - md: fix array_state=clear sysfs deadlock",
                            "    - ublk: reset per-IO canceled flag on each fetch",
                            "    - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()",
                            "    - erofs: handle 48-bit blocks/uniaddr for extra devices",
                            "    - md: remove unused static md_wq workqueue",
                            "    - md: wake raid456 reshape waiters before suspend",
                            "    - dcache: permit dynamic_dname()s up to NAME_MAX",
                            "    - btrfs: fix the inline compressed extent check in inode_need_compress()",
                            "    - btrfs: fix deadlock between reflink and transaction commit when using",
                            "      flushoncommit",
                            "    - btrfs: do not reject a valid running dev-replace",
                            "    - OPP: debugfs: Use performance level if available to distinguish between",
                            "      rates",
                            "    - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()",
                            "    - ACPI: x86: cmos_rtc: Clean up address space handler driver",
                            "    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver",
                            "    - devres: fix missing node debug info in devm_krealloc()",
                            "    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags",
                            "    - debugfs: check for NULL pointer in debugfs_create_str()",
                            "    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()",
                            "    - soundwire: debugfs: initialize firmware_file to empty string",
                            "    - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()",
                            "    - amd-pstate: Update cppc_req_cached in fast_switch case",
                            "    - cpufreq: Pass the policy to cpufreq_driver->adjust_perf()",
                            "    - PCI: use generic driver_override infrastructure",
                            "    - platform/wmi: use generic driver_override infrastructure",
                            "    - vdpa: use generic driver_override infrastructure",
                            "    - s390/cio: use generic driver_override infrastructure",
                            "    - s390/ap: use generic driver_override infrastructure",
                            "    - bus: fsl-mc: use generic driver_override infrastructure",
                            "    - locking/mutex: Rename mutex_init_lockep()",
                            "    - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC",
                            "    - irqchip/irq-pic32-evic: Address warning related to wrong printf()",
                            "      formatter",
                            "    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()",
                            "    - hrtimer: Reduce trace noise in hrtimer_start()",
                            "    - locking: Fix rwlock and spinlock lock context annotations",
                            "    - signal: Fix the lock_task_sighand() annotation",
                            "    - ww-mutex: Fix the ww_acquire_ctx function annotations",
                            "    - perf/amd/ibs: Account interrupt for discarded samples",
                            "    - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR",
                            "    - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler",
                            "    - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE",
                            "    - rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`",
                            "    - sparc64: vdso: Link with -z noexecstack",
                            "    - scripts/gdb: timerlist: Adapt to move of tk_core",
                            "    - locking: Fix rwlock support in <linux/spinlock_up.h>",
                            "    - sched/topology: Compute sd_weight considering cpuset partitions",
                            "    - x86/irqflags: Preemptively move include paravirt.h directive where it",
                            "      belongs",
                            "    - sched/topology: Fix sched_domain_span()",
                            "    - irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()",
                            "    - ASoC: Intel: avs: Check maximum valid CPUID leaf",
                            "    - ASoC: Intel: avs: Include CPUID header at file scope",
                            "    - x86/vdso: Clean up remnants of VDSO32_NOTE_MASK",
                            "    - firmware: dmi: Correct an indexing error in dmi.h",
                            "    - fs/resctrl: Report invalid domain ID when parsing io_alloc_cbm",
                            "    - sched: Make class_schedulers avoid pushing current, and get rid of",
                            "      proxy_tag_curr()",
                            "    - sched/rt: Skip group schedulable check with rt_group_sched=0",
                            "    - wifi: ath11k: fix memory leaks in beacon template setup",
                            "    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()",
                            "    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished",
                            "      irq_prepare_bcn_tasklet",
                            "    - bpf: test_run: Fix the null pointer dereference issue in",
                            "      bpf_lwt_xmit_push_encap",
                            "    - wifi: ath12k: account TX stats only when ACK/BA status is present",
                            "    - wifi: ath12k: Fix legacy rate mapping for monitor mode capture",
                            "    - selftests/bpf: Handle !CONFIG_SMC in bpf_smc.c",
                            "    - wifi: ieee80211: fix definition of EHT-MCS 15 in MRU",
                            "    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH",
                            "    - [Config] Disable CONFIG_FSL_DPAA2_SWITCH on armhf and ppc64el",
                            "    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n",
                            "    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments",
                            "    - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy",
                            "    - powerpc/64s: Fix unmap race with PMD migration entries",
                            "    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n",
                            "    - wifi: libertas: use USB anchors for tracking in-flight URBs",
                            "    - wifi: libertas: don't kill URBs in interrupt context",
                            "    - bpf: Do not allow deleting local storage in NMI",
                            "    - selftests/nolibc: fix test_file_stream() on musl libc",
                            "    - selftests/nolibc: Fix build with host headers and libc",
                            "    - tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to",
                            "      'outbuf[]'",
                            "    - tools/nolibc/printf: Move snprintf length check to callback",
                            "    - tools/nolibc: MIPS: fix clobbers of 'lo' and 'hi' registers on different",
                            "      ISAs",
                            "    - tools/nolibc: avoid -Wundef warning for __STDC_VERSION__",
                            "    - wifi: mt76: mt7996: fix the behavior of radar detection",
                            "    - wifi: mt76: mt7996: fix iface combination for different chipsets",
                            "    - wifi: mt76: mt7996: Set mtxq->wcid just for primary link",
                            "    - wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in",
                            "      mt7996_vif_link_remove()",
                            "    - wifi: mt76: mt7996: Switch to the secondary link if the default one is",
                            "      removed",
                            "    - wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()",
                            "    - wifi: mt76: mt7996: Reset ampdu_state state in case of failure in",
                            "      mt7996_tx_check_aggr()",
                            "    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in",
                            "      mt76_connac2_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control",
                            "    - wifi: mt76: mt7615: fix use_cts_prot support",
                            "    - wifi: mt76: mt7915: fix use_cts_prot support",
                            "    - wifi: mt76: mt7925: prevent NULL pointer dereference in",
                            "      mt7925_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: prevent NULL vif dereference in",
                            "      mt7925_mac_write_txwi",
                            "    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor",
                            "    - wifi: mt76: mt7921: Place upper limit on station AID",
                            "    - wifi: mt76: Fix memory leak destroying device",
                            "    - wifi: mt76: mt7996: Fix NPU stop procedure",
                            "    - wifi: mt76: npu: Add missing rx_token_size initialization",
                            "    - wifi: mt76: mt7925: drop puncturing handling from BSS change path",
                            "    - wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync",
                            "    - wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()",
                            "    - wifi: mt76: mt7925: fix tx power setting failure after chip reset",
                            "    - wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync",
                            "    - wifi: mt76: fix deadlock in remain-on-channel",
                            "    - wifi: mt76: fix backoff fields and max_power calculation",
                            "    - arm64: cpufeature: Make PMUVer and PerfMon unsigned",
                            "    - bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI",
                            "    - wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP",
                            "    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event",
                            "    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()",
                            "    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()",
                            "    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection",
                            "    - wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property",
                            "    - wifi: mt76: mt7996: Remove link pointer dependency in",
                            "      mt7996_mac_sta_remove_links()",
                            "    - wifi: mt76: mt7996: Decrement sta counter removing the link in",
                            "      mt7996_mac_reset_sta_iter()",
                            "    - wifi: mt76: fix multi-radio on-channel scanning",
                            "    - wifi: mt76: support upgrading passive scans to active",
                            "    - wifi: mt76: mt7996: fix RRO EMU configuration",
                            "    - bpf: Fix refcount check in check_struct_ops_btf_id()",
                            "    - selftests/bpf: Fix sockmap_multi_channels reliability",
                            "    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
                            "    - bpf: Fix variable length stack write over spilled pointers",
                            "    - arm_mpam: Ensure in_reset_state is false after applying configuration",
                            "    - arm_mpam: Reset when feature configuration bit unset",
                            "    - bpf,arc_jit: Fix missing newline in pr_err messages",
                            "    - wifi: rtw89: phy: fix uninitialized variable access in",
                            "      rtw89_phy_cfo_set_crystal_cap()",
                            "    - drivers/vfio_pci_core: Change PXD_ORDER check from switch case to",
                            "      if/else block",
                            "    - r8152: fix incorrect register write to USB_UPHY_XTAL",
                            "    - selftests/tracing: Fix to make --logdir option work again",
                            "    - selftests/tracing: Fix to check awk supports non POSIX strtonum()",
                            "    - powerpc/crash: fix backup region offset update to elfcorehdr",
                            "    - powerpc/crash: Update backup region offset in elfcorehdr on memory",
                            "      hotplug",
                            "    - bpf: Fix abuse of kprobe_write_ctx via freplace",
                            "    - macvlan: annotate data-races around port->bc_queue_len_used",
                            "    - bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK",
                            "    - bpf: Fix stale offload->prog pointer after constant blinding",
                            "    - net: ethernet: ti-cpsw:: rename soft_reset() function",
                            "    - net: ethernet: ti-cpsw: fix linking built-in code to modules",
                            "    - wifi: brcmfmac: Fix error pointer dereference",
                            "    - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()",
                            "    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable",
                            "      hooks",
                            "    - bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes",
                            "    - wifi: ath10k: fix station lookup failure during disconnect",
                            "    - bpf: Fix linked reg delta tracking when src_reg == dst_reg",
                            "    - net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT",
                            "    - net: plumb drop reasons to __dev_queue_xmit()",
                            "    - net: qdisc_pkt_len_segs_init() cleanup",
                            "    - net: pull headers in qdisc_pkt_len_segs_init()",
                            "    - arm64: entry: Don't preempt with SError or Debug masked",
                            "    - ACPI: AGDI: fix missing newline in error message",
                            "    - arm64: kexec: Remove duplicate allocation for trans_pgd",
                            "    - bpf: Propagate error from visit_tailcall_insn",
                            "    - bpf: Fix ld_{abs,ind} failure path analysis in subprogs",
                            "    - bpf: Remove static qualifier from local subprog pointer",
                            "    - mptcp: better mptcp-level RTT estimator",
                            "    - bpf: Fix use-after-free in offloaded map/prog info fill",
                            "    - macsec: Support VLAN-filtering lower devices",
                            "    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb",
                            "    - net: bcmgenet: fix leaking free_bds",
                            "    - net: bcmgenet: fix racing timeout handler",
                            "    - net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()",
                            "    - eth: fbnic: Use wake instead of start",
                            "    - netfilter: xt_socket: enable defrag after all other checks",
                            "    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding",
                            "    - bpf: fix mm lifecycle in open-coded task_vma iterator",
                            "    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks",
                            "    - bpf: return VMA snapshot from task_vma iterator",
                            "    - bpf: Fix RCU stall in bpf_fd_array_map_clear()",
                            "    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf",
                            "    - net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available",
                            "    - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars",
                            "    - selftests/bpf: fix __jited_unpriv tag name",
                            "    - net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
                            "    - net/sched: act_ct: Only release RCU read lock after ct_ft",
                            "    - selftests: netfilter: nft_tproxy.sh: adjust to socat changes",
                            "    - net: mana: Use pci_name() for debugfs directory naming",
                            "    - net: mana: Move current_speed debugfs file to mana_init_port()",
                            "    - net: airoha: Add missing RX_CPU_IDX() configuration in",
                            "      airoha_qdma_cleanup_rx_queue()",
                            "    - net_sched: fix skb memory leak in deferred qdisc drops",
                            "    - bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
                            "    - bpf: Allow instructions with arena source and non-arena dest registers",
                            "    - selftests/bpf: Fix reg_bounds to match new tnum-based refinement",
                            "    - net/rds: Optimize rds_ib_laddr_check",
                            "    - net/rds: Restrict use of RDS/IB to the initial network namespace",
                            "    - bpf: Fix OOB in pcpu_init_value",
                            "    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls",
                            "    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG",
                            "    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+",
                            "    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110",
                            "    - net: phy: fix a return path in get_phy_c45_ids()",
                            "    - net/mlx5e: Fix features not applied during netdev registration",
                            "    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()",
                            "    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers",
                            "    - net: fix skb_ext_total_length() BUILD_BUG_ON with",
                            "      CONFIG_GCOV_PROFILE_ALL",
                            "    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb",
                            "    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds",
                            "      MTU",
                            "    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error",
                            "    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
                            "    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp",
                            "    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to",
                            "      sco_pi(sk)->codec",
                            "    - net: phy: qcom: at803x: Use the correct bit to disable extended next",
                            "      page",
                            "    - udp: Force compute_score to always inline",
                            "    - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().",
                            "    - sctp: fix missing encap_port propagation for GSO fragments",
                            "    - sctp: disable BH before calling udp_tunnel_xmit_skb()",
                            "    - selftests/namespaces: remove unused utils.h include from",
                            "      listns_efault_test",
                            "    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master",
                            "    - net: airoha: Fix VIP configuration for AN7583 SoC",
                            "    - net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()",
                            "    - drm/panel: ilitek-ili9882t: Select DRM_DISPLAY_DSC_HELPER",
                            "    - selftests/futex: Fix incorrect result reporting of futex_requeue test",
                            "      item",
                            "    - drm/komeda: fix integer overflow in AFBC framebuffer size check",
                            "    - dma-fence: Fix sparse warnings due __rcu annotations",
                            "    - drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()",
                            "    - drm/virtio: Allow importing prime buffers when 3D is enabled",
                            "    - ASoC: soc-compress: use function to clear symmetric params",
                            "    - PCI/TPH: Allow TPH enable for RCiEPs",
                            "    - PCI: endpoint: pci-epf-vntb: Fix MSI doorbell IRQ unwind",
                            "    - PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested",
                            "    - PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc",
                            "    - drm/sun4i: mixer: Fix layer init code",
                            "    - drm/sun4i: backend: fix error pointer dereference",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019877138",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019386621",
                            "    - drm/xe/xe2_hpg: Drop invalid workaround Wa_15010599737",
                            "    - gpu: nova-core: gsp: use empty slices instead of [0..0] ranges",
                            "    - gpu: nova-core: gsp: fix improper handling of empty slot in cmdq",
                            "    - drm/amdkfd: Removed commented line for MQD queue priority",
                            "    - PCI: imx6: Fix device node reference leak in imx_pcie_probe()",
                            "    - crypto: inside-secure/eip93 - fix register definition",
                            "    - ASoC: sti: Return errors from regmap_field_alloc()",
                            "    - ASoC: sti: use managed regmap_field allocations",
                            "    - dm cache: fix null-deref with concurrent writes in passthrough mode",
                            "    - dm cache: fix write path cache coherency in passthrough mode",
                            "    - dm cache: fix write hang in passthrough mode",
                            "    - dm cache policy smq: fix missing locks in invalidating cache blocks",
                            "    - dm cache: fix concurrent write failure in passthrough mode",
                            "    - dm cache: fix dirty mapping checking in passthrough mode switching",
                            "    - dm-mpath: don't stop probing paths at presuspend",
                            "    - drm/amd/ras: Fix type size of remainder argument",
                            "    - dt-bindings: mmc: dwcmshc-sdhci: Fix resets array validation",
                            "    - drm/amdgpu: GFX12.1 scratch memory limit up to 57-bit",
                            "    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove",
                            "    - gpu: nova-core: use checked arithmetic in FWSEC firmware parsing",
                            "    - gpu: nova-core: create falcon firmware DMA objects lazily",
                            "    - gpu: nova-core: falcon: rename load parameters to reflect DMA dependency",
                            "    - gpu: nova-core: firmware: fix and explain v2 header offsets computations",
                            "    - PCI: dwc: ep: Fix MSI-X Table Size configuration in",
                            "      dw_pcie_ep_set_msix()",
                            "    - PCI: dwc: ep: Mirror the max link width and speed fields to all",
                            "      functions",
                            "    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()",
                            "    - dm cache metadata: fix memory leak on metadata abort retry",
                            "    - dm log: fix out-of-bounds write due to region_count overflow",
                            "    - iopoll: fix function parameter names in read_poll_timeout_atomic()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier",
                            "      in atomic_enable()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to",
                            "      drm_bridge_funcs",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge",
                            "      atomic check",
                            "    - spi: nxp-xspi: Use reinit_completion() for repeated operations",
                            "    - spi: nxp-fspi: Use reinit_completion() for repeated operations",
                            "    - spi: fsl-qspi: Use reinit_completion() for repeated operations",
                            "    - spi: axiado: Remove redundant pm_runtime_mark_last_busy() call",
                            "    - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe",
                            "    - media: synopsys: VIDEO_DW_MIPI_CSI2RX should depend on ARCH_ROCKCHIP",
                            "    - [Config] VIDEO_DW_MIPI_CSI2RX depends on ARCH_ROCKCHIP",
                            "    - drm/amd/pm: Fix xgmi max speed reporting",
                            "    - spi: atcspi200: fix mutex initialization order",
                            "    - selftests/sched_ext: Add missing error check for exit__load()",
                            "    - drm/v3d: Handle error from drm_sched_entity_init()",
                            "    - drm/sun4i: Fix resource leaks",
                            "    - crypto: inside-secure/eip93 - register hash before authenc algorithms",
                            "    - PCI: rzg3s-host: Fix reset handling in probe error path",
                            "    - PCI: rzg3s-host: Reorder reset assertion during suspend",
                            "    - dt-bindings: PCI: renesas,r9a08g045s33-pcie: Fix naming properties",
                            "    - iommu/riscv: Add IOTINVAL after updating DDT/PDT entries",
                            "    - iommu/riscv: Skip IRQ count check when using MSI interrupts",
                            "    - iommu/riscv: Add missing GENERIC_MSI_IRQ",
                            "    - iommu/riscv: Stop polling when CQCSR reports an error",
                            "    - drm/amdkfd: Update queue properties for metadata ring",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()",
                            "    - drm/amdgpu: Add default case in DVI mode validation",
                            "    - regulator: dt-bindings: fp9931: Make vin-supply property as required",
                            "    - regulator: fp9931: Fix handling of mandatory \"vin\" supply",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()",
                            "    - drm/amdgpu: Drop redundant queue NULL check in hang detect worker",
                            "    - drm/amdgpu: Remove dead negative offset check in",
                            "      amdgpu_virt_init_critical_region()",
                            "    - dm init: ensure device probing has finished in dm-mod.waitfor=",
                            "    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build",
                            "      break",
                            "    - crypto: simd - reject compat registrations without __ prefixes",
                            "    - crypto: tegra - Disable softirqs before finalizing request",
                            "    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs",
                            "    - padata: Remove cpu online check from cpu add and removal",
                            "    - padata: Put CPU offline callback in ONLINE section to allow failure",
                            "    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the",
                            "      documentation",
                            "    - accel/amdxdna: fix missing newline in pr_err message",
                            "    - drm/amd/ras: Remove redundant NULL check in pending bad-bank list",
                            "      iteration",
                            "    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority",
                            "    - drm/amdgpu/gfx11: look at the right prop for gfx queue priority",
                            "    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo",
                            "    - PCI: sky1: Fix missing cleanup of ECAM config on probe failure",
                            "    - drm/imagination: Switch reset_reason fields from enum to u32",
                            "    - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()",
                            "    - iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement",
                            "    - drm/msm: add missing MODULE_DEVICE_ID definitions",
                            "    - drm/msm/dpu: fix mismatch between power and frequency",
                            "    - drm/msm/dsi: add the missing parameter description",
                            "    - drm/msm/dpu: don't try using 2 LMs if only one DSC is available",
                            "    - drm/msm/dsi: fix bits_per_pclk",
                            "    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel",
                            "    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0",
                            "    - ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode",
                            "    - tools/sched_ext: scx_pair: fix pair_ctx indexing for CPU pairs",
                            "    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first",
                            "    - drm/panel: simple: Correct G190EAN01 prepare timing",
                            "    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion",
                            "      support",
                            "    - PCI: Prevent shrinking bridge window from its required size",
                            "    - PCI: Fix premature removal from realloc_head list during resource",
                            "      assignment",
                            "    - crypto: hisilicon/sec2 - prevent req used-after-free for sec",
                            "    - PCI: Fix alignment calculation for resource size larger than align",
                            "    - iommu/riscv: Fix signedness bug",
                            "    - ALSA: core: Validate compress device numbers without dynamic minors",
                            "    - drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths",
                            "    - ASoC: amd: acp: update dmic_num logic for acp pdm dmic",
                            "    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled",
                            "    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs",
                            "    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock",
                            "    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0",
                            "    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels",
                            "    - drm/amd/pm/ci: Fill DW8 fields from SMC",
                            "    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board",
                            "    - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled",
                            "    - PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors",
                            "    - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback",
                            "    - ALSA: hda/realtek: fix bad indentation for alc269",
                            "    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace",
                            "      '}')",
                            "    - ASoC: SOF: Intel: hda: Place check before dereference",
                            "    - drm/msm/vma: Avoid lock in VM_BIND fence signaling path",
                            "    - drm/msm/a6xx: Add missing aperture_lock init",
                            "    - drm/msm: Reject fb creation from _NO_SHARE objs",
                            "    - drm/msm: Fix VM_BIND UNMAP locking",
                            "    - drm/msm/a6xx: Fix HLSQ register dumping",
                            "    - drm/msm/shrinker: Fix can_block() logic",
                            "    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks",
                            "    - drm/msm/a6xx: Use barriers while updating HFI Q headers",
                            "    - drm/msm/a8xx: Fix the ticks used in submit traces",
                            "    - drm/msm/a6xx: Switch to preemption safe AO counter",
                            "    - drm/msm/a6xx: Correct OOB usage",
                            "    - drm/msm/adreno: Implement gx_is_on() for A8x",
                            "    - drm/msm/a6xx: Fix gpu init from secure world",
                            "    - ALSA: hda/cmedia: Remove duplicate pin configuration parsing",
                            "    - pmdomain: ti: omap_prm: Fix a reference leak on device node",
                            "    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()",
                            "    - PM: domains: De-constify fields in struct dev_pm_domain_attach_data",
                            "    - drm/msm/dpu: drop INTF_0 on MSM8953",
                            "    - ASoC: fsl_micfil: Add access property for \"VAD Detected\"",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_range_set()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()",
                            "    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()",
                            "    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()",
                            "    - ASoC: fsl_easrc: Change the type for iec958 channel status controls",
                            "    - iommu/amd: Fix clone_alias() to use the original device's devid",
                            "    - iommu/riscv: Remove overflows on the invalidation path",
                            "    - ASoC: qcom: qdsp6: topology: check widget type before accessing data",
                            "    - PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value",
                            "    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off",
                            "    - crypto: qat - disable 420xx AE cluster when lead engine is fused off",
                            "    - crypto: qat - fix compression instance leak",
                            "    - crypto: qat - fix type mismatch in RAS sysfs show functions",
                            "    - crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()",
                            "    - crypto: qat - use swab32 macro",
                            "    - ALSA: hda: Notify IEC958 Default PCM switch state changes",
                            "    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]",
                            "    - PCI: Enable AtomicOps only if Root Port supports them",
                            "    - PCI: imx6: Keep Root Port MSI capability with iMSI-RX to work around",
                            "      hardware bug",
                            "    - PCI: aspeed: Fix IRQ domain leak on platform_get_irq() failure",
                            "    - dt-bindings: PCI: imx6q-pcie: Fix maxItems of clocks and clock-names",
                            "    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found",
                            "    - gpu: nova-core: bitfield: fix broken Default implementation",
                            "    - selftests/mm: skip migration tests if NUMA is unavailable",
                            "    - Documentation: fix a hugetlbfs reservation statement",
                            "    - Docs/admin-guide/mm/damn/lru_sort: fix intervals autotune parameter name",
                            "    - Docs/mm/damon/index: fix typo: autoamted -> automated",
                            "    - zram: do not permit params change after init",
                            "    - selftest: memcg: skip memcg_sock test if address family not supported",
                            "    - gpu: nova-core: remove redundant `.as_ref()` for `dev_*` print",
                            "    - gpu: nova-core: fix missing colon in SEC2 boot debug message",
                            "    - ALSA: scarlett2: Add missing sentinel initializer field",
                            "    - ASoC: qcom: audioreach: explicitly enable speaker protection modules",
                            "    - ASoC: SOF: compress: return the configured codec from get_params",
                            "    - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports",
                            "    - tools/sched_ext: Fix off-by-one in scx_sdt payload zeroing",
                            "    - ASoC: soc-component: re-add pcm_new()/pcm_free()",
                            "    - ASoC: amd: name back to pcm_new()/pcm_free()",
                            "    - ASoC: amd: ps: fix the pcm device numbering for acp pdm dmic",
                            "    - ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream",
                            "    - PCI: tegra194: Fix polling delay for L2 state",
                            "    - PCI: tegra194: Increase LTSSM poll time on surprise link down",
                            "    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link",
                            "      down",
                            "    - PCI: tegra194: Don't force the device into the D0 state before L2",
                            "    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode",
                            "    - PCI: tegra194: Use devm_gpiod_get_optional() to parse \"nvidia,refclk-",
                            "      select\"",
                            "    - PCI: tegra194: Disable direct speed change for Endpoint mode",
                            "    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint",
                            "      mode",
                            "    - PCI: tegra194: Allow system suspend when the Endpoint link is not up",
                            "    - PCI: tegra194: Free up Endpoint resources during remove()",
                            "    - PCI: tegra194: Use DWC IP core version",
                            "    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well",
                            "    - PCI: tegra194: Disable L1.2 capability of Tegra234 EP",
                            "    - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on",
                            "    - drm/fb-helper: Fix a locking bug in an error path",
                            "    - PCI: cadence: Add flags for disabling ASPM capability for broken Root",
                            "      Ports",
                            "    - PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root Ports",
                            "    - ASoC: SDCA: Fix cleanup inversion in class driver",
                            "    - spi: rzv2h-rspi: Fix invalid SPR=0/BRDV=0 clock configuration",
                            "    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()",
                            "      callback",
                            "    - ALSA: sc6000: Keep the programmed board state in card-private data",
                            "    - dm cache: fix missing return in invalidate_committed's error path",
                            "    - sched_ext: Track @p's rq lock across set_cpus_allowed_scx ->",
                            "      ops.set_cpumask",
                            "    - sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking",
                            "    - spi: cadence-qspi: Revert the filtering of certain opcodes in ODTR",
                            "    - crypto: jitterentropy - replace long-held spinlock with mutex",
                            "    - ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP",
                            "    - ALSA: hda/realtek - fixed speaker no sound update",
                            "    - gfs2: Call unlock_new_inode before d_instantiate",
                            "    - fanotify: avoid/silence premature LSM capability checks",
                            "    - fanotify: call fanotify_events_supported() before path_permission() and",
                            "      security_path_notify()",
                            "    - fuse: fix uninit-value in fuse_dentry_revalidate()",
                            "    - ktest: Avoid undef warning when WARNINGS_FILE is unset",
                            "    - ktest: Honor empty per-test option overrides",
                            "    - ktest: Run POST_KTEST hooks on failure and cancellation",
                            "    - vfio: selftests: fix crash in vfio_dma_mapping_mmio_test",
                            "    - rtla/utils: Fix resource leak in set_comm_sched_attr()",
                            "    - tools/rtla: Generate optstring from long options",
                            "    - rtla: Fix segfault on multiple SIGINTs",
                            "    - vfio: selftests: Build tests on aarch64",
                            "    - gfs2: less aggressive low-memory log flushing",
                            "    - quota: Fix race of dquot_scan_active() with quota deactivation",
                            "    - vfio: unhide vdev->debug_root",
                            "    - gfs2: add some missing log locking",
                            "    - gfs2: prevent NULL pointer dereference during unmount",
                            "    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation",
                            "    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
                            "    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon",
                            "    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible",
                            "    - memory: tegra124-emc: Fix dll_change check",
                            "    - memory: tegra30-emc: Fix dll_change check",
                            "    - arm64: dts: imx8-apalis: Fix LEDs name collision",
                            "    - arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD",
                            "    - riscv: dts: spacemit: pcie: fix missing power regulator",
                            "    - arm64: dts: mediatek: mt7988a-bpi-r4pro: fix model string",
                            "    - arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config",
                            "    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO",
                            "      (M.2 W_DISABLE1)",
                            "    - iommufd: vfio compatibility extension check for noiommu mode",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges",
                            "    - arm64: dts: qcom: qcs6490-rubikpi3: Use lt9611 DSI Port B",
                            "    - arm64: dts: qcom: talos: Add missing clock-names to GCC",
                            "    - arm64: dts: ti: k3-am62l: include WKUP_UART0 in wakeup peripheral window",
                            "    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count",
                            "    - iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}",
                            "    - arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices",
                            "    - arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC",
                            "      eval carrier",
                            "    - arm64: dts: imx8mp-hummingboard-pulse/cubox-m: fix vmmc gpio polarity",
                            "    - arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference",
                            "    - ARM: dts: BCM5301X: Drop extra NAND controller compatible",
                            "    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8937-xiaomi-land: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight",
                            "    - firmware: qcom_scm: don't opencode kmemdup",
                            "    - soc: qcom: ubwc: disable bank swizzling for Glymur platform",
                            "    - arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi",
                            "    - Revert \"arm64: dts: rockchip: add SPDIF audio to Beelink A1\"",
                            "    - arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace",
                            "    - arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace",
                            "    - soc: qcom: ocmem: make the core clock optional",
                            "    - soc: qcom: ocmem: register reasons for probe deferrals",
                            "    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available",
                            "    - riscv: dts: spacemit: drop incorrect pinctrl for combo PHY",
                            "    - arm64: dts: rockchip: Fix RK3562 EVB2 model name",
                            "    - arm64: dts: rockchip: Add mphy reset to ufshc node",
                            "    - bus: rifsc: fix RIF configuration check for peripherals",
                            "    - arm64: dts: qcom: arduino-imola: fix faulty spidev node",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: add missing denali-oled.dtb to",
                            "      Makefile\"",
                            "    - arm64: dts: qcom: add missing denali-oled.dtb to Makefile",
                            "    - arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: lemans: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: monaco: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8750: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: kaanapali: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: milos: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8750: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller",
                            "    - arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl",
                            "    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered",
                            "      during boot",
                            "    - arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader",
                            "    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62l3-evm: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins",
                            "    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label",
                            "    - arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS",
                            "      muxing",
                            "    - arm64: dts: imx91: Remove TMU's superfluous sensor ID",
                            "    - arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC",
                            "    - arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3",
                            "    - arm64: dts: imx8mp-evk: Specify ADV7535 register addresses",
                            "    - arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit",
                            "    - arm64: dts: lx2160a: remove duplicate pinmux nodes",
                            "    - arm64: dts: lx2160a: rename pinmux nodes for readability",
                            "    - arm64: dts: lx2160a: add sda gpio references for i2c bus recovery",
                            "    - arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes",
                            "    - arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word",
                            "    - arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual",
                            "    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual",
                            "    - soc/tegra: cbb: Set ERD on resume for err interrupt",
                            "    - soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables",
                            "    - soc/tegra: cbb: Fix cross-fabric target timeout lookup",
                            "    - arm64: tegra: Fix RTC aliases",
                            "    - soc/tegra: pmc: Add kerneldoc for reboot notifier",
                            "    - soc/tegra: pmc: Correct function names in kerneldoc",
                            "    - soc/tegra: pmc: Add kerneldoc for wake-up variables",
                            "    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()",
                            "      failure",
                            "    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()",
                            "    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison",
                            "    - soc: qcom: llcc: fix v1 SB syndrome register offset",
                            "    - soc: qcom: aoss: compare against normalized cooling state",
                            "    - arm64: dts: qcom: milos: Add missing CX power domain to GCC",
                            "    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP",
                            "    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX",
                            "    - arm64/xor: fix conflicting attributes for xor_block_template",
                            "    - lib: kunit_iov_iter: fix memory leaks",
                            "    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended",
                            "    - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP",
                            "    - fwctl: Fix class init ordering to avoid NULL pointer dereference on",
                            "      device removal",
                            "    - ocfs2: fix listxattr handling when the buffer is full",
                            "    - ocfs2: validate bg_bits during freefrag scan",
                            "    - ocfs2: validate group add input before caching",
                            "    - dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis",
                            "    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void",
                            "      function",
                            "    - phy: apple: apple: Use local variable for ioremap return value",
                            "    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()",
                            "    - soundwire: Intel: test bus.bpt_stream before assigning it",
                            "    - dmaengine: mxs-dma: Fix missing return value from",
                            "      of_dma_controller_register()",
                            "    - soundwire: cadence: Clear message complete before signaling waiting",
                            "      thread",
                            "    - tracing: move __printf() attribute on __ftrace_vbprintk()",
                            "    - tracing: Rebuild full_name on each hist_field_name() call",
                            "    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC",
                            "    - [Config] Enable CONFIG_HTE_TEGRA194 on armhf",
                            "    - remoteproc: xlnx: Fix sram property parsing",
                            "    - stop_machine: Fix the documentation for a NULL cpus argument",
                            "    - remoteproc: imx_rproc: Check return value of regmap_attach_dev() in",
                            "      imx_rproc_mmio_detect_mode()",
                            "    - ima: check return value of crypto_shash_final() in boot aggregate",
                            "    - HID: asus: make asus_resume adhere to linux kernel coding standards",
                            "    - HID: asus: do not abort probe when not necessary",
                            "    - workqueue: devres: Add device-managed allocate workqueue",
                            "    - power: supply: max77705: Drop duplicated IRQ error message",
                            "    - power: supply: max77705: Free allocated workqueue and fix removal order",
                            "    - mtd: physmap_of_gemini: Fix disabled pinctrl state check",
                            "    - ima_fs: Correctly create securityfs files for unsupported hash algos",
                            "    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range",
                            "    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read",
                            "      operations",
                            "    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation",
                            "    - mtd: spi-nor: micron-st: add SNOR_CMD_PP_8_8_8_DTR sfdp fixup for",
                            "      mt35xu512aba",
                            "    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask",
                            "    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path",
                            "    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions",
                            "    - cxl/pci: Check memdev driver binding status in cxl_reset_done()",
                            "    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob",
                            "    - mtd: spinand: winbond: Clarify when to enable the HS bit",
                            "    - HID: usbhid: fix deadlock in hid_post_reset()",
                            "    - ext4: fix miss unlock 'sb->s_umount' in extents_kunit_init()",
                            "    - ext4: call deactivate_super() in extents_kunit_exit()",
                            "    - ext4: fix the error handling process in extents_kunit_init).",
                            "    - ext4: fix possible null-ptr-deref in extents_kunit_exit()",
                            "    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()",
                            "    - bpf, arm64: Reject out-of-range B.cond targets",
                            "    - bpf, arm64: Fix off-by-one in check_imm signed range check",
                            "    - bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, sockmap: Fix af_unix iter deadlock",
                            "    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update",
                            "    - bpf, sockmap: Take state lock for af_unix iter",
                            "    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check",
                            "    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs",
                            "    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()",
                            "    - libbpf: Prevent double close and leak of btf objects",
                            "    - bpf: Validate node_id in arena_alloc_pages()",
                            "    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - dt-bindings: pinctrl: marvell,armada3710-xb-pinctrl: add missing items",
                            "      keyword",
                            "    - pinctrl: pinctrl-pic32: Fix resource leak",
                            "    - perf trace: Avoid an ERR_PTR in syscall_stats",
                            "    - pinctrl: microchip-mssio: Fix missing return in probe",
                            "    - perf test type profiling: Remote typedef on struct",
                            "    - pinctrl: cy8c95x0: remove duplicate error message",
                            "    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()",
                            "    - pinctrl: cy8c95x0: Avoid returning positive values to user space",
                            "    - perf branch: Avoid incrementing NULL",
                            "    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE",
                            "      trace",
                            "    - pinctrl: pinconf-generic: Fully validate 'pinmux' property",
                            "    - pinctrl: realtek: Fix function signature for config argument",
                            "    - pinctrl: abx500: Fix type of 'argument' variable",
                            "    - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT}",
                            "      registers",
                            "    - tools build: Correct link flags for libopenssl",
                            "    - perf lock: Fix option value type in parse_max_stack",
                            "    - perf stat: Fix opt->value type for parse_cache_level",
                            "    - memblock: reserve_mem: fix end caclulation in",
                            "      reserve_mem_release_by_name()",
                            "    - perf stat: Fix crash on arm64",
                            "    - perf tools: Fix module symbol resolution for non-zero .text sh_addr",
                            "    - perf test: Fix ratio_to_prev event parsing test",
                            "    - perf test: Skip perf data type profiling tests for s390",
                            "    - perf expr: Return -EINVAL for syntax error in expr__find_ids()",
                            "    - perf metrics: Make common stalled metrics conditional on having the",
                            "      event",
                            "    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure",
                            "    - ipmi: ssif_bmc: fix message desynchronization after truncated response",
                            "    - ipmi: ssif_bmc: change log level to dbg in irq callback",
                            "    - perf cgroup: Update metric leader in evlist__expand_cgroup",
                            "    - pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description",
                            "    - pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description",
                            "    - perf maps: Fix fixup_overlap_and_insert that can break sorted by name",
                            "      order",
                            "    - perf maps: Fix copy_from that can break sorted by name order",
                            "    - perf util: Kill die() prototype, dead for a long time",
                            "    - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback",
                            "    - i3c: master: dw-i3c: Balance PM runtime usage count on probe failure",
                            "    - i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()",
                            "    - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()",
                            "    - i3c: master: adi: Fix error propagation for CCCs",
                            "    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status",
                            "    - fs/ntfs3: prevent uninitialized lcn caused by zero len",
                            "    - backlight: sky81452-backlight: Check return value of",
                            "      devm_gpiod_get_optional() in sky81452_bl_parse_dt()",
                            "    - platform/surface: surfacepro3_button: Drop wakeup source on remove",
                            "    - leds: lgm-sso: Remove duplicate assignments for priv->mmap",
                            "    - usb: typec: Fix error pointer dereference",
                            "    - tty: hvc_iucv: fix off-by-one in number of supported devices",
                            "    - usb: typec: ps883x: Fix Oops at unbind",
                            "    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and",
                            "      cleanup",
                            "    - platform/x86: barco-p50-gpio: normalize return value of gpio_get",
                            "    - fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()",
                            "    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()",
                            "    - nfs/blocklayout: Fix compilation error (`make W=1`) in",
                            "      bl_write_pagelist()",
                            "    - sunrpc: Kill RPC_IFDEBUG()",
                            "    - sunrpc: Fix compilation error (`make W=1`) when dprintk() is no-op",
                            "    - NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg",
                            "    - nfsd: use dynamic allocation for oversized NFSv4.0 replay cache",
                            "    - RDMA/umem: Use consistent DMA attributes when unmapping entries",
                            "    - greybus: raw: fix use-after-free on cdev close",
                            "    - greybus: raw: fix use-after-free if write is called after disconnect",
                            "    - platform/x86: asus-wmi: adjust screenpad power/brightness handling",
                            "    - platform/x86: asus-wmi: fix screenpad brightness range",
                            "    - tty: serial: ip22zilog: Fix section mispatch warning",
                            "    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion",
                            "    - platform/x86: hp-wmi: fix ignored return values in fan settings",
                            "    - platform/x86: hp-wmi: avoid cancel_delayed_work_sync from work handler",
                            "    - platform/x86: hp-wmi: use mod_delayed_work to reset keep-alive timer",
                            "    - platform/x86: hp-wmi: fix u8 underflow in gpu_delta calculation",
                            "    - platform/x86: hp-wmi: add locking for concurrent hwmon access",
                            "    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()",
                            "    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation",
                            "    - RDMA/core: Prefer NLA_NUL_STRING",
                            "    - platform/x86: hp-wmi: fix fan table parsing",
                            "    - dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur",
                            "    - clk: qcom: gcc-glymur: Add video axi clock resets for glymur",
                            "    - clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: renesas: r9a09g057: Fix ordering of module clocks array",
                            "    - clk: renesas: r9a09g056: Fix ordering of module clocks array",
                            "    - clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock",
                            "    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()",
                            "    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX",
                            "    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from",
                            "      byte_div_clk_src dividers",
                            "    - clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-kaanapali: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-milos: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting",
                            "    - clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}",
                            "    - scsi: target: core: Fix integer overflow in UNMAP bounds check",
                            "    - scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item",
                            "    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Use retention for USB power domains",
                            "    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains",
                            "    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk",
                            "    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks",
                            "    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()",
                            "    - clk: imx: imx6q: Fix device node reference leak in",
                            "      of_assigned_ldb_sels()",
                            "    - clk: imx8mq: Correct the CSI PHY sels",
                            "    - um: Fix potential race condition in TLB sync",
                            "    - x86/um: fix vDSO installation",
                            "    - clk: qoriq: avoid format string warning",
                            "    - clk: xgene: Fix mapping leak in xgene_pllclk_init()",
                            "    - clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()",
                            "    - f2fs: avoid reading already updated pages during GC",
                            "    - printk_ringbuffer: Fix get_data() size sanity check",
                            "    - clk: qcom: gdsc: Fix error path on registration of multiple pm",
                            "      subdomains",
                            "    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()",
                            "    - f2fs: fix data loss caused by incorrect use of nat_entry flag",
                            "    - f2fs: fix to preserve previous reserve_{blocks,node} value when remount",
                            "    - scsi: hpsa: Enlarge controller and IRQ name buffers",
                            "    - drm/amd/display: Fix parameter mismatch in panel self-refresh helper",
                            "    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON",
                            "    - clk: visconti: pll: initialize clk_init_data to zero",
                            "    - f2fs: allow empty mount string for Opt_usr|grp|projjquota",
                            "    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()",
                            "    - drm/i915/wm: Verify the correct plane DDB entry",
                            "    - virt: arm-cca-guest: fix error check for RSI_INCOMPLETE",
                            "    - crypto: eip93 - fix hmac setkey algo selection",
                            "    - crypto: sa2ul - Fix AEAD fallback algorithm names",
                            "    - crypto: ccp - copy IV using skcipher ivsize",
                            "    - sh: Include <linux/io.h> in dac.h",
                            "    - erofs: unify lcn as u64 for 32-bit platforms",
                            "    - tools: hv: Fix cross-compilation",
                            "    - Drivers: hv: vmbus: fix hyperv_cpuhp_online variable shadowing",
                            "    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - PCMCIA: Fix garbled log messages for KERN_CONT",
                            "    - reset: amlogic: t7: Fix null reset ops",
                            "    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's",
                            "      phy-names",
                            "    - pwm: stm32: Fix rounding issue for requests with inverted polarity",
                            "    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in",
                            "      tcf_blockcast_redir",
                            "    - macvlan: fix macvlan_get_size() not reserving space for",
                            "      IFLA_MACVLAN_BC_CUTOFF",
                            "    - net/sched: sch_cake: fix NAT destination port not being updated in",
                            "      cake_update_flowkeys",
                            "    - nexthop: fix IPv6 route referencing IPv4 nexthop",
                            "    - net: airoha: Wait for NPU PPE configuration to complete in",
                            "      airoha_ppe_offload_setup()",
                            "    - net/sched: taprio: fix use-after-free in advance_sched() on schedule",
                            "      switch",
                            "    - net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops",
                            "    - net: enetc: correct the command BD ring consumer index",
                            "    - net: enetc: fix NTMP DMA use-after-free issue",
                            "    - ksmbd: fix use-after-free in smb2_open during durable reconnect",
                            "    - tcp: move tp->chrono_type next tp->chrono_stat[]",
                            "    - tcp: inline tcp_chrono_start()",
                            "    - tcp: annotate data-races in tcp_get_info_chrono_stats()",
                            "    - tcp: add data-race annotations around tp->data_segs_out and",
                            "      tp->total_retrans",
                            "    - tcp: add data-races annotations around tp->reordering, tp->snd_cwnd",
                            "    - tcp: annotate data-races around tp->snd_ssthresh",
                            "    - tcp: annotate data-races around tp->delivered and tp->delivered_ce",
                            "    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE",
                            "    - tcp: annotate data-races around tp->bytes_sent",
                            "    - tcp: annotate data-races around tp->bytes_retrans",
                            "    - tcp: annotate data-races around tp->dsack_dups",
                            "    - tcp: annotate data-races around tp->reord_seen",
                            "    - tcp: annotate data-races around tp->srtt_us",
                            "    - tcp: annotate data-races around tp->timeout_rehash",
                            "    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)",
                            "    - tcp: annotate data-races around tp->plb_rehash",
                            "    - ice: fix 'adjust' timer programming for E830 devices",
                            "    - ice: update PCS latency settings for E825 10G/25Gb modes",
                            "    - ice: fix double-free of tx_buf skb",
                            "    - ice: fix PHY config on media change with link-down-on-close",
                            "    - ice: fix ICE_AQ_LINK_SPEED_M for 200G",
                            "    - ice: fix race condition in TX timestamp ring cleanup",
                            "    - ice: fix potential NULL pointer deref in error path of",
                            "      ice_set_ringparam()",
                            "    - i40e: don't advertise IFF_SUPP_NOFCS",
                            "    - iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2",
                            "    - e1000e: Unroll PTP in probe error handling",
                            "    - ipv6: fix possible UAF in icmpv6_rcv()",
                            "    - af_unix: Drop all SCM attributes for SOCKMAP.",
                            "    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks",
                            "    - pppoe: drop PFC frames",
                            "    - net/mlx5: Fix HCA caps leak on notifier init failure",
                            "    - net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()",
                            "    - netfilter: nft_osf: restrict it to ipv4",
                            "    - netfilter: conntrack: remove sprintf usage",
                            "    - netfilter: xtables: restrict several matches to inet family",
                            "    - netfilter: nat: use kfree_rcu to release ops",
                            "    - ipvs: fix MTU check for GSO packets in tunnel mode",
                            "    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching",
                            "    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check",
                            "    - net/sched: sch_dualpi2: drain both C-queue and L-queue in",
                            "      dualpi2_change()",
                            "    - arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0",
                            "    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number",
                            "    - vfio/pci: Clean up DMABUFs before disabling function",
                            "    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic",
                            "    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()",
                            "    - ksmbd: destroy async_ida in ksmbd_conn_free()",
                            "    - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open",
                            "    - ksmbd: scope conn->binding slowpath to bound sessions only",
                            "    - net: validate skb->napi_id in RX tracepoints",
                            "    - bnge: fix initial HWRM sequence",
                            "    - bnge: remove unsupported backing store type",
                            "    - sctp: fix sockets_allocated imbalance after sk_clone()",
                            "    - net/rds: zero per-item info buffer before handing it to visitors",
                            "    - ice: fix timestamp interrupt configuration for E825C",
                            "    - ice: perform PHY soft reset for E825C ports at initialization",
                            "    - ice: fix ready bitmap check for non-E822 devices",
                            "    - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g",
                            "    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()",
                            "    - net/sched: sch_pie: annotate data-races in pie_dump_stats()",
                            "    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()",
                            "    - net/sched: sch_red: annotate data-races in red_dump_stats()",
                            "    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()",
                            "    - net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()",
                            "    - net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()",
                            "    - net: dsa: realtek: rtl8365mb: fix mode mask calculation",
                            "    - net: airoha: Move ndesc initialization at end of",
                            "      airoha_qdma_init_rx_queue()",
                            "    - net: airoha: Rework the code flow in airoha_remove() and in",
                            "      airoha_probe() error path",
                            "    - net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()",
                            "    - net: mana: Init link_change_work before potential error paths in probe",
                            "    - net: mana: Init gf_stats_work before potential error paths in probe",
                            "    - net: mana: Guard mana_remove against double invocation",
                            "    - net: mana: Don't overwrite port probe error with add_adev result",
                            "    - net: mana: Fix EQ leak in mana_remove on NULL port",
                            "    - vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting",
                            "    - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via",
                            "      VQ_PAIRS_SET",
                            "    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls",
                            "    - tcp: send a challenge ACK on SEG.ACK > SND.NXT",
                            "    - tipc: fix double-free in tipc_buf_append()",
                            "    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()",
                            "    - nstree: fix func. parameter kernel-doc warnings",
                            "    - eventpoll: use hlist_is_singular_node() in __ep_remove()",
                            "    - eventpoll: split __ep_remove()",
                            "    - eventpoll: kill __ep_remove()",
                            "    - eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()",
                            "    - eventpoll: move epi_fget() up",
                            "    - fs/adfs: validate nzones in adfs_validate_bblk()",
                            "    - rtc: abx80x: Disable alarm feature if no interrupt attached",
                            "    - kbuild: builddeb - avoid recompiles for non-cross-compiles",
                            "    - tools/power turbostat: Fix AMD RAPL regression on big systems",
                            "    - fbdev: offb: fix PCI device reference leak on probe failure",
                            "    - tools/power turbostat: Fix unrecognized option '-P'",
                            "    - tools/power turbostat: Fix --cpu-set 0 regression on HT systems",
                            "    - tools/power turbostat: Fix --cpu-set 1 regression on HT systems",
                            "    - kbuild: Never respect CONFIG_WERROR / W=e to fixdep",
                            "    - mailbox: mtk-vcp-mailbox: Fix the return value in mtk_vcp_mbox_xlate()",
                            "    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case",
                            "    - mailbox: mailbox-test: free channels on probe error",
                            "    - sched/psi: fix race between file release and pressure write",
                            "    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()",
                            "    - cgroup/cpuset: record DL BW alloc CPU for attach rollback",
                            "    - mailbox: add sanity check for channel array",
                            "    - mailbox: mailbox-test: handle channel errors consistently",
                            "    - mailbox: mailbox-test: don't free the reused channel",
                            "    - mailbox: mailbox-test: initialize struct earlier",
                            "    - mailbox: mailbox-test: make data_ready a per-instance variable",
                            "    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()",
                            "    - btrfs: fix bytes_may_use leak in move_existing_remap()",
                            "    - btrfs: fix bytes_may_use leak in do_remap_reloc_trans()",
                            "    - btrfs: don't clobber errors in add_remap_tree_entries()",
                            "    - btrfs: fix double-decrement of bytes_may_use in",
                            "      submit_one_async_extent()",
                            "    - tracing: branch: Fix inverted check on stat tracer registration",
                            "    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
                            "    - netfilter: nf_tables: use list_del_rcu for netlink hooks",
                            "    - rculist: add list_splice_rcu() for private lists",
                            "    - netfilter: nf_tables: join hook list via splice_list_rcu() in commit",
                            "      phase",
                            "    - netfilter: nf_tables: add hook transactions for device deletions",
                            "    - nvme-pci: fix missed admin queue sq doorbell write",
                            "    - drm/amdgpu: avoid double drm_exec_fini() in userq validate",
                            "    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM",
                            "    - drm/amd/pm: fix missing fine-grained dpm table flag on aldebaran",
                            "    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG",
                            "    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated",
                            "    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)",
                            "    - drm/amdgpu: Only send RMA CPER when threshold is exceeded",
                            "    - netfilter: xt_policy: fix strict mode inbound policy matching",
                            "    - netfilter: nf_conntrack_sip: don't use simple_strtoul",
                            "    - spi: rzv2h-rspi: Fix silent failure in clock setup error path",
                            "    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED",
                            "    - ASoC: SOF: Intel: add an empty adr_link",
                            "    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ",
                            "    - ASoC: tas2764: Mark die temp register as volatile",
                            "    - ASoC: tas2770: Fix order of operations for temperature calculation",
                            "    - drm/sysfb: ofdrm: fix PCI device reference leaks",
                            "    - drm/color-mgmt: Typo s/R332/RGB332/",
                            "    - arm64/scs: Fix potential sign extension issue of advance_loc4",
                            "    - spi: spi-mem: Add a packed command operation",
                            "    - mtd: spinand: Add support for packed read data ODTR commands",
                            "    - mtd: spinand: winbond: Set the packed page read flag to W35N02/04JW",
                            "    - mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW",
                            "    - ACPICA: Provide #defines for EINJV2 error types",
                            "    - ACPI: APEI: EINJ: Fix EINJV2 memory error injection",
                            "    - cdrom, scsi: sr: propagate read-only status to block layer via",
                            "      set_disk_ro()",
                            "    - spi: axiado: replace usleep_range() with udelay() in IRQ path",
                            "    - netdevsim: zero initialize struct iphdr in dummy sk_buff",
                            "    - net/sched: netem: fix probability gaps in 4-state loss model",
                            "    - net/sched: netem: fix queue limit check to include reordered packets",
                            "    - net/sched: netem: only reseed PRNG when seed is explicitly provided",
                            "    - net/sched: netem: validate slot configuration",
                            "    - net/sched: netem: fix slot delay calculation overflow",
                            "    - net/sched: netem: check for negative latency and jitter",
                            "    - net: airoha: fix BQL imbalance in TX path",
                            "    - net: airoha: stop net_device TX queue before updating CPU index",
                            "    - net: airoha: fix typo in function name",
                            "    - net: airoha: Do not wake all netdev TX queues in",
                            "      airoha_qdma_wake_netdev_txqs()",
                            "    - net: airoha: Do not read uninitialized fragment address in",
                            "      airoha_dev_xmit()",
                            "    - net/sched: sch_choke: annotate data-races in choke_dump_stats()",
                            "    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()",
                            "    - vrf: Fix a potential NPD when removing a port from a VRF",
                            "    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()",
                            "    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit",
                            "    - spi: amlogic-spisg: initialize completion before requesting IRQ",
                            "    - NFC: trf7970a: Ignore antenna noise when checking for RF field",
                            "    - net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind",
                            "    - neigh: let neigh_xmit take skb ownership",
                            "    - tcp: make probe0 timer handle expired user timeout",
                            "    - netpoll: fix IPv6 local-address corruption",
                            "    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams",
                            "    - sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue",
                            "    - sched/fair: Clear rel_deadline when initializing forked entities",
                            "    - net: mctp i2c: check length before marking flow active",
                            "    - md/raid1,raid10: don't fail devices for invalid IO errors",
                            "    - md: add fallback to correct bitmap_ops on version mismatch",
                            "    - md: factor bitmap creation away from sysfs handling",
                            "    - md/md-bitmap: split bitmap sysfs groups",
                            "    - md/md-bitmap: add a none backend for bitmap grow",
                            "    - s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()",
                            "    - net: phy: dp83869: fix setting CLK_O_SEL field.",
                            "    - drm/amd/display: properly handle family setting for early GC 11.5.4",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.3.0 ring",
                            "    - drm/amd/pm: Add fine grained flag to SMU v13.0.6",
                            "    - io_uring/napi: cap busy_poll_to 10 msec",
                            "    - ASoC: cs35l56: Fix illegal writes to OTP_MEM registers",
                            "    - net: psp: check for device unregister when creating assoc",
                            "    - net: psp: require admin permission for dev-set and key-rotate",
                            "    - ASoC: codecs: ab8500: Fix casting of private data",
                            "    - netfilter: skip recording stale or retransmitted INIT",
                            "    - sctp: discard stale INIT after handshake completion",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (I)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (II)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (IV)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)",
                            "    - netconsole: return count instead of strnlen(buf, count) from store",
                            "      callbacks",
                            "    - netconsole: avoid clobbering userdatum value on truncated write",
                            "    - netconsole: propagate device name truncation in dev_name_store()",
                            "    - netconsole: restore userdatum value on update_userdata() failure",
                            "    - ALSA: hda/conexant: Fix missing error check for jack detection",
                            "    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()",
                            "    - ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0",
                            "      pages >1",
                            "    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup",
                            "    - drm/amd/display: Allow embedded connectors without DDC",
                            "    - drm/amd/display: Allow DCE link encoder without AUX registers",
                            "    - drm/amd/display: Allow constructing DCE6 link encoder without DDC",
                            "    - drm/amd/display: Allow constructing DCE8 link encoder without DDC",
                            "    - drm/amd/display: Read EDID from VBIOS embedded panel info",
                            "    - drm/amd/display: Use EDID from VBIOS embedded panel info",
                            "    - drm/xe: Use XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET enum instead of magic",
                            "      number",
                            "    - drm/xe: Drop registration of guc_submit_wedged_fini from",
                            "      xe_guc_submit_wedge()",
                            "    - drm/xe/debugfs: Correct printing of register whitelist ranges",
                            "    - drm/xe: Fix potential NULL deref in",
                            "      xe_exec_queue_tlb_inval_last_fence_put_unlocked",
                            "    - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()",
                            "    - drm/xe/eustall: Fix drm_dev_put called before stream disable in close",
                            "    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()",
                            "    - drm/xe/xelp: Fix Wa_18022495364",
                            "    - net: airoha: Do not return err in ndo_stop() callback",
                            "    - bonding: print churn state via netlink",
                            "    - bonding: 3ad: implement proper RCU rules for port->aggregator",
                            "    - page_pool: fix memory-provider leak in page_pool_create_percpu() error",
                            "      path",
                            "    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING",
                            "    - iavf: stop removing VLAN filters from PF on interface down",
                            "    - iavf: wait for PF confirmation before removing VLAN filters",
                            "    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler",
                            "    - ice: fix NULL pointer dereference in ice_reset_all_vfs()",
                            "    - ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw",
                            "    - ice: fix missing SMA pin initialization in DPLL subsystem",
                            "    - ice: fix SMA and U.FL pin state changes affecting paired pin",
                            "    - ice: fix missing dpll notifications for SW pins",
                            "    - dpll: export __dpll_pin_change_ntf() for use under dpll_lock",
                            "    - ice: add dpll peer notification for paired SMA and U.FL pins",
                            "    - net: tls: fix strparser anchor skb leak on offload RX setup failure",
                            "    - sfc: fix error code in efx_devlink_info_running_versions()",
                            "    - net/sched: cls_flower: revert unintended changes",
                            "    - kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition",
                            "    - arm64: Reserve an extra page for early kernel mapping",
                            "    - futex: Drop CLONE_THREAD requirement for private default hash alloc",
                            "    - PCI: Initialize temporary device in new_id_store()",
                            "    - workqueue: fix devm_alloc_workqueue() va_list misuse",
                            "    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()",
                            "    - sched/fair: Fix wakeup_preempt_fair() for not waking up task",
                            "    - crypto: af_alg - Cap AEAD AD length to 0x80000000",
                            "    - i40e: Cleanup PTP pins on probe failure",
                            "    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path",
                            "    - net: ena: PHC: Fix potential use-after-free in get_timestamp",
                            "    - cgroup/cpuset: Reset DL migration state on can_attach() failure",
                            "    - netfilter: nf_conntrack_sip: get helper before allocating expectation",
                            "    - audit: fix incorrect inheritable capability in CAPSET records",
                            "    - net: ena: PHC: Check return code before setting timestamp output",
                            "    - cgroup/dmem: Return -ENOMEM on failed pool preallocation",
                            "    - idpf: fix double free and use-after-free in aux device error paths",
                            "    - cgroup/cpuset: Reserve DL bandwidth only for root-domain moves",
                            "    - Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to",
                            "      warn\"",
                            "    - netfilter: nft_ct: fix missing expect put in obj eval",
                            "    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled",
                            "    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV",
                            "    - cgroup/cpuset: Return only actually allocated CPUs during partition",
                            "      invalidation",
                            "    - KVM: x86: Swap the dst and src operand for MOVNTDQA",
                            "    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()",
                            "    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer",
                            "      arithmetic",
                            "    - KVM: x86: Fix Xen hypercall tracepoint argument assignment",
                            "    - HID: pass the buffer size to hid_report_raw_event",
                            "    - HID: core: introduce hid_safe_input_report()",
                            "    - rseq: Revert to historical performance killing behaviour",
                            "    - rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode",
                            "    - rseq: Reenable performance optimizations conditionally",
                            "    - HID: core: Fix size_t specifier in hid_report_raw_event()",
                            "    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands",
                            "    - media: staging: imx: configure src_mux in csi_start",
                            "    - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events",
                            "    - nvme-apple: Reset q->sq_tail during queue init",
                            "    - smb/client: fix possible infinite loop and oob read in symlink_data()",
                            "    - drm/loongson: Use managed KMS polling",
                            "    - drm: Replace old pointer to new idr",
                            "    - drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup",
                            "    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats",
                            "    - drm/amd/display: Wrap DCN32 phantom-plane allocation in",
                            "      DC_RUN_WITH_PREEMPTION_ENABLED",
                            "    - drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure",
                            "    - platform/x86: intel: Move debugfs register before creating devices",
                            "    - platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers",
                            "    - platform/x86: lenovo-wmi-helpers: Fix memory leak in",
                            "      lwmi_dev_evaluate_int()",
                            "    - platform/x86: lenovo-wmi-other: Balance IDA id allocation and free",
                            "    - platform/x86: lenovo-wmi-other: Balance component bind and unbind",
                            "    - platform/x86: lenovo-wmi-other: Zero initialize WMI arguments",
                            "    - platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members",
                            "    - platform/x86: lenovo-wmi-other: Add Attribute ID helper functions",
                            "    - platform/x86: lenovo-wmi-other: Limit adding attributes to supported",
                            "      devices",
                            "    - accel/rocket: Fix prep_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx",
                            "    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone",
                            "    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans",
                            "    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans",
                            "    - ALSA: usb-audio: qcom: Check offload mapping failures",
                            "    - btrfs: only release the dirty pages io tree after successful writes",
                            "    - ceph: fix a buffer leak in __ceph_setxattr()",
                            "    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size",
                            "    - ceph: put folios not suitable for writeback",
                            "    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
                            "    - iommu/amd: Bounds-check devid in __rlookup_amd_iommu()",
                            "    - x86/kexec: Push kjump return address even for non-kjump kexec",
                            "    - xfs: fix memory leak on error in xfs_alloc_zone_info()",
                            "    - virt: sev-guest: Do not use host-controlled page order in cleanup path",
                            "    - powerpc/warp: Fix error handling in pika_dtm_thread",
                            "    - netfs: fix error handling in netfs_extract_user_iter()",
                            "    - nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled",
                            "    - nfsd: fix file change detection in CB_GETATTR",
                            "    - nfsd: update mtime/ctime on CLONE in presense of delegated attributes",
                            "    - nfsd: update mtime/ctime on COPY in presence of delegated attributes",
                            "    - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining",
                            "    - irqchip/meson-gpio: Use the correct register in",
                            "      meson_s4_gpio_irq_set_type()",
                            "    - irqchip/gic-v5: Move LPI allocation into the LPI domain",
                            "    - irqchip/gic-v5: Support range allocation for LPIs",
                            "    - irqchip/gic-v5: Allocate ITS parent LPIs as a range",
                            "    - libceph: Fix potential out-of-bounds access in osdmap_decode()",
                            "    - libceph: Fix potential null-ptr-deref in decode_choose_args()",
                            "    - libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()",
                            "    - libceph: Fix potential out-of-bounds access in crush_decode()",
                            "    - libceph: handle rbtree insertion error in decode_choose_args()",
                            "    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX",
                            "    - iommu/vt-d: Fix oops due to out of scope access",
                            "    - iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
                            "    - iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()",
                            "    - iommu: Replace per-group resetting_domain with per-gdev blocked flag",
                            "    - iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset",
                            "    - iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix nested pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()",
                            "    - drm/i915: skip __i915_request_skip() for already signaled requests",
                            "    - drm/panfrost: Fix wait_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - drm/xe/dma-buf: handle empty bo and UAF races",
                            "    - drm/xe/dma-buf: fix UAF with retry loop",
                            "    - drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure",
                            "    - drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC",
                            "    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup",
                            "    - drm/gma500/oaktrail_lvds: fix hang on init failure",
                            "    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init",
                            "    - arm_mpam: Fix monitor instance selection when checking for hardware NRDY",
                            "    - arm_mpam: Pretend that NRDY is always hardware managed",
                            "    - arm_mpam: Improve check for whether or not NRDY is hardware managed",
                            "    - arm_mpam: Fix false positive assert failure during mpam_disable()",
                            "    - arm_mpam: Check whether the config array is allocated before destroying",
                            "      it",
                            "    - eventfs: Simplify code using guard()s",
                            "    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list",
                            "    - smb: client: Use FullSessionKey for AES-256 encryption key derivation",
                            "    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: sifive: fix controller deregistration",
                            "    - tracefs: Removed unused 'ret' variable in eventfs_iterate()",
                            "    - workqueue: Annotate alloc_workqueue_va() with __printf(1, 0)",
                            "    - selftests/bpf: Remove test_access_variable_array",
                            "    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()",
                            "    - Linux 7.0.10",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45846",
                            "    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45845",
                            "    - net/sched: taprio: fix NULL pointer dereference in class dump",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45844",
                            "    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-46242",
                            "    - eventpoll: fix ep_remove struct eventpoll / struct file UAF",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45843",
                            "    - slip: bound decode() reads against the compressed packet length",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45842",
                            "    - slip: reject VJ receive packets on instances with no rstate array",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45841",
                            "    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45840",
                            "    - openvswitch: cap upcall PID array size and pre-size vport replies",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45839",
                            "    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45838",
                            "    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006)",
                            "    - Linux 7.0.8",
                            "    - HID: pidff: Fix integer overflow in pidff_rescale",
                            "    - media: uvcvideo: Enable VB2_DMABUF for metadata stream",
                            "    - drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames",
                            "    - media: rzv2h-ivc: Avoid double job scheduling",
                            "    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0",
                            "    - media: rzv2h-ivc: Write AXIRX_PIXFMT once",
                            "    - media: rzv2h-ivc: Fix FM_STOP register write",
                            "    - media: rzv2h-ivc: Fix concurrent buffer list access",
                            "    - media: mali-c55: Initialize the ISP in enable_streams()",
                            "    - media: mali-c55: Fix Iridix bypass macros",
                            "    - media: renesas: vsp1: Fix NULL pointer deref on module unload",
                            "    - media: renesas: vin: Fix RAW8 (again)",
                            "    - media: i2c: ov8856: free control handler on error in",
                            "      ov8856_init_controls()",
                            "    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for",
                            "      RK35{76,88}",
                            "    - media: dt-bindings: rockchip,vdec: Mark reg-names required for",
                            "      RK35{76,88}",
                            "    - media: chips-media: wave5: fix a potential memory leak in",
                            "      wave5_vdi_init()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      send_eos_event()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      handle_dynamic_resolution_change()",
                            "    - arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label",
                            "      position",
                            "    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after",
                            "      system pages",
                            "    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages",
                            "    - spi: bcm63xx: fix controller deregistration",
                            "    - spi: atmel: fix controller deregistration",
                            "    - arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux",
                            "    - regulator: mt6357: fix OF node reference imbalance",
                            "    - spi: st-ssc4: fix controller deregistration",
                            "    - regulator: max77650: fix OF node reference imbalance",
                            "    - media: ti: vpe: Add missing v4l2_device_unregister in vip_remove()",
                            "    - media: rc: streamzap: Error handling in probe",
                            "    - media: i2c: imx283: Enter full standby when stopping streaming",
                            "    - regulator: bq257xx: fix OF node reference imbalance",
                            "    - regulator: rk808: fix OF node reference imbalance",
                            "    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
                            "    - media: mali-c55: Fully reset the ISP configuration",
                            "    - media: intel/ipu6: fix error pointer dereference",
                            "    - media: i2c: imx283: Fix hang when going from large to small resolution",
                            "    - regulator: act8945a: fix OF node reference imbalance",
                            "    - regulator: s2dos05: fix OF node reference imbalance",
                            "    - regulator: bd9571mwv: fix OF node reference imbalance",
                            "    - spi: lantiq-ssc: fix controller deregistration",
                            "    - spi: meson-spicc: fix controller deregistration",
                            "    - spi: qup: fix controller deregistration",
                            "    - arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO",
                            "    - spi: at91-usart: fix controller deregistration",
                            "    - media: ipu-bridge: Add upside-down sensor DMI quirk for Dell XPS 13 9340",
                            "      and XPS 14 9440",
                            "    - spi: amlogic-spisg: fix controller deregistration",
                            "    - spi: aspeed-smc: fix controller deregistration",
                            "    - drm/colorop: Preserve bypass value in duplicate_state()",
                            "    - drm/atomic: Add affected colorops with affected planes",
                            "    - platform/x86: hp-wmi: Ignore backlight and FnLock events",
                            "    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to",
                            "      copy",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for",
                            "      pinctrl/pinctrl_aon",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt",
                            "    - media: pci: zoran: fix potential memory leak in zoran_probe()",
                            "    - media: dib8000: avoid division by 0 in dib8000_set_dds()",
                            "    - media: i2c: imx412: Assert reset GPIO during probe",
                            "    - media: staging: imx: request mbus_config in csi_start",
                            "    - media: i2c: ov08d10: fix image vertical start setting",
                            "    - media: i2c: ov08d10: fix runtime PM handling in probe",
                            "    - media: omap3isp: drop the use count of v4l2 pipeline",
                            "    - media: iris: fix QCOM_MDT_LOADER dependency",
                            "    - media: qcom: camss: Fix csid clock configuration for sa8775p",
                            "    - media: qcom: camss: Fix csid IRQ offset for sa8775p",
                            "    - media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on",
                            "      SC7280",
                            "    - media: venus: fix QCOM_MDT_LOADER dependency",
                            "    - media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()",
                            "    - media: iris: switch to hardware mode after firmware boot",
                            "    - media: qcom: camss: Add missing clocks for VFE lite on sa8775p",
                            "    - spi: mxs: fix controller deregistration",
                            "    - spi: mt65xx: fix controller deregistration",
                            "    - spi: dln2: fix controller deregistration",
                            "    - spi: s3c64xx: fix controller deregistration",
                            "    - spi: fsl-espi: fix controller deregistration",
                            "    - spi: omap2-mcspi: fix controller deregistration",
                            "    - spi: pic32: fix controller deregistration",
                            "    - spi: ep93xx: fix controller deregistration",
                            "    - spi: mtk-nor: fix controller deregistration",
                            "    - spi: pl022: fix controller deregistration",
                            "    - spi: sh-hspi: fix controller deregistration",
                            "    - spi: bcmbca-hsspi: fix controller deregistration",
                            "    - spi: coldfire-qspi: fix controller deregistration",
                            "    - spi: npcm-pspi: fix controller deregistration",
                            "    - spi: cavium-thunderx: fix controller deregistration",
                            "    - spi: pic32-sqi: fix controller deregistration",
                            "    - spi: sprd: fix controller deregistration",
                            "    - spi: sh-msiof: fix controller deregistration",
                            "    - spi: slave-mt27xx: fix controller deregistration",
                            "    - spi: img-spfi: fix controller deregistration",
                            "    - spi: mpfs: fix controller deregistration",
                            "    - spi: octeon: fix controller deregistration",
                            "    - spi: imx: fix runtime pm leak on probe deferral",
                            "    - spi: mxic: fix controller deregistration",
                            "    - spi: orion: fix controller deregistration",
                            "    - spi: orion: fix runtime pm leak on unbind",
                            "    - spi: orion: fix clock imbalance on registration failure",
                            "    - spi: cadence: fix controller deregistration",
                            "    - spi: cadence-quadspi: fix controller deregistration",
                            "    - spi: cadence: fix unclocked access on unbind",
                            "    - spi: cadence: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm disable imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm and clock imbalance on unbind",
                            "    - drm/colorop: Fix blob property reference tracking in state lifecycle",
                            "    - drm/imx: parallel-display: Prefer bus format set via legacy \"interface-",
                            "      pix-fmt\" DT property",
                            "    - drm/msm: always recover the gpu",
                            "    - drm/v3d: Reject empty multisync extension to prevent infinite loop",
                            "    - drm/i915/psr: Init variable to avoid early exit from et alignment loop",
                            "    - drm/amd/display: fix math_mod() using arg1 instead of arg2",
                            "    - drm/amd: Add missing firmware declaration for PSP v15.0.0",
                            "    - drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0",
                            "      .",
                            "    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.",
                            "    - drm/amdgpu: gate VM CPU HDP flush on reset lock",
                            "    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x",
                            "    - drm/amdkfd: Add upper bound check for num_of_nodes",
                            "    - drm/amdgpu/vce: Prevent partial address patches",
                            "    - drm/amd/display: Change dither policy for 10 bpc output back to",
                            "      dithering",
                            "    - drm/appletbdrm: Use kvzalloc for big allocations",
                            "    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11 and",
                            "      higher.",
                            "    - drm/udl: Increase GET_URB_TIMEOUT",
                            "    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()",
                            "    - drm/xe/bo: Fix bo leak on unaligned size validation in",
                            "      xe_bo_init_locked()",
                            "    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
                            "    - drm/radeon: add missing revision check for CI",
                            "    - drm/amdgpu: zero-initialize GART table on allocation",
                            "    - drm/exynos: remove bridge when component_add fails",
                            "    - drm/amdgpu/userq: fix access to stale wptr mapping",
                            "    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ",
                            "    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer",
                            "    - drm/sti: remove bridge when sti_hda component_add fails",
                            "    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdkfd: Make all TLB-flushes heavy-weight",
                            "    - drm/amdgpu/pm: add missing revision check for CI",
                            "    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon",
                            "    - arm64: dts: qcom: kodiak: Fix PCIe1 PHY ref clock voting",
                            "    - arm64: dts: qcom: lemans: Correct QUP interrupt numbers",
                            "    - arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22",
                            "    - arm64: dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO",
                            "    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure",
                            "    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation",
                            "    - usb: typec: tcpm: reset internal port states on soft reset AMS",
                            "    - io_uring/zcrx: use guards for locking",
                            "    - io_uring/zcrx: warn on freelist violations",
                            "    - kho: fix error handling in kho_add_subtree()",
                            "    - EDAC/versalnet: Refactor memory controller initialization and cleanup",
                            "    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: uniphier: fix controller deregistration",
                            "    - cgroup: Increment nr_dying_subsys_* from rmdir context",
                            "    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()",
                            "    - perf build: fix \"argument list too long\" in second location",
                            "    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from mmap()",
                            "    - vsock/virtio: fix length and offset in tap skb for split packets",
                            "    - drm/amdgpu/vcn3: Avoid overflow on msg bound check",
                            "    - drm/amdgpu/vcn4: Avoid overflow on msg bound check",
                            "    - Linux 7.0.9",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46214",
                            "    - vsock/virtio: fix accept queue count leak on transport mismatch",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46207",
                            "    - vsock/virtio: fix empty payload in tap skb for non-linear buffers",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46234",
                            "    - vsock: fix buffer size clamping order",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46223",
                            "    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46221",
                            "    - EDAC/versalnet: Fix device name memory leak",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46231",
                            "    - batman-adv: bla: put backbone reference on failed claim hash insert",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46233",
                            "    - batman-adv: bla: only purge non-released claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46212",
                            "    - batman-adv: bla: prevent use-after-free when deleting claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46238",
                            "    - batman-adv: stop caching unowned originator pointers in BAT IV",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46208",
                            "    - batman-adv: stop tp_meter sessions during mesh teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46206",
                            "    - batman-adv: reject new tp_meter sessions during teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46198",
                            "    - batman-adv: fix integer overflow on buff_pos",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46227",
                            "    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in",
                            "      SCTP_SENDALL",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46220",
                            "    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46215",
                            "    - drm: Set old handle to NULL before prime swap in change_handle",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46201",
                            "    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46224",
                            "    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46197",
                            "    - drm/amdkfd: validate SVM ioctl nattr against buffer size",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46209",
                            "    - drm/gem: Fix inconsistent plane dimension calculation in",
                            "      drm_gem_fb_init_with_funcs()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46230",
                            "    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46199",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46204",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46218",
                            "    - drm/amdgpu: Add bounds checking to ib_{get,set}_value",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46229",
                            "    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46211",
                            "    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46203",
                            "    - spi: cadence-quadspi: fix unclocked access on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46219",
                            "    - spi: mpc52xx: fix use-after-free on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46200",
                            "    - spi: mpc52xx: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46241",
                            "    - spi: mpc52xx: fix use-after-free on registration failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46225",
                            "    - spi: rspi: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46226",
                            "    - spi: fsl: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46228",
                            "    - spi: ch341: fix devres lifetime",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46216",
                            "    - drm/xe/hdcp: Add NULL check for media_gt in",
                            "      intel_hdcp_gsc_check_status()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46210",
                            "    - media: iris: fix use-after-free of fmt_src during MBPF check",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46240",
                            "    - media: iris: Fix use-after-free in iris_release_internal_buffers()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46235",
                            "    - media: saa7164: add ioremap return checks and cleanups",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46222",
                            "    - media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46239",
                            "    - media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46236",
                            "    - media: rc: xbox_remote: heed DMA restrictions",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46205",
                            "    - staging: media: atomisp: Disallow all private IOCTLs",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46202",
                            "    - HID: appletb-kbd: run inactivity autodim from workqueues",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46213",
                            "    - HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46232",
                            "    - HID: playstation: Clamp num_touch_reports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988)",
                            "    - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states",
                            "    - ACPI: scan: Use acpi_dev_put() in object add error paths",
                            "    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO",
                            "    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug",
                            "    - ACPI: video: force native backlight on HP OMEN 16 (8A44)",
                            "    - iommufd: Fix a race with concurrent allocation and unmap",
                            "    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command",
                            "    - spi: rockchip: fix controller deregistration",
                            "    - ksmbd: rewrite stop_sessions() with restartable iteration",
                            "    - flow_dissector: do not dissect PPPoE PFC frames",
                            "    - smb: client/smbdirect: fix MR registration for coalesced SG lists",
                            "    - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr",
                            "    - wifi: mt76: mt7925: fix incorrect length field in txpower command",
                            "    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work",
                            "    - wifi: ath5k: do not access array OOB",
                            "    - ALSA: usb-audio: midi2: Restart output URBs on resume",
                            "    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check",
                            "    - usb: dwc3: Move GUID programming after PHY initialization",
                            "    - USB: omap_udc: DMA: Don't enable burst 4 mode",
                            "    - USB: serial: option: add Telit Cinterion LE910Cx compositions",
                            "    - usb: typec: tcpm: fix debug accessory mode detection for sink ports",
                            "    - ALSA: hda: cs35l56: Propagate ASP TX source control errors",
                            "    - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi",
                            "      Laptop Pro 15",
                            "    - ALSA: firewire-tascam: Do not drop unread control events",
                            "    - ALSA: core: Serialize deferred fasync state checks",
                            "    - ALSA: seq: Fix UMP group 16 filtering",
                            "    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o",
                            "    - x86/efi: Restore IRQ state in EFI page fault handler",
                            "    - xfrm: provide message size for XFRM_MSG_MAPPING",
                            "    - selinux: fix avdcache auditing",
                            "    - selinux: don't reserve xattr slot when we won't fill it",
                            "    - selinux: shrink critical section in sel_write_load()",
                            "    - selinux: prune /sys/fs/selinux/checkreqprot",
                            "    - selinux: prune /sys/fs/selinux/disable",
                            "    - selinux: prune /sys/fs/selinux/user",
                            "    - selinux: allow multiple opens of /sys/fs/selinux/policy",
                            "    - io_uring/kbuf: support min length left for incremental buffers",
                            "    - io_uring/tw: serialize ctx->retry_llist with ->uring_lock",
                            "    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()",
                            "    - rust: drm: gem: clean up GEM state in init failure case",
                            "    - rust: allow `clippy::collapsible_match` globally",
                            "    - rust: allow `clippy::collapsible_if` globally",
                            "    - rust: pin-init: internal: move alignment check to `make_field_check`",
                            "    - spi: syncuacer: fix controller deregistration",
                            "    - spi: sun4i: fix controller deregistration",
                            "    - spi: zynq-qspi: fix controller deregistration",
                            "    - spi: ti-qspi: fix controller deregistration",
                            "    - spi: sun6i: fix controller deregistration",
                            "    - spi: tegra114: fix controller deregistration",
                            "    - spi: zynqmp-gqspi: fix controller deregistration",
                            "    - spi: tegra20-sflash: fix controller deregistration",
                            "    - spi: s3c64xx: fix NULL-deref on driver unbind",
                            "    - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in",
                            "      rtw_cbuf_alloc",
                            "    - staging: vme_user: fix root device leak on init failure",
                            "    - KVM: arm64: Fix kvm_vcpu_initialized() macro parameter",
                            "    - arm64: signal: Preserve POR_EL0 if poe_context is missing",
                            "    - mm/hugetlb_cma: round up per_node before logging it",
                            "    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT",
                            "    - LoongArch: KVM: Compile switch.S directly into the kernel",
                            "    - mptcp: pm: ADD_ADDR rtx: skip inactive subflows",
                            "    - perf/x86/intel: Improve validation and configuration of ACR masks",
                            "    - selftests/rseq: Don't run tests with runner scripts outside of the",
                            "      scripts",
                            "    - rseq: Set rseq::cpu_id_start to 0 on unregistration",
                            "    - rseq: Protect rseq_reset() against interrupts",
                            "    - rseq: Don't advertise time slice extensions if disabled",
                            "    - selftests/rseq: Make registration flexible for legacy and optimized mode",
                            "    - selftests/rseq: Skip tests if time slice extensions are not available",
                            "    - selftests/rseq: Validate legacy behavior",
                            "    - selftests/rseq: Expand for optimized RSEQ ABI v2",
                            "    - pseries/papr-hvpipe: Fix race with interrupt handler",
                            "    - pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()",
                            "    - pseries/papr-hvpipe: Fix the usage of copy_to_user()",
                            "    - net: libwx: use request_irq for VF misc interrupt",
                            "    - netpoll: pass buffer size to egress_dev() to avoid MAC truncation",
                            "    - ovl: fix verity lazy-load guard broken by fsverity_active() semantic",
                            "      change",
                            "    - parisc: Fix IRQ leak in LASI driver",
                            "    - x86/efi: Fix graceful fault handling after FPU softirq changes",
                            "    - hwmon: (ltc2992) Clamp threshold writes to hardware range",
                            "    - hwmon: (ltc2992) Fix u32 overflow in power read path",
                            "    - clk: rk808: fix OF node reference imbalance",
                            "    - hwmon: (corsair-psu) Close HID device on probe errors",
                            "    - af_unix: Reject SIOCATMARK on non-stream sockets",
                            "    - arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's",
                            "    - pmdomain: mediatek: fix use-after-free in",
                            "      scpsys_get_bus_protection_legacy()",
                            "    - block: fix zone write plug removal",
                            "    - block: only read from sqe on initial invocation of blkdev_uring_cmd()",
                            "    - cifs: abort open_cached_dir if we don't request leases",
                            "    - cifs: change_conf needs to be called for session setup",
                            "    - extcon: ptn5150: handle pending IRQ events during system resume",
                            "    - gpio: of: clear OF_POPULATED on hog nodes in remove path",
                            "    - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS",
                            "    - hv_sock: fix ARM64 support",
                            "    - hv_sock: Report EOF instead of -EIO for FIN",
                            "    - hv_sock: Return -EIO for malformed/short packets",
                            "    - spi: microchip-core-qspi: fix controller deregistration",
                            "    - spi: microchip-core-spi: fix controller deregistration",
                            "    - tracefs: Fix default permissions not being applied on initial mount",
                            "    - udf: reject descriptors with oversized CRC length",
                            "    - x86/boot/e820: Re-enable BIOS fallback if e820 table is empty",
                            "    - thermal: core: Free thermal zone ID later during removal",
                            "    - thermal/drivers/sprd: Fix temperature clamping in",
                            "      sprd_thm_temp_to_rawdata",
                            "    - thermal/drivers/sprd: Fix raw temperature clamping in",
                            "      sprd_thm_rawdata_to_temp",
                            "    - spi: topcliff-pch: fix controller deregistration",
                            "    - spi: topcliff-pch: fix use-after-free on unbind",
                            "    - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section",
                            "    - tracing/fprobe: Remove fprobe from hash in failure path",
                            "    - tracing/fprobe: Unregister fprobe even if memory allocation fails",
                            "    - tracing/probes: Limit size of event probe to 3K",
                            "    - tracing/fprobe: Check the same type fprobe on table as the unregistered",
                            "      one",
                            "    - clk: imx: imx8-acm: fix flags for acm clocks",
                            "    - clk: microchip: mpfs-ccc: fix out of bounds access during output",
                            "      registration",
                            "    - cpuidle: powerpc: avoid double clear when breaking snooze",
                            "    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk",
                            "      table",
                            "    - ASoC: ES8389: convert to devm_clk_get_optional() to get clock",
                            "    - ASoC: fsl_easrc: fix comment typo",
                            "    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error",
                            "    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop",
                            "    - ASoC: qcom: q6apm: remove child devices when apm is removed",
                            "    - btrfs: do not mark inode incompressible after inline attempt fails",
                            "    - dm: don't report warning when doing deferred remove",
                            "    - dm: fix a buffer overflow in ioctl processing",
                            "    - dm-verity-fec: correctly reject too-small FEC devices",
                            "    - dm-verity-fec: correctly reject too-small hash devices",
                            "    - dm-verity-fec: fix corrected block count stat",
                            "    - dm-verity-fec: fix the size of dm_verity_fec_io::erasures",
                            "    - isofs: validate Rock Ridge CE continuation extent against volume size",
                            "    - iommufd: Fix return value of iommufd_fault_fops_write()",
                            "    - iommu/vt-d: Block PASID attachment to nested domain with dirty tracking",
                            "    - iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update",
                            "    - lib/crc: tests: Make crc_kunit test only the enabled CRC variants",
                            "    - lib/scatterlist: fix temp buffer in extract_user_to_sg()",
                            "    - nvme-apple: drop invalid put of admin queue reference count",
                            "    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
                            "    - pmdomain: core: Fix detach procedure for virtual devices in genpd",
                            "    - psp: strip variable-length PSP header in psp_dev_rcv()",
                            "    - s390/debug: Reject zero-length input in debug_input_flush_fn()",
                            "    - s390/debug: Reject zero-length input before trimming a newline",
                            "    - KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty",
                            "    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/stat: detect and use fresh enabled value",
                            "    - PCI: Update saved_config_space upon resource assignment",
                            "    - PCI/AER: Clear only error bits in PCIe Device Status",
                            "    - PCI/AER: Stop ruling out unbound devices as error source",
                            "    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage",
                            "    - power: supply: max17042: avoid overflow when determining health",
                            "    - perf/x86/intel: Always reprogram ACR events to prevent stale masks",
                            "    - perf/x86/intel: Disable PMI for self-reloaded ACR events",
                            "    - perf/x86/intel: Enable auto counter reload for DMR",
                            "    - RDMA/ionic: bound node_desc sysfs read with %.64s",
                            "    - RDMA/ionic: Fix typo in format string",
                            "    - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()",
                            "    - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()",
                            "    - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask",
                            "    - sched_ext: Use dsq->first_task instead of list_empty() in",
                            "      dispatch_enqueue() FIFO-tail",
                            "    - selftests: mptcp: check output: catch cmd errors",
                            "    - selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl",
                            "    - mptcp: fastclose msk when linger time is 0",
                            "    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure",
                            "    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure",
                            "    - mptcp: sockopt: set timestamp flags on subflow socket, not msk",
                            "    - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf",
                            "    - mptcp: fix rx timestamp corruption on fastopen",
                            "    - mptcp: pm: prio: skip closed subflows",
                            "    - mptcp: pm: kernel: reset fullmesh counter after flush",
                            "    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker",
                            "    - mptcp: pm: ADD_ADDR rtx: return early if no retrans",
                            "    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()",
                            "    - f2fs: fix false alarm of lockdep on cp_global_sem lock",
                            "    - f2fs: fix fiemap boundary handling when read extent cache is incomplete",
                            "    - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage",
                            "    - f2fs: fix incorrect file address mapping when inline inode is unwritten",
                            "    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()",
                            "    - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()",
                            "    - f2fs: refactor f2fs_move_node_folio function",
                            "    - f2fs: fix inline data not being written to disk in writeback path",
                            "    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace",
                            "    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value",
                            "    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()",
                            "    - KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer",
                            "    - KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer",
                            "    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS",
                            "    - LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry",
                            "    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by",
                            "      software",
                            "    - LoongArch: KVM: Move unconditional delay into timer clear scenery",
                            "    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()",
                            "    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup",
                            "    - mmc: core: Adjust MDT beyond 2025",
                            "    - mmc: core: Add quirk for incorrect manufacturing date",
                            "    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs",
                            "    - crypto: qat - fix indentation of macros in qat_hal.c",
                            "    - crypto: qat - fix firmware loading failure for GEN6 devices",
                            "    - hfsplus: fix held lock freed on hfsplus_fill_super()",
                            "    - 8021q: use RCU for egress QoS mappings",
                            "    - printk: add print_hex_dump_devel()",
                            "    - crypto: caam - guard HMAC key hex dumps in hash_digest_key",
                            "    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()",
                            "    - rust: pin-init: fix incorrect accessor reference lifetime",
                            "    - Linux 7.0.7",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43490",
                            "    - ksmbd: validate inherited ACE SID length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46174",
                            "    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op",
                            "      cache",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46110",
                            "    - net: stmmac: Prevent NULL deref when RX memory exhausted",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46153",
                            "    - 8021q: delete cleared egress QoS mappings",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46169",
                            "    - hfsplus: fix uninit-value by validating catalog record size",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46188",
                            "    - octeon_ep_vf: add NULL check for napi_build_skb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45837",
                            "    - bpf: Fix use-after-free in arena_vm_close on fork",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46156",
                            "    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46147",
                            "    - KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46175",
                            "    - f2fs: fix fsck inconsistency caused by FGGC of node block",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46194",
                            "    - f2fs: fix node_cnt race between extent node destroy and writeback",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46170",
                            "    - mptcp: pm: ADD_ADDR rtx: free sk if last",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46158",
                            "    - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46168",
                            "    - mptcp: fix scheduling with atomic in timestamp sockopt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46189",
                            "    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46133",
                            "    - RDMA/rxe: Reject unknown opcodes before ICRC processing",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46114",
                            "    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46127",
                            "    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46176",
                            "    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46178",
                            "    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46181",
                            "    - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46145",
                            "    - RDMA/mana: Validate rx_hash_key_len",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46117",
                            "    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46126",
                            "    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46144",
                            "    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46141",
                            "    - powerpc/xive: fix kmemleak caused by incorrect chip_data lookup",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46183",
                            "    - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46121",
                            "    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46131",
                            "    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46139",
                            "    - smb: client: use kzalloc to zero-initialize security descriptor buffer",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46105",
                            "    - scsi: mpt3sas: Limit NVMe request size to 2 MiB",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46171",
                            "    - riscv: kvm: fix vector context allocation leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46112",
                            "    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46165",
                            "    - openvswitch: vport: fix self-deadlock on release of tunnel ports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46161",
                            "    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43492",
                            "    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46124",
                            "    - isofs: validate block number from NFS file handle in isofs_export_iget",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46130",
                            "    - dm-verity-fec: fix reading parity bytes split across blocks (take 3)",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46106",
                            "    - eventfs: Hold eventfs_mutex and SRCU when remount walks events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46107",
                            "    - dm-thin: fix metadata refcount underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46160",
                            "    - btrfs: fix missing last_unlink_trans update when removing a directory",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46164",
                            "    - btrfs: fix double free in create_space_info_sub_group() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46129",
                            "    - btrfs: fix double free in create_space_info() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46159",
                            "    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to",
                            "      info-leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46143",
                            "    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46148",
                            "    - spi: microchip-core-qspi: control built-in cs manually",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46192",
                            "    - spi: microchip-core-qspi: don't attempt to transmit during emulated",
                            "      read-only dual/quad operations",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46162",
                            "    - ice: fix double free in ice_sf_eth_activate() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46273",
                            "    - ibmveth: Disable GSO for packets with small MSS",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46191",
                            "    - fbcon: Avoid OOB font access if console rotation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46134",
                            "    - platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43495",
                            "    - net: wwan: t7xx: validate port_count against message length in",
                            "      t7xx_port_enum_msg_handler",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43502",
                            "    - net/rds: handle zerocopy send cleanup before the message is queued",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46120",
                            "    - ip6_gre: Use cached t->net in ip6erspan_changelink().",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46142",
                            "    - net: libwx: fix VF illegal register access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46118",
                            "    - pseries/papr-hvpipe: Fix null ptr deref in",
                            "      papr_hvpipe_dev_create_handle()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46182",
                            "    - pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46184",
                            "    - sound: ua101: fix division by zero at probe",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43498",
                            "    - accel/ivpu: Disallow re-exporting imported GEM objects",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46132",
                            "    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in",
                            "      rtnl_fill_vfinfo",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46190",
                            "    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46150",
                            "    - fanotify: fix false positive on permission events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45836",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45834",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45835",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46138",
                            "    - Bluetooth: hci_event: Fix OOB read and infinite loop in",
                            "      hci_le_create_big_complete_evt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46111",
                            "    - Bluetooth: hci_conn: fix potential UAF in create_big_sync",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46140",
                            "    - Bluetooth: btmtk: validate WMT event SKB length before struct access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46186",
                            "    - Bluetooth: virtio_bt: validate rx pkt_type header length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46123",
                            "    - Bluetooth: virtio_bt: clamp rx length before skb_put",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46104",
                            "    - selinux: use sk blob accessor in socket permission helpers",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46193",
                            "    - xfrm: ah: account for ESN high bits in async callbacks",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46172",
                            "    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46116",
                            "    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46154",
                            "    - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46157",
                            "    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46109",
                            "    - usb: ulpi: fix memory leak on ulpi_register() error paths",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46146",
                            "    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46167",
                            "    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46151",
                            "    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46180",
                            "    - wifi: brcmfmac: Fix potential use-after-free issue when stopping",
                            "      watchdog task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46122",
                            "    - wifi: b43: enforce bounds check on firmware key index in b43_rx()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46125",
                            "    - wifi: mac80211: remove station if connection prep fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46166",
                            "    - wifi: mac80211: use safe list iteration in radar detect work",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46187",
                            "    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46152",
                            "    - wifi: mac80211: drop stray 'static' from fast-RX rx_result",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46163",
                            "    - wifi: b43legacy: enforce bounds check on firmware key index in RX path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46136",
                            "    - wifi: mt76: mt7921: fix a potential clc buffer length underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46173",
                            "    - exit: prevent preemption of oopsing TASK_DEAD task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43496",
                            "    - net/sched: sch_red: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46113",
                            "    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46179",
                            "    - ASoC: SOF: Don't allow pointer operations on unconfigured streams",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46196",
                            "    - tracepoint: balance regfunc() on func_add() failure in",
                            "      tracepoint_add_func()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43497",
                            "    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46108",
                            "    - ipmi:si: Return state to normal if message allocation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46128",
                            "    - ipmi: Check event message buffer response for bad data",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46177",
                            "    - ipmi: Add limits to event and receive message requests",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46149",
                            "    - scsi: target: configfs: Bound snprintf() return in",
                            "      tg_pt_gp_members_show()",
                            "",
                            "  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,",
                            "    conflicting with nouveau (LP: #2150845)",
                            "    - [Config] Disable NOVA_CORE",
                            "",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "",
                            "  * CVE-2026-46137",
                            "    - mptcp: pm: ADD_ADDR rtx: allow ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: fix potential data-race",
                            "",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "",
                            "  * CVE-2026-46155",
                            "    - smb/client: fix out-of-bounds read in smb2_compound_op()",
                            "",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157520,
                            2154418,
                            2155837,
                            2154174,
                            2154748,
                            2156559,
                            2156556,
                            2150640,
                            2156312,
                            2155096,
                            2154715,
                            2153159,
                            2150071,
                            2154343,
                            2149770,
                            2153155,
                            2152570,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156390,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2150845
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 02:37:29 +0300"
                    }
                ],
                "notes": "linux-headers-7.0.0-28-generic version '7.0.0-28.28' (source package linux version '7.0.0-28.28') was added. linux-headers-7.0.0-28-generic version '7.0.0-28.28' has the same source package name, linux, as removed package linux-headers-7.0.0-27. As such we can use the source package version of the removed package, '7.0.0-27.27', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-7.0.0-28-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "7.0.0-27.27",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-28.28",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 00:59:41 +0300"
                    }
                ],
                "notes": "linux-image-7.0.0-28-generic version '7.0.0-28.28' (source package linux-signed version '7.0.0-28.28') was added. linux-image-7.0.0-28-generic version '7.0.0-28.28' has the same source package name, linux-signed, as removed package linux-image-7.0.0-27-generic. As such we can use the source package version of the removed package, '7.0.0-27.27', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-main-modules-zfs-7.0.0-28-generic",
                "from_version": {
                    "source_package_name": "linux-main-signed",
                    "source_package_version": "7.0.0-27.27",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-main-signed",
                    "source_package_version": "7.0.0-28.28+1",
                    "version": "7.0.0-28.28+1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- update from kernel-versions",
                            "      (main/2026.06.22)",
                            ""
                        ],
                        "package": "linux-main-signed",
                        "version": "7.0.0-28.28+1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Tue, 23 Jun 2026 17:11:38 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-28.28",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            "    - [Packaging] debian/dkms-versions -- update from kernel-versions",
                            "      (main/2026.06.22)",
                            ""
                        ],
                        "package": "linux-main-signed",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 01:00:46 +0300"
                    }
                ],
                "notes": "linux-main-modules-zfs-7.0.0-28-generic version '7.0.0-28.28+1' (source package linux-main-signed version '7.0.0-28.28+1') was added. linux-main-modules-zfs-7.0.0-28-generic version '7.0.0-28.28+1' has the same source package name, linux-main-signed, as removed package linux-main-modules-zfs-7.0.0-27-generic. As such we can use the source package version of the removed package, '7.0.0-27.27', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-7.0.0-28-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46318",
                        "url": "https://ubuntu.com/security/CVE-2026-46318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46322",
                        "url": "https://ubuntu.com/security/CVE-2026-46322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46320",
                        "url": "https://ubuntu.com/security/CVE-2026-46320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46321",
                        "url": "https://ubuntu.com/security/CVE-2026-46321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46316",
                        "url": "https://ubuntu.com/security/CVE-2026-46316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46317",
                        "url": "https://ubuntu.com/security/CVE-2026-46317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45846",
                        "url": "https://ubuntu.com/security/CVE-2026-45846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45845",
                        "url": "https://ubuntu.com/security/CVE-2026-45845",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45844",
                        "url": "https://ubuntu.com/security/CVE-2026-45844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46242",
                        "url": "https://ubuntu.com/security/CVE-2026-46242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-30 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45843",
                        "url": "https://ubuntu.com/security/CVE-2026-45843",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45842",
                        "url": "https://ubuntu.com/security/CVE-2026-45842",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45841",
                        "url": "https://ubuntu.com/security/CVE-2026-45841",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45840",
                        "url": "https://ubuntu.com/security/CVE-2026-45840",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45839",
                        "url": "https://ubuntu.com/security/CVE-2026-45839",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45838",
                        "url": "https://ubuntu.com/security/CVE-2026-45838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46214",
                        "url": "https://ubuntu.com/security/CVE-2026-46214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46207",
                        "url": "https://ubuntu.com/security/CVE-2026-46207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46234",
                        "url": "https://ubuntu.com/security/CVE-2026-46234",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46223",
                        "url": "https://ubuntu.com/security/CVE-2026-46223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46221",
                        "url": "https://ubuntu.com/security/CVE-2026-46221",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46231",
                        "url": "https://ubuntu.com/security/CVE-2026-46231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46233",
                        "url": "https://ubuntu.com/security/CVE-2026-46233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46212",
                        "url": "https://ubuntu.com/security/CVE-2026-46212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46238",
                        "url": "https://ubuntu.com/security/CVE-2026-46238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46208",
                        "url": "https://ubuntu.com/security/CVE-2026-46208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46206",
                        "url": "https://ubuntu.com/security/CVE-2026-46206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46198",
                        "url": "https://ubuntu.com/security/CVE-2026-46198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46227",
                        "url": "https://ubuntu.com/security/CVE-2026-46227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46220",
                        "url": "https://ubuntu.com/security/CVE-2026-46220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46215",
                        "url": "https://ubuntu.com/security/CVE-2026-46215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46201",
                        "url": "https://ubuntu.com/security/CVE-2026-46201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46224",
                        "url": "https://ubuntu.com/security/CVE-2026-46224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46197",
                        "url": "https://ubuntu.com/security/CVE-2026-46197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46209",
                        "url": "https://ubuntu.com/security/CVE-2026-46209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46230",
                        "url": "https://ubuntu.com/security/CVE-2026-46230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46199",
                        "url": "https://ubuntu.com/security/CVE-2026-46199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46204",
                        "url": "https://ubuntu.com/security/CVE-2026-46204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46218",
                        "url": "https://ubuntu.com/security/CVE-2026-46218",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46229",
                        "url": "https://ubuntu.com/security/CVE-2026-46229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46211",
                        "url": "https://ubuntu.com/security/CVE-2026-46211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46203",
                        "url": "https://ubuntu.com/security/CVE-2026-46203",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46219",
                        "url": "https://ubuntu.com/security/CVE-2026-46219",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46200",
                        "url": "https://ubuntu.com/security/CVE-2026-46200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46241",
                        "url": "https://ubuntu.com/security/CVE-2026-46241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46225",
                        "url": "https://ubuntu.com/security/CVE-2026-46225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46226",
                        "url": "https://ubuntu.com/security/CVE-2026-46226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46228",
                        "url": "https://ubuntu.com/security/CVE-2026-46228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46216",
                        "url": "https://ubuntu.com/security/CVE-2026-46216",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46210",
                        "url": "https://ubuntu.com/security/CVE-2026-46210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46240",
                        "url": "https://ubuntu.com/security/CVE-2026-46240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46235",
                        "url": "https://ubuntu.com/security/CVE-2026-46235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46222",
                        "url": "https://ubuntu.com/security/CVE-2026-46222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46239",
                        "url": "https://ubuntu.com/security/CVE-2026-46239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46236",
                        "url": "https://ubuntu.com/security/CVE-2026-46236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46205",
                        "url": "https://ubuntu.com/security/CVE-2026-46205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46202",
                        "url": "https://ubuntu.com/security/CVE-2026-46202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46213",
                        "url": "https://ubuntu.com/security/CVE-2026-46213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46232",
                        "url": "https://ubuntu.com/security/CVE-2026-46232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43490",
                        "url": "https://ubuntu.com/security/CVE-2026-43490",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 06:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46174",
                        "url": "https://ubuntu.com/security/CVE-2026-46174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46110",
                        "url": "https://ubuntu.com/security/CVE-2026-46110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46153",
                        "url": "https://ubuntu.com/security/CVE-2026-46153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46169",
                        "url": "https://ubuntu.com/security/CVE-2026-46169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46188",
                        "url": "https://ubuntu.com/security/CVE-2026-46188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45837",
                        "url": "https://ubuntu.com/security/CVE-2026-45837",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46156",
                        "url": "https://ubuntu.com/security/CVE-2026-46156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46147",
                        "url": "https://ubuntu.com/security/CVE-2026-46147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46175",
                        "url": "https://ubuntu.com/security/CVE-2026-46175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46194",
                        "url": "https://ubuntu.com/security/CVE-2026-46194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46170",
                        "url": "https://ubuntu.com/security/CVE-2026-46170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46158",
                        "url": "https://ubuntu.com/security/CVE-2026-46158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46168",
                        "url": "https://ubuntu.com/security/CVE-2026-46168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46189",
                        "url": "https://ubuntu.com/security/CVE-2026-46189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46133",
                        "url": "https://ubuntu.com/security/CVE-2026-46133",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46114",
                        "url": "https://ubuntu.com/security/CVE-2026-46114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46127",
                        "url": "https://ubuntu.com/security/CVE-2026-46127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46176",
                        "url": "https://ubuntu.com/security/CVE-2026-46176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46178",
                        "url": "https://ubuntu.com/security/CVE-2026-46178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46181",
                        "url": "https://ubuntu.com/security/CVE-2026-46181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46145",
                        "url": "https://ubuntu.com/security/CVE-2026-46145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46117",
                        "url": "https://ubuntu.com/security/CVE-2026-46117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46126",
                        "url": "https://ubuntu.com/security/CVE-2026-46126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46144",
                        "url": "https://ubuntu.com/security/CVE-2026-46144",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46141",
                        "url": "https://ubuntu.com/security/CVE-2026-46141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46183",
                        "url": "https://ubuntu.com/security/CVE-2026-46183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46121",
                        "url": "https://ubuntu.com/security/CVE-2026-46121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46131",
                        "url": "https://ubuntu.com/security/CVE-2026-46131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46139",
                        "url": "https://ubuntu.com/security/CVE-2026-46139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46105",
                        "url": "https://ubuntu.com/security/CVE-2026-46105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46171",
                        "url": "https://ubuntu.com/security/CVE-2026-46171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46112",
                        "url": "https://ubuntu.com/security/CVE-2026-46112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46165",
                        "url": "https://ubuntu.com/security/CVE-2026-46165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46161",
                        "url": "https://ubuntu.com/security/CVE-2026-46161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43492",
                        "url": "https://ubuntu.com/security/CVE-2026-43492",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46124",
                        "url": "https://ubuntu.com/security/CVE-2026-46124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46130",
                        "url": "https://ubuntu.com/security/CVE-2026-46130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46106",
                        "url": "https://ubuntu.com/security/CVE-2026-46106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46107",
                        "url": "https://ubuntu.com/security/CVE-2026-46107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46160",
                        "url": "https://ubuntu.com/security/CVE-2026-46160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46164",
                        "url": "https://ubuntu.com/security/CVE-2026-46164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46129",
                        "url": "https://ubuntu.com/security/CVE-2026-46129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46159",
                        "url": "https://ubuntu.com/security/CVE-2026-46159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46143",
                        "url": "https://ubuntu.com/security/CVE-2026-46143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46148",
                        "url": "https://ubuntu.com/security/CVE-2026-46148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46192",
                        "url": "https://ubuntu.com/security/CVE-2026-46192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46162",
                        "url": "https://ubuntu.com/security/CVE-2026-46162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46273",
                        "url": "https://ubuntu.com/security/CVE-2026-46273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46191",
                        "url": "https://ubuntu.com/security/CVE-2026-46191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46134",
                        "url": "https://ubuntu.com/security/CVE-2026-46134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43495",
                        "url": "https://ubuntu.com/security/CVE-2026-43495",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43502",
                        "url": "https://ubuntu.com/security/CVE-2026-43502",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46120",
                        "url": "https://ubuntu.com/security/CVE-2026-46120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46142",
                        "url": "https://ubuntu.com/security/CVE-2026-46142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46118",
                        "url": "https://ubuntu.com/security/CVE-2026-46118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46182",
                        "url": "https://ubuntu.com/security/CVE-2026-46182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46184",
                        "url": "https://ubuntu.com/security/CVE-2026-46184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43498",
                        "url": "https://ubuntu.com/security/CVE-2026-43498",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46132",
                        "url": "https://ubuntu.com/security/CVE-2026-46132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46190",
                        "url": "https://ubuntu.com/security/CVE-2026-46190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46150",
                        "url": "https://ubuntu.com/security/CVE-2026-46150",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45836",
                        "url": "https://ubuntu.com/security/CVE-2026-45836",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45834",
                        "url": "https://ubuntu.com/security/CVE-2026-45834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45835",
                        "url": "https://ubuntu.com/security/CVE-2026-45835",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46138",
                        "url": "https://ubuntu.com/security/CVE-2026-46138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46111",
                        "url": "https://ubuntu.com/security/CVE-2026-46111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46140",
                        "url": "https://ubuntu.com/security/CVE-2026-46140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46186",
                        "url": "https://ubuntu.com/security/CVE-2026-46186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46123",
                        "url": "https://ubuntu.com/security/CVE-2026-46123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46104",
                        "url": "https://ubuntu.com/security/CVE-2026-46104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46193",
                        "url": "https://ubuntu.com/security/CVE-2026-46193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46172",
                        "url": "https://ubuntu.com/security/CVE-2026-46172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46116",
                        "url": "https://ubuntu.com/security/CVE-2026-46116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46154",
                        "url": "https://ubuntu.com/security/CVE-2026-46154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46157",
                        "url": "https://ubuntu.com/security/CVE-2026-46157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46109",
                        "url": "https://ubuntu.com/security/CVE-2026-46109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46146",
                        "url": "https://ubuntu.com/security/CVE-2026-46146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46167",
                        "url": "https://ubuntu.com/security/CVE-2026-46167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46151",
                        "url": "https://ubuntu.com/security/CVE-2026-46151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46180",
                        "url": "https://ubuntu.com/security/CVE-2026-46180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46122",
                        "url": "https://ubuntu.com/security/CVE-2026-46122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46125",
                        "url": "https://ubuntu.com/security/CVE-2026-46125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46166",
                        "url": "https://ubuntu.com/security/CVE-2026-46166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46187",
                        "url": "https://ubuntu.com/security/CVE-2026-46187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46152",
                        "url": "https://ubuntu.com/security/CVE-2026-46152",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46163",
                        "url": "https://ubuntu.com/security/CVE-2026-46163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46136",
                        "url": "https://ubuntu.com/security/CVE-2026-46136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46173",
                        "url": "https://ubuntu.com/security/CVE-2026-46173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43496",
                        "url": "https://ubuntu.com/security/CVE-2026-43496",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46113",
                        "url": "https://ubuntu.com/security/CVE-2026-46113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46179",
                        "url": "https://ubuntu.com/security/CVE-2026-46179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46196",
                        "url": "https://ubuntu.com/security/CVE-2026-46196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43497",
                        "url": "https://ubuntu.com/security/CVE-2026-43497",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46108",
                        "url": "https://ubuntu.com/security/CVE-2026-46108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46128",
                        "url": "https://ubuntu.com/security/CVE-2026-46128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46177",
                        "url": "https://ubuntu.com/security/CVE-2026-46177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46149",
                        "url": "https://ubuntu.com/security/CVE-2026-46149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46137",
                        "url": "https://ubuntu.com/security/CVE-2026-46137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46155",
                        "url": "https://ubuntu.com/security/CVE-2026-46155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2157520,
                    2154418,
                    2155837,
                    2154174,
                    2154748,
                    2156559,
                    2156556,
                    2150640,
                    2156312,
                    2155096,
                    2154715,
                    2153159,
                    2150071,
                    2154343,
                    2149770,
                    2153155,
                    2152570,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156390,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2150845
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46318",
                                "url": "https://ubuntu.com/security/CVE-2026-46318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46322",
                                "url": "https://ubuntu.com/security/CVE-2026-46322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46320",
                                "url": "https://ubuntu.com/security/CVE-2026-46320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46321",
                                "url": "https://ubuntu.com/security/CVE-2026-46321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46316",
                                "url": "https://ubuntu.com/security/CVE-2026-46316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46317",
                                "url": "https://ubuntu.com/security/CVE-2026-46317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45846",
                                "url": "https://ubuntu.com/security/CVE-2026-45846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45845",
                                "url": "https://ubuntu.com/security/CVE-2026-45845",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45844",
                                "url": "https://ubuntu.com/security/CVE-2026-45844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46242",
                                "url": "https://ubuntu.com/security/CVE-2026-46242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-30 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45843",
                                "url": "https://ubuntu.com/security/CVE-2026-45843",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45842",
                                "url": "https://ubuntu.com/security/CVE-2026-45842",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45841",
                                "url": "https://ubuntu.com/security/CVE-2026-45841",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45840",
                                "url": "https://ubuntu.com/security/CVE-2026-45840",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45839",
                                "url": "https://ubuntu.com/security/CVE-2026-45839",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45838",
                                "url": "https://ubuntu.com/security/CVE-2026-45838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46214",
                                "url": "https://ubuntu.com/security/CVE-2026-46214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46207",
                                "url": "https://ubuntu.com/security/CVE-2026-46207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46234",
                                "url": "https://ubuntu.com/security/CVE-2026-46234",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46223",
                                "url": "https://ubuntu.com/security/CVE-2026-46223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46221",
                                "url": "https://ubuntu.com/security/CVE-2026-46221",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46231",
                                "url": "https://ubuntu.com/security/CVE-2026-46231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46233",
                                "url": "https://ubuntu.com/security/CVE-2026-46233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46212",
                                "url": "https://ubuntu.com/security/CVE-2026-46212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46238",
                                "url": "https://ubuntu.com/security/CVE-2026-46238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46208",
                                "url": "https://ubuntu.com/security/CVE-2026-46208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46206",
                                "url": "https://ubuntu.com/security/CVE-2026-46206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46198",
                                "url": "https://ubuntu.com/security/CVE-2026-46198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46227",
                                "url": "https://ubuntu.com/security/CVE-2026-46227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46220",
                                "url": "https://ubuntu.com/security/CVE-2026-46220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46215",
                                "url": "https://ubuntu.com/security/CVE-2026-46215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46201",
                                "url": "https://ubuntu.com/security/CVE-2026-46201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46224",
                                "url": "https://ubuntu.com/security/CVE-2026-46224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46197",
                                "url": "https://ubuntu.com/security/CVE-2026-46197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46209",
                                "url": "https://ubuntu.com/security/CVE-2026-46209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46230",
                                "url": "https://ubuntu.com/security/CVE-2026-46230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46199",
                                "url": "https://ubuntu.com/security/CVE-2026-46199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46204",
                                "url": "https://ubuntu.com/security/CVE-2026-46204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46218",
                                "url": "https://ubuntu.com/security/CVE-2026-46218",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46229",
                                "url": "https://ubuntu.com/security/CVE-2026-46229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46211",
                                "url": "https://ubuntu.com/security/CVE-2026-46211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46203",
                                "url": "https://ubuntu.com/security/CVE-2026-46203",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46219",
                                "url": "https://ubuntu.com/security/CVE-2026-46219",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46200",
                                "url": "https://ubuntu.com/security/CVE-2026-46200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46241",
                                "url": "https://ubuntu.com/security/CVE-2026-46241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46225",
                                "url": "https://ubuntu.com/security/CVE-2026-46225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46226",
                                "url": "https://ubuntu.com/security/CVE-2026-46226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46228",
                                "url": "https://ubuntu.com/security/CVE-2026-46228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46216",
                                "url": "https://ubuntu.com/security/CVE-2026-46216",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46210",
                                "url": "https://ubuntu.com/security/CVE-2026-46210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46240",
                                "url": "https://ubuntu.com/security/CVE-2026-46240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46235",
                                "url": "https://ubuntu.com/security/CVE-2026-46235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46222",
                                "url": "https://ubuntu.com/security/CVE-2026-46222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46239",
                                "url": "https://ubuntu.com/security/CVE-2026-46239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46236",
                                "url": "https://ubuntu.com/security/CVE-2026-46236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46205",
                                "url": "https://ubuntu.com/security/CVE-2026-46205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46202",
                                "url": "https://ubuntu.com/security/CVE-2026-46202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46213",
                                "url": "https://ubuntu.com/security/CVE-2026-46213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46232",
                                "url": "https://ubuntu.com/security/CVE-2026-46232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43490",
                                "url": "https://ubuntu.com/security/CVE-2026-43490",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 06:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46174",
                                "url": "https://ubuntu.com/security/CVE-2026-46174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46110",
                                "url": "https://ubuntu.com/security/CVE-2026-46110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46153",
                                "url": "https://ubuntu.com/security/CVE-2026-46153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46169",
                                "url": "https://ubuntu.com/security/CVE-2026-46169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46188",
                                "url": "https://ubuntu.com/security/CVE-2026-46188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45837",
                                "url": "https://ubuntu.com/security/CVE-2026-45837",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46156",
                                "url": "https://ubuntu.com/security/CVE-2026-46156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46147",
                                "url": "https://ubuntu.com/security/CVE-2026-46147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46175",
                                "url": "https://ubuntu.com/security/CVE-2026-46175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46194",
                                "url": "https://ubuntu.com/security/CVE-2026-46194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46170",
                                "url": "https://ubuntu.com/security/CVE-2026-46170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46158",
                                "url": "https://ubuntu.com/security/CVE-2026-46158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46168",
                                "url": "https://ubuntu.com/security/CVE-2026-46168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46189",
                                "url": "https://ubuntu.com/security/CVE-2026-46189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46133",
                                "url": "https://ubuntu.com/security/CVE-2026-46133",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46114",
                                "url": "https://ubuntu.com/security/CVE-2026-46114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46127",
                                "url": "https://ubuntu.com/security/CVE-2026-46127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46176",
                                "url": "https://ubuntu.com/security/CVE-2026-46176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46178",
                                "url": "https://ubuntu.com/security/CVE-2026-46178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46181",
                                "url": "https://ubuntu.com/security/CVE-2026-46181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46145",
                                "url": "https://ubuntu.com/security/CVE-2026-46145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46117",
                                "url": "https://ubuntu.com/security/CVE-2026-46117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46126",
                                "url": "https://ubuntu.com/security/CVE-2026-46126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46144",
                                "url": "https://ubuntu.com/security/CVE-2026-46144",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46141",
                                "url": "https://ubuntu.com/security/CVE-2026-46141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46183",
                                "url": "https://ubuntu.com/security/CVE-2026-46183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46121",
                                "url": "https://ubuntu.com/security/CVE-2026-46121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46131",
                                "url": "https://ubuntu.com/security/CVE-2026-46131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46139",
                                "url": "https://ubuntu.com/security/CVE-2026-46139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46105",
                                "url": "https://ubuntu.com/security/CVE-2026-46105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46171",
                                "url": "https://ubuntu.com/security/CVE-2026-46171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46112",
                                "url": "https://ubuntu.com/security/CVE-2026-46112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46165",
                                "url": "https://ubuntu.com/security/CVE-2026-46165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46161",
                                "url": "https://ubuntu.com/security/CVE-2026-46161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43492",
                                "url": "https://ubuntu.com/security/CVE-2026-43492",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46124",
                                "url": "https://ubuntu.com/security/CVE-2026-46124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46130",
                                "url": "https://ubuntu.com/security/CVE-2026-46130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46106",
                                "url": "https://ubuntu.com/security/CVE-2026-46106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46107",
                                "url": "https://ubuntu.com/security/CVE-2026-46107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46160",
                                "url": "https://ubuntu.com/security/CVE-2026-46160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46164",
                                "url": "https://ubuntu.com/security/CVE-2026-46164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46129",
                                "url": "https://ubuntu.com/security/CVE-2026-46129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46159",
                                "url": "https://ubuntu.com/security/CVE-2026-46159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46143",
                                "url": "https://ubuntu.com/security/CVE-2026-46143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46148",
                                "url": "https://ubuntu.com/security/CVE-2026-46148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46192",
                                "url": "https://ubuntu.com/security/CVE-2026-46192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46162",
                                "url": "https://ubuntu.com/security/CVE-2026-46162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46273",
                                "url": "https://ubuntu.com/security/CVE-2026-46273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46191",
                                "url": "https://ubuntu.com/security/CVE-2026-46191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46134",
                                "url": "https://ubuntu.com/security/CVE-2026-46134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43495",
                                "url": "https://ubuntu.com/security/CVE-2026-43495",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43502",
                                "url": "https://ubuntu.com/security/CVE-2026-43502",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46120",
                                "url": "https://ubuntu.com/security/CVE-2026-46120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46142",
                                "url": "https://ubuntu.com/security/CVE-2026-46142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46118",
                                "url": "https://ubuntu.com/security/CVE-2026-46118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46182",
                                "url": "https://ubuntu.com/security/CVE-2026-46182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46184",
                                "url": "https://ubuntu.com/security/CVE-2026-46184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43498",
                                "url": "https://ubuntu.com/security/CVE-2026-43498",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46132",
                                "url": "https://ubuntu.com/security/CVE-2026-46132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46190",
                                "url": "https://ubuntu.com/security/CVE-2026-46190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46150",
                                "url": "https://ubuntu.com/security/CVE-2026-46150",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45836",
                                "url": "https://ubuntu.com/security/CVE-2026-45836",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45834",
                                "url": "https://ubuntu.com/security/CVE-2026-45834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45835",
                                "url": "https://ubuntu.com/security/CVE-2026-45835",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46138",
                                "url": "https://ubuntu.com/security/CVE-2026-46138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46111",
                                "url": "https://ubuntu.com/security/CVE-2026-46111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46140",
                                "url": "https://ubuntu.com/security/CVE-2026-46140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46186",
                                "url": "https://ubuntu.com/security/CVE-2026-46186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46123",
                                "url": "https://ubuntu.com/security/CVE-2026-46123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46104",
                                "url": "https://ubuntu.com/security/CVE-2026-46104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46193",
                                "url": "https://ubuntu.com/security/CVE-2026-46193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46172",
                                "url": "https://ubuntu.com/security/CVE-2026-46172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46116",
                                "url": "https://ubuntu.com/security/CVE-2026-46116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46154",
                                "url": "https://ubuntu.com/security/CVE-2026-46154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46157",
                                "url": "https://ubuntu.com/security/CVE-2026-46157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46109",
                                "url": "https://ubuntu.com/security/CVE-2026-46109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46146",
                                "url": "https://ubuntu.com/security/CVE-2026-46146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46167",
                                "url": "https://ubuntu.com/security/CVE-2026-46167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46151",
                                "url": "https://ubuntu.com/security/CVE-2026-46151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46180",
                                "url": "https://ubuntu.com/security/CVE-2026-46180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46122",
                                "url": "https://ubuntu.com/security/CVE-2026-46122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46125",
                                "url": "https://ubuntu.com/security/CVE-2026-46125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46166",
                                "url": "https://ubuntu.com/security/CVE-2026-46166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46187",
                                "url": "https://ubuntu.com/security/CVE-2026-46187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46152",
                                "url": "https://ubuntu.com/security/CVE-2026-46152",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46163",
                                "url": "https://ubuntu.com/security/CVE-2026-46163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46136",
                                "url": "https://ubuntu.com/security/CVE-2026-46136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46173",
                                "url": "https://ubuntu.com/security/CVE-2026-46173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43496",
                                "url": "https://ubuntu.com/security/CVE-2026-43496",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46113",
                                "url": "https://ubuntu.com/security/CVE-2026-46113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46179",
                                "url": "https://ubuntu.com/security/CVE-2026-46179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46196",
                                "url": "https://ubuntu.com/security/CVE-2026-46196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43497",
                                "url": "https://ubuntu.com/security/CVE-2026-43497",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46108",
                                "url": "https://ubuntu.com/security/CVE-2026-46108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46128",
                                "url": "https://ubuntu.com/security/CVE-2026-46128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46177",
                                "url": "https://ubuntu.com/security/CVE-2026-46177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46149",
                                "url": "https://ubuntu.com/security/CVE-2026-46149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46137",
                                "url": "https://ubuntu.com/security/CVE-2026-46137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46155",
                                "url": "https://ubuntu.com/security/CVE-2026-46155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-28.28 -proposed tracker (LP: #2157520)",
                            "",
                            "  * Backport ASoC SDCA, AMD SoundWire, and RT722 audio fixes (LP: #2154418)",
                            "    - ASoC: amd: acp-sdw-legacy: rename the dmic component name",
                            "    - SAUCE: ASoC: rt722-sdca: add FU06 Playback Switch for speaker mute",
                            "      control",
                            "",
                            "  * MIPI camera of a BBG809N3A_B sensor SKU of the DELL Pro 14 Premium PA14260",
                            "    renders upside-down (LP: #2155837)",
                            "    - SAUCE: media: ipu-bridge: correct platform handling for DELL Pro 14",
                            "      Premium PA14260",
                            "",
                            "  * resolute ubuntu_kernel_selftests:seccomp_build test compilation issue",
                            "    (LP: #2154174)",
                            "    - SAUCE: selftests/seccomp fix compilation issue for amd64",
                            "",
                            "  * [Ubuntu 26.04] Severe Performance Degradation on kernel 7.0.0-15",
                            "    (LP: #2154748)",
                            "    - s390: Remove GENERIC_LOCKBREAK Kconfig option",
                            "    - UBUNTU [Config]: Remove GENERIC_LOCKBREAK in s390x",
                            "",
                            "  * Fix no sound output device on Dell GhostRider PTL no camera SKU",
                            "    (LP: #2156559)",
                            "    - ASoC: Intel: sof_sdw: append dai type to dai link name unconditionally",
                            "",
                            "  * Fix no audio from right built-in speaker on HP ZBook with TAS2781",
                            "    amplifier (LP: #2156556)",
                            "    - ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block",
                            "      data processing",
                            "",
                            "  * Installer fails internally with a RSync error due to page fault",
                            "    (LP: #2150640)",
                            "    - ovl: keep err zero after successful ovl_cache_get()",
                            "",
                            "  * Internal display black screen on Intel Lunar Lake with eDP panel",
                            "    (LP: #2156312)",
                            "    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG",
                            "",
                            "  * Thunderbolt DP tunnel torn down during boot with LUKS Full Disk Encryption",
                            "    (LP: #2155096)",
                            "    - SAUCE: thunderbolt: Defer DP tunnel teardown until display driver is",
                            "      ready",
                            "",
                            "  * watchdog: lenovo_se10_wdt: Add SE10 Gen 2 support (LP: #2154715)",
                            "    - watchdog: lenovo_se10_wdt: Add support for SE10 Gen 2 platform",
                            "    - watchdog: lenovo_se10_wdt: Fix use-after-free and resource leak risk",
                            "",
                            "  * [Ubuntu 26.04] KVM: IBM Test Accelerator for Z (TAZ) not working properly",
                            "    (LP: #2153159)",
                            "    - KVM: s390: only deliver service interrupt with payload",
                            "    - KVM: s390: vsie: Allow non-zarch guests",
                            "    - KVM: s390: vsie: Disable some bits when in ESA mode",
                            "    - KVM: s390: vsie: Accommodate ESA prefix pages",
                            "    - KVM: s390: Add KVM capability for ESA mode guests",
                            "",
                            "  * ubuntu_bpf failed to build on Resolute (error: expected ‘:’, ‘,’, ‘;’, ‘}’",
                            "    or ‘__attribute__’ before ‘__counted_by’) (LP: #2150071)",
                            "    - tools/headers: Regenerate stddef.h to fix BPF selftests",
                            "",
                            "  * ubuntu_bpf: FTBFS with clang 23 / gcc 15 (LP: #2154343)",
                            "    - selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c",
                            "",
                            "  * ALSA: hda/tas2781 Audio Fix for the front-right speacker (LP: #2149770)",
                            "    - ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device",
                            "",
                            "  * Fix bad audio record quality when volume above 50% on Framework PTL",
                            "    (LP: #2153155)",
                            "    - ALSA: hda/realtek: fix mic boost on Framework PTL",
                            "",
                            "  * Patchset for TUXEDO devices (LP: #2152570)",
                            "    - drm/i915/vbt: Add edp pipe joiner enable/disable bits",
                            "    - drm/i915/dp: Avoid joiner for eDP if not enabled in VBT",
                            "    - drm/amd/display: Add Idle state manager(ISM)",
                            "    - drm/i915/backlight: Remove try_vesa_interface",
                            "    - drm/i915/backlight: Use intel_panel variable instead of intel_connector",
                            "    - drm/i915/backlight: Take luminance_set into account for VESA backlight",
                            "    - drm/i915/backlight: Check luminance_set when disabling PWM via AUX VESA",
                            "      backlight",
                            "    - drm/i915/backlight: Short circuit intel_dp_aux_supports_hdr_backlight",
                            "    - drm/i915/backlight: Update debug log during backlight setup",
                            "    - drm/i915/backlight: Check if VESA backlight is possible",
                            "    - drm/i915/backlight: Provide clear description on how backlight level is",
                            "      controlled",
                            "    - drm/i915/backlight: Fix VESA backlight possible check condition",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636)",
                            "    - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size",
                            "    - ACPI: button: Fix ACPI GPE handler leak during removal",
                            "    - ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time",
                            "    - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit",
                            "    - net/sched: sch_sfb: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "    - bcache: fix uninitialized closure object",
                            "    - nfc: llcp: Fix use-after-free in llcp_sock_release()",
                            "    - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()",
                            "    - xfrm: Check for underflow in xfrm_state_mtu",
                            "    - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems",
                            "    - tools/bootconfig: Fix buf leaks in apply_xbc",
                            "    - HID: remove duplicate hid_warn_ratelimited definition",
                            "    - kunit: fix use-after-free in debugfs when using kunit.filter",
                            "    - accel/rocket: fix UAF via dangling GEM handle in create_bo",
                            "    - netfilter: synproxy: refresh tcphdr after skb_ensure_writable",
                            "    - netfilter: xt_cpu: prefer raw_smp_processor_id",
                            "    - netfilter: ebtables: fix OOB read in compat_mtw_from_user",
                            "    - netfilter: nf_tables: fix dst corruption in same register operation",
                            "    - vsock: keep poll shutdown state consistent",
                            "    - net: netlink: fix sending unassigned nsid after assigned one",
                            "    - net: netlink: don't set nsid on local notifications",
                            "    - net/smc: Do not re-initialize smc hashtables",
                            "    - net/iucv: fix locking in .getsockopt",
                            "    - scsi: core: Run queues for all non-SDEV_DEL devices from",
                            "      scsi_run_host_queues",
                            "    - scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()",
                            "    - ipv4: free net->ipv4.sysctl_local_reserved_ports after",
                            "      unregister_net_sysctl_table()",
                            "    - ALSA: hda: cs35l56: Fix system name string leaks",
                            "    - ALSA: pcm: oss: Fix setup list UAF on proc write error",
                            "    - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors",
                            "    - net/mlx5: HWS: Reject unsupported remove-header action",
                            "    - net: hsr: fix potential OOB access in supervision frame handling",
                            "    - accel/ivpu: prevent uninitialized data bug in debugfs",
                            "    - gpio: mxc: fix irq_high handling",
                            "    - drm/i915/aux: use polling when irqs are unavailable",
                            "    - net: Avoid checksumming unreadable skb tail on trim",
                            "    - ethtool: rss: avoid modifying the RSS context response",
                            "    - ethtool: rss: add missing errno on RSS context delete",
                            "    - ethtool: rss: fix falsely ignoring indir table updates",
                            "    - ethtool: rss: fix indir_table and hkey leak on get_rxfh failure",
                            "    - ethtool: rss: fix hkey leak when indir_size is 0",
                            "    - ethtool: rss: avoid device context leak on reply-build failure",
                            "    - ethtool: module: call ethnl_ops_complete() on module flash errors",
                            "    - ethtool: module: avoid leaking a netdev ref on module flash errors",
                            "    - ethtool: module: avoid racy updates to dev->ethtool bitfield",
                            "    - ethtool: module: check fw_flash_in_progress under rtnl_lock",
                            "    - ethtool: module: fix cleanup if socket used for flashing multiple",
                            "      devices",
                            "    - ethtool: cmis: require exact CDB reply length",
                            "    - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl",
                            "    - ethtool: cmis: validate start_cmd_payload_size from module",
                            "    - ethtool: cmis: validate fw->size against start_cmd_payload_size",
                            "    - cxl/test: Update mock dev array before calling platform_device_add()",
                            "    - blk-mq: reinsert cached request to the list",
                            "    - tunnels: load network headers after skb_cow() in",
                            "      iptunnel_pmtud_build_icmp[v6]()",
                            "    - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()",
                            "    - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()",
                            "    - ksmbd: fix FSCTL permission bypass by adding a permission check for",
                            "      FSCTL_SET_SPARSE",
                            "    - ASoC: codecs: simple-mux: Fix enum control bounds check",
                            "    - drm/xe: Restore IDLEDLY regiter on engine reset",
                            "    - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()",
                            "    - bonding: refuse to enslave CAN devices",
                            "    - bridge: Fix sleep in atomic context in netlink path",
                            "    - bridge: Fix sleep in atomic context in sysfs path",
                            "    - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES",
                            "    - ethtool: tsconfig: fix reply error handling",
                            "    - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup",
                            "      error",
                            "    - ethtool: pse-pd: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsconfig: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsinfo: fix uninitialized stats on the by-PHC path",
                            "    - ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure",
                            "    - ethtool: strset: fix header attribute index in ethnl_req_get_phydev()",
                            "    - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during",
                            "      fallback",
                            "    - ethtool: eeprom: add more safeties to EEPROM Netlink fallback",
                            "    - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()",
                            "    - net/sched: Revert \"net/sched: Restrict conditions for adding duplicating",
                            "      netems to qdisc tree\"",
                            "    - net/sched: fix packet loop on netem when duplicate is on",
                            "    - net: Introduce skb tc depth field to track packet loops",
                            "    - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop",
                            "    - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack",
                            "      overflow",
                            "    - net/sched: act_mirred: Fix return code in early mirred redirect error",
                            "      paths",
                            "    - net: hibmcge: disable Relaxed Ordering to fix RX packet corruption",
                            "    - net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path",
                            "    - net/handshake: Use spin_lock_bh for hn_lock",
                            "    - nvme-tcp: store negative errno in queue->tls_err",
                            "    - net/handshake: Pass negative errno through handshake_complete()",
                            "    - net/handshake: hand off the pinned file reference to accept_doit",
                            "    - net/handshake: Take a long-lived file reference at submit",
                            "    - net/handshake: Drain pending requests at net namespace exit",
                            "    - dpll: zl3073x: detect DPLL channel count from chip ID at runtime",
                            "    - dpll: zl3073x: add die temperature reporting for supported chips",
                            "    - dpll: export __dpll_device_change_ntf() for use under dpll_lock",
                            "    - dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work",
                            "    - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success",
                            "    - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp",
                            "    - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close",
                            "    - Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()",
                            "    - gpio: adnp: fix flow control regression caused by scoped_guard()",
                            "    - gpio: virtuser: Fix uninitialized data bug in",
                            "      gpio_virtuser_direction_do_write()",
                            "    - gpio: rockchip: convert bank->clk to devm_clk_get_enabled()",
                            "    - gpio: rockchip: teardown bugs and resource leaks",
                            "    - net: mana: Add NULL guards in teardown path to prevent panic on attach",
                            "      failure",
                            "    - net: mana: Skip redundant detach on already-detached port",
                            "    - sctp: fix race between sctp_wait_for_connect and peeloff",
                            "    - net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration",
                            "    - vsock/virtio: bind uarg before filling zerocopy skb",
                            "    - ipv6: fix possible infinite loop in rt6_fill_node()",
                            "    - ipv6: fix possible infinite loop in fib6_select_path()",
                            "    - net: skbuff: fix pskb_carve leaking zcopy pages",
                            "    - Revert \"ipv6: preserve insertion order for same-scope addresses\"",
                            "    - Revert \"x86/fpu: Refine and simplify the magic number check during",
                            "      signal return\"",
                            "    - drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register",
                            "    - drm/i915/psr: Read Intel DPCD workaround register",
                            "    - drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used",
                            "    - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer",
                            "    - iio: imu: adis16550: fix stack leak in trigger handler",
                            "    - iio: pressure: bmp280: fix stack leak in bmp580 trigger handler",
                            "    - usb: typec: ucsi: ccg: reject firmware images without a ':' record",
                            "      header",
                            "    - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers",
                            "    - usb: typec: tcpm: bound altmode_desc[] per iteration in",
                            "      svdm_consume_modes()",
                            "    - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload",
                            "      VDO",
                            "    - usb: typec: altmodes/displayport: validate count before reading Status",
                            "      Update VDO",
                            "    - usb: typec: wcove: don't write past struct pd_message in",
                            "      wcove_read_rx_buffer()",
                            "    - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT",
                            "    - usb: typec: ucsi: validate connector number in ucsi_connector_change()",
                            "    - USB: serial: safe_serial: fix memory corruption with small endpoint",
                            "    - media: rc: igorplugusb: fix control request setup packet",
                            "    - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()",
                            "    - USB: serial: cypress_m8: fix memory corruption with small endpoint",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse",
                            "    - Bluetooth: btusb: Allow firmware re-download when version matches",
                            "    - mm/vmalloc: do not trigger BUG() on BH disabled context",
                            "    - hpfs: fix a crash if hpfs_map_dnode_bitmap fails",
                            "    - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()",
                            "    - ipc: limit next_id allocation to the valid ID range",
                            "    - mm: memcontrol: propagate NMI slab stats to memcg vmstats",
                            "    - mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page",
                            "    - memfd: deny writeable mappings when implying SEAL_WRITE",
                            "    - zram: fix use-after-free in zram_writeback_endio",
                            "    - mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one",
                            "    - auxdisplay: line-display: fix OOB read on zero-length message_store()",
                            "    - smb: client: fix uninitialized variable in smb2_writev_callback",
                            "    - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
                            "    - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn",
                            "    - Bluetooth: HIDP: fix missing length checks in hidp_input_report()",
                            "    - Bluetooth: ISO: fix UAF in iso_recv_frame",
                            "    - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock",
                            "    - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()",
                            "    - Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading",
                            "    - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync",
                            "    - Input: xpad - fix out-of-bounds access for Share button",
                            "    - parport: Fix race between port and client registration",
                            "    - rust_binder: Avoid holding lock when dropping delivered_death",
                            "    - rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN",
                            "    - USB: cdc-acm: Fix bit overlap and move quirk definitions to header",
                            "    - KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor",
                            "    - KVM: arm64: PMU: Preserve AArch32 counter low bits",
                            "    - KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC",
                            "    - KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
                            "    - KVM: SEV: Ignore Port I/O requests of length '0'",
                            "    - KVM: SEV: Use the size of the PSC header as the minimum size for PSC",
                            "      requests",
                            "    - KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0",
                            "    - KVM: SEV: Compute the correct max length of the in-GHCB scratch area",
                            "    - KVM: SEV: Check PSC request indices against the actual size of the",
                            "      buffer",
                            "    - KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer",
                            "    - KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()",
                            "    - gpio: shared: undo the vote of the proxy on GPIO free",
                            "    - gpio: shared: fix deadlock on shared proxy's parent removal",
                            "    - gpio: shared: fix lockdep false positive by removing unneeded lock",
                            "    - Disable -Wattribute-alias for clang-23 and newer",
                            "    - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux",
                            "    - iio: adc: npcm: fix unbalanced clk_disable_unprepare()",
                            "    - iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings",
                            "    - iio: dac: max5821: fix return value check in powerdown sync",
                            "    - iio: dac: ad5686: fix ref bit initialization for single-channel parts",
                            "    - iio: dac: ad5686: fix input raw value check",
                            "    - iio: dac: ad5686: acquire lock when doing powerdown control",
                            "    - iio: dac: ad5686: fix powerdown control on dual-channel devices",
                            "    - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp",
                            "    - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw",
                            "    - iio: adc: ad4695: Fix call ordering in offload buffer postenable",
                            "    - iio: adc: nxp-sar-adc: fix division by zero in write_raw",
                            "    - iio: adc: nxp-sar-adc: Avoid division by zero",
                            "    - iio: adc: nxp-sar-adc: zero-initialize dma_slave_config",
                            "    - iio: gyro: itg3200: fix i2c read into the wrong stack location",
                            "    - iio: gyro: adis16260: fix division by zero in write_raw",
                            "    - iio: ssp_sensors: cancel delayed work_refresh on remove",
                            "    - iio: temperature: tsys01: fix broken PROM checksum validation",
                            "    - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL",
                            "    - iio: light: veml6070: Fix resource leak in probe error path",
                            "    - iio: Fix iio_multiply_value use in iio_read_channel_processed_scale",
                            "    - iio: chemical: mhz19b: reject oversized serial replies",
                            "    - iio: chemical: scd30: fix division by zero in write_raw",
                            "    - iio: light: cm3323: fix reg_conf not being initialized correctly",
                            "    - iio: buffer: hw-consumer: fix use-after-free in error path",
                            "    - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()",
                            "    - USB: serial: omninet: fix memory corruption with small endpoint",
                            "    - usb: cdns3: gadget: fix request skipping after clearing halt",
                            "    - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy",
                            "      acquisition failure",
                            "    - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently",
                            "      leaks the runtime PM usage counter across bind/unbind cycles",
                            "    - usb: dwc2: Fix use after free in debug code",
                            "    - Input: elan_i2c - validate firmware size before use",
                            "    - i2c: davinci: fix division by zero on missing clock-frequency",
                            "    - x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines",
                            "    - wireguard: send: append trailer after expanding head",
                            "    - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data",
                            "    - macsec: fix replay protection at XPN lower-PN wrap",
                            "    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()",
                            "    - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params",
                            "    - octeontx2-af: validate body pcifunc in rvu_mbox_handler_rep_event_notify",
                            "    - ipv6: exthdrs: refresh nh after handling HAO option",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().",
                            "    - ipv6: validate extension header length before copying to cmsg",
                            "    - xfrm: input: hold netns during deferred transport reinjection",
                            "    - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_changelink().",
                            "    - net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
                            "    - spi: spi-mem: avoid mutating op template in spi_mem_supports_op()",
                            "    - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()",
                            "    - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings",
                            "    - nfc: hci: fix out-of-bounds read in HCP header parsing",
                            "    - xfrm: route MIGRATE notifications to caller's netns",
                            "    - xfrm: ipcomp: Free destination pages on acomp errors",
                            "    - xfrm: ah: use skb_to_full_sk in async output callbacks",
                            "    - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417",
                            "    - ALSA: firewire-motu: Protect register DSP event queue positions",
                            "    - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without",
                            "      direction check",
                            "    - ASoC: qcom: q6asm-dai: close stream only when running",
                            "    - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger",
                            "      callbacks",
                            "    - xfrm: esp: restore combined single-frag length gate",
                            "    - ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP",
                            "    - xfrm: iptfs: reset runtime state when cloning SAs",
                            "    - dma-buf: fix UAF in dma_buf_fd() tracepoint",
                            "    - Input: xpad - add \"Nova 2 Lite\" from GameSir",
                            "    - Input: xpad - add support for ASUS ROG RAIKIRI II",
                            "    - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops",
                            "    - misc: rp1: Send IACK on IRQ activate to fix kdump/kexec",
                            "    - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem",
                            "    - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490",
                            "    - dt-bindings: usb: Fix EIC7700 USB reset's issue",
                            "    - comedi: comedi_test: fix check for valid scan_begin_src in",
                            "      waveform_ai_cmdtest()",
                            "    - comedi: comedi_test: Fix limiting of convert_arg in",
                            "      waveform_ai_cmdtest()",
                            "    - counter: Fix refcount leak in counter_alloc() error path",
                            "    - tty: serial: pch_uart: add check for dma_alloc_coherent()",
                            "    - tty: serial: samsung: Remove redundant port lock acquisition in rx",
                            "      helpers",
                            "    - uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory",
                            "    - usb: chipidea: core: convert ci_role_switch to local variable",
                            "    - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval",
                            "    - usb: dwc3: xilinx: fix error handling in zynqmp init error paths",
                            "    - usb: musb: omap2430: Fix use-after-free in omap2430_probe()",
                            "    - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub",
                            "      controllers",
                            "    - usb: storage: Add quirks for PNY Elite Portable SSD",
                            "    - usbip: vudc: Fix use after free bug in vudc_remove due to race condition",
                            "    - usb: usbtmc: check URB actual_length for interrupt-IN notifications",
                            "    - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize",
                            "    - usb: typec: tipd: Fix error code in tps6598x_probe()",
                            "    - usb: typec: tcpm: improve handling of DISCOVER_MODES failures",
                            "    - usb: typec: ucsi: Check if power role change actually happened before",
                            "      handling",
                            "    - usb: typec: ucsi: Don't update power_supply on power role change if not",
                            "      connected",
                            "    - USB: serial: option: add MeiG SRM813Q",
                            "    - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL",
                            "    - USB: serial: belkin_sa: validate interrupt status length",
                            "    - USB: serial: cypress_m8: validate interrupt packet headers",
                            "    - USB: serial: digi_acceleport: fix memory corruption with small endpoints",
                            "    - USB: serial: keyspan: fix missing indat transfer sanity check",
                            "    - USB: serial: mxuport: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check",
                            "    - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind",
                            "    - usb: gadget: net2280: Fix double free in probe error path",
                            "    - usb: gadget: f_hid: fix device reference leak in hidg_alloc()",
                            "    - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling",
                            "    - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports",
                            "    - usb: gadget: f_fs: copy only received bytes on short ep0 read",
                            "    - usb: gadget: f_fs: serialize DMABUF cancel against request completion",
                            "    - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()",
                            "    - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow",
                            "    - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()",
                            "    - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker",
                            "    - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32",
                            "    - scsi: target: iscsi: Fix CRC overread and double-free in",
                            "      iscsit_handle_text_cmd()",
                            "    - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf",
                            "    - scsi: target: iscsi: Validate CHAP_R length before base64 decode",
                            "    - drm/hyperv: validate resolution_count and fix WIN8 fallback",
                            "    - drm/hyperv: validate VMBus packet size in receive callback",
                            "    - drm/gem: fix race between change_handle and handle_delete",
                            "    - drm/i915/color: Fix HDR pre-CSC LUT programming loop",
                            "    - drm/i915/psr: Block DC states on vblank enable when Panel Replay",
                            "      supported",
                            "    - drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable",
                            "    - drm/i915: Fix potential UAF in TTM object purge",
                            "    - drm/amd/pm/si: Disregard vblank time when no displays are connected",
                            "    - serial: altera_jtaguart: handle uart_add_one_port() failures",
                            "    - serial: qcom-geni: fix UART_RX_PAR_EN bit position",
                            "    - serial: qcom_geni: fix kfifo underflow when flush precedes DMA",
                            "      completion IRQ",
                            "    - serial: sh-sci: fix memory region release in error path",
                            "    - serial: zs: Fix swapped RI/DSR modem line transition counting",
                            "    - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma",
                            "    - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr",
                            "    - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger",
                            "    - drm/amdkfd: Check for pdd drm file first in CRIU restore path",
                            "    - drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO",
                            "    - drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx",
                            "    - drm/amdgpu: fix amdgpu_hmm_range_get_pages",
                            "    - drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO",
                            "    - serial: dz: Fix bootconsole message clobbering at chip reset",
                            "    - serial: dz: Fix bootconsole handover lockup",
                            "    - serial: dz: Convert to use a platform device",
                            "    - serial: zs: Fix bootconsole handover lockup",
                            "    - serial: zs: Switch to using channel reset",
                            "    - serial: zs: Convert to use a platform device",
                            "    - serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)",
                            "    - serial: 8250: dispatch SysRq character in serial8250_handle_irq()",
                            "    - serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()",
                            "    - platform/x86/intel/vsec: Refactor base_addr handling",
                            "    - platform/x86/intel/vsec: Make driver_data info const",
                            "    - platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery",
                            "    - rxrpc: Fix RESPONSE packet verification to extract skb to a linear",
                            "      buffer",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook",
                            "      X",
                            "    - arm64: tlb: Flush walk cache when unsharing PMD tables",
                            "    - i2c: tegra: make tegra_i2c_mutex_unlock() return void",
                            "    - hwmon: (pmbus) Add support for guarded PMBus lock",
                            "    - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with",
                            "      pmbus_lock",
                            "    - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock",
                            "    - net: phy: micrel: fix LAN8814 QSGMII soft reset",
                            "    - xhci: tegra: Fix ghost USB device on dual-role port unplug",
                            "    - mailbox: Fix NULL message support in mbox_send_message()",
                            "    - usb: core: Fix SuperSpeed root hub wMaxPacketSize",
                            "    - tools: ynl: add scope qualifier for definitions",
                            "    - Linux 7.0.12",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46318",
                            "    - Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46322",
                            "    - tun: free page on build_skb failure in tun_xdp_one()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46320",
                            "    - tap: free page on error paths in tap_get_user_xdp()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46321",
                            "    - tun: free page on short-frame rejection in tun_xdp_one()",
                            "",
                            "  * CVE-2026-46316 // CVE-2026-46317",
                            "    - KVM: arm64: Reassign nested_mmus array behind mmu_lock",
                            "",
                            "  * CVE-2026-46316",
                            "    - KVM: arm64: vgic-its: Drop the translation cache reference only for the",
                            "      erased entry",
                            "    - KVM: arm64: Take the SRCU lock for page table walks in fault injection",
                            "      and AT emulation",
                            "",
                            "  * Resolute update: v7.0.11 upstream stable release (LP: #2156390)",
                            "    - iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs",
                            "    - iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
                            "    - ksmbd: close durable scavenger races against m_fp_list lookups",
                            "    - ata: libata-scsi: improve readability of ata_scsi_qc_issue()",
                            "    - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT",
                            "    - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS",
                            "    - ata: libata-scsi: do not needlessly defer commands when using PMP with",
                            "      FBS",
                            "    - sysfs: don't remove existing directory on update failure",
                            "    - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
                            "    - ksmbd: fix null pointer dereference in compare_guid_key()",
                            "    - ksmbd: fix null pointer dereference in proc_show_files()",
                            "    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow",
                            "    - ksmbd: validate SID in parent security descriptor during ACL inheritance",
                            "    - regulator: tps65219: fix irq_data.rdev not being assigned",
                            "    - x86/mm: Disable broadcast TLB flush when PCID is disabled",
                            "    - scripts/gdb: mm: cast untyped symbols in x86_page_ops",
                            "    - smb: client: require net admin for CIFS SWN netlink",
                            "    - smb: client: protect tc_count increment in",
                            "      smb2_find_smb_sess_tcon_unlocked()",
                            "    - smb: client: use data_len for SMB2 READ encrypted folioq copy",
                            "    - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close",
                            "    - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX",
                            "    - ALSA: ua101: Reject too-short USB descriptors",
                            "    - ALSA: pcm: Don't setup bogus iov_iter for silencing",
                            "    - ALSA: asihpi: Fix potential OOB array access at reading cache",
                            "    - ALSA: scarlett2: Allow flash writes ending at segment boundary",
                            "    - ACPI: battery: Fix system wakeup on critical battery status",
                            "    - efi: Allocate runtime workqueue before ACPI init",
                            "    - spi: amd: Set correct bus number in ACPI probe path",
                            "    - io_uring/waitid: clear waitid info before copying it to userspace",
                            "    - drivers/base/memory: fix memory block reference leak in poison",
                            "      accounting",
                            "    - ipv6: ioam: refresh hdr pointer before ioam6_event()",
                            "    - mm/memory: fix spurious warning when unmapping device-private/exclusive",
                            "      pages",
                            "    - mm: fix __vm_normal_page() to handle missing support for",
                            "      pmd_special()/pud_special()",
                            "    - mm/memory_hotplug: fix memory block reference leak on remove",
                            "    - mm/page_alloc: fix initialization of tags of the huge zero folio with",
                            "      init_on_free",
                            "    - mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page",
                            "    - selftests/mm: run_vmtests.sh: fix destructive tests invocation",
                            "    - mm/damon: fix damos_stat tracepoint format for sz_applied",
                            "    - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
                            "    - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
                            "    - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START",
                            "    - Bluetooth: bnep: Fix UAF read of dev->name",
                            "    - Bluetooth: hci_uart: fix UAFs and race conditions in close and init",
                            "      paths",
                            "    - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer",
                            "    - Bluetooth: hci_qca: Convert timeout from jiffies to ms",
                            "    - Bluetooth: MGMT: validate Add Extended Advertising Data length",
                            "    - Bluetooth: serialize accept_q access",
                            "    - phonet/pep: disable BH around forwarded sk_receive_skb()",
                            "    - net: bcmgenet: keep RBUF EEE/PM disabled",
                            "    - net: devmem: reject dma-buf bind with non-page-aligned size or SG length",
                            "    - net: phy: skip EEE advertisement write when autoneg is disabled",
                            "    - net: hsr: defer node table free until after RCU readers",
                            "    - net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover",
                            "    - net: ifb: report ethtool stats over num_tx_queues",
                            "    - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()",
                            "    - netfilter: ip6t_hbh: reject oversized option lists",
                            "    - netfilter: nf_queue: hold bridge skb->dev while queued",
                            "    - netfilter: ipset: stop hash:* range iteration at end",
                            "    - net: ethtool: fix NULL pointer dereference in phy_reply_size",
                            "    - net: ethtool: phy: avoid NULL deref when PHY driver is unbound",
                            "    - ACPI: driver: Check ACPI_COMPANION() against NULL during probe",
                            "    - sched_ext: Fix missing warning in scx_set_task_state() default case",
                            "    - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path",
                            "    - l2tp: use list_del_rcu in l2tp_session_unhash",
                            "    - qed: fix double free in qed_cxt_tables_alloc()",
                            "    - ring-buffer: Fix reporting of missed events in iterator",
                            "    - ring-buffer: Flush and stop persistent ring buffer on panic",
                            "    - wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb",
                            "    - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()",
                            "    - selftests: mptcp: drop nanoseconds width specifier",
                            "    - mptcp: pm: fix ADD_ADDR timer infinite retry on option space",
                            "      insufficient",
                            "    - vsock/vmci: fix UAF when peer resets connection during handshake",
                            "    - vsock/virtio: reset connection on receiving queue overflow",
                            "    - ice: fix VF queue configuration with low MTU values",
                            "    - wifi: ath11k: clear shared SRNG pointer state on restart",
                            "    - wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
                            "    - wifi: iwlwifi: mld: stop TX during firmware restart",
                            "    - ipv4: raw: reject IP_HDRINCL packets with ihl < 5",
                            "    - ixgbevf: fix use-after-free in VEPA multicast source pruning",
                            "    - rbd: eliminate a race in lock_dwork draining on unmap",
                            "    - mptcp: do not drop partial packets",
                            "    - mptcp: reset rcv wnd on disconnect",
                            "    - lsm: hold cred_guard_mutex for lsm_set_self_attr()",
                            "    - octeontx2-af: CGX: add bounds check to cgx_speed_mbps index",
                            "    - octeontx2-pf: fix double free in rvu_rep_rsrc_init()",
                            "    - igc: fix potential skb leak in igc_fpe_xmit_smd_frame()",
                            "    - ice: fix locking around wait_event_interruptible_locked_irq",
                            "    - ice: fix setting promisc mode while adding VID filter",
                            "    - ice: restore PTP Rx timestamp config after ethtool set-channels",
                            "    - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
                            "    - af_unix: Fix UAF read of tail->len in unix_stream_data_wait()",
                            "    - wifi: mac80211: consume only present negotiated TTLM maps",
                            "    - octeontx2-pf: avoid double free of pool->stack on AQ init failure",
                            "    - cifs: Fix busy dentry used after unmounting",
                            "    - tracing: Do not call map->ops->elt_free() if elt_alloc() fails",
                            "    - ASoC: codecs: pcm512x: fix null-ptr dereference in",
                            "      pcm512x_overclock_xxx_put()",
                            "    - arm64: probes: Handle probes on hinted conditional branch instructions",
                            "    - KVM: arm64: vgic-its: Reject restored DTE with out-of-range",
                            "      num_eventid_bits",
                            "    - KVM: arm64: vgic: Free private_irqs when init fails after allocation",
                            "    - KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum",
                            "      #1235)",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM",
                            "    - virt: sev-guest: Explicitly leak pages in unknown state",
                            "    - i2c: tegra: fix pm_runtime leak on mutex_lock failure",
                            "    - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe",
                            "    - spi: qup: fix error pointer deref after DMA setup failure",
                            "    - phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870",
                            "    - phy: tegra: xusb: Fix per-pad high-speed termination calibration",
                            "    - phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4",
                            "      fix",
                            "    - phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables",
                            "    - phy: qcom: edp: Add eDP/DP mode switch support",
                            "    - phy: qcom: edp: Fix AUX_CFG8 programming for DP mode",
                            "    - scsi: isci: Fix use-after-free in device removal path",
                            "    - spi: ep93xx: fix error pointer deref after DMA setup failure",
                            "    - spi: sprd: fix error pointer deref after DMA setup failure",
                            "    - spi: ti-qspi: fix use-after-free after DMA setup failure",
                            "    - mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()",
                            "    - RDMA/siw: Reject MPA FPDU length underflow before signed receive math",
                            "    - s390/cio: Restore GFP_DMA for CHSC allocation",
                            "    - s390/pai: Disable duplicate read of kernel PAI counter value",
                            "    - s390/pai: Fix missing PAI counter increments under heavy load",
                            "    - fwctl: pds: Validate RPC input size before parsing",
                            "    - LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions",
                            "    - LoongArch: Remove unused code to avoid build warning",
                            "    - cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E",
                            "    - device property: set fwnode->secondary to NULL in fwnode_init()",
                            "    - drm/i915/display: Copy color pipeline from plane in the primary joiner",
                            "      pipe",
                            "    - drm/msm: Fix shrinker deadlock",
                            "    - drm/v3d: Fix use-after-free of CPU job query arrays on error path",
                            "    - drm/v3d: Release indirect CSD GEM reference on CPU job free",
                            "    - drm/virtio: use uninterruptible resv lock for plane updates",
                            "    - drm/xe/multi_queue: Fix secondary queue error case",
                            "    - drm/amdgpu/vpe: Force collaborate sync after TRAP",
                            "    - drm/bridge: it66121: acquire reset GPIO in probe",
                            "    - drm/bridge: megachips: remove bridge when irq request fails",
                            "    - drm/amd/display: Fix integer overflow in bios_get_image()",
                            "    - drm/amd/display: Validate GPIO pin LUT table size before iterating",
                            "    - drm/amd/display: Validate payload length and link_index in",
                            "      dc_process_dmub_aux_transfer_async",
                            "    - batman-adv: v: stop OGMv2 on disabled interface",
                            "    - batman-adv: tvlv: abort OGM send on tvlv append failure",
                            "    - batman-adv: tvlv: reject oversized TVLV packets",
                            "    - batman-adv: iv: recover OGM scheduling after forward packet error",
                            "    - batman-adv: mcast: fix use-after-free in orig_node RCU release",
                            "    - batman-adv: clear current gateway during teardown",
                            "    - batman-adv: dat: handle forward allocation error",
                            "    - batman-adv: fix fragment reassembly length accounting",
                            "    - batman-adv: fix tp_meter counter underflow during shutdown",
                            "    - batman-adv: frag: disallow unicast fragment in fragment",
                            "    - batman-adv: bla: fix report_work leak on backbone_gw purge",
                            "    - batman-adv: bla: avoid double decrement of bla.num_requests",
                            "    - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface",
                            "    - batman-adv: tp_meter: avoid use of uninit sender vars",
                            "    - batman-adv: tp_meter: directly shut down timer on cleanup",
                            "    - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown",
                            "    - batman-adv: tp_meter: fix race condition in send error reporting",
                            "    - batman-adv: tp_meter: avoid role confusion in tp_list",
                            "    - batman-adv: tt: fix TOCTOU race for reported vlans",
                            "    - batman-adv: tt: reject oversized local TVLV buffers",
                            "    - batman-adv: tt: avoid empty VLAN responses",
                            "    - batman-adv: tt: fix negative last_changeset_len",
                            "    - batman-adv: tt: fix negative tt_buff_len",
                            "    - batman-adv: tt: prevent TVLV entry number overflow",
                            "    - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock",
                            "    - hwmon: (pmbus/adm1266) reject implausible blackbox record_count",
                            "    - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer",
                            "    - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized",
                            "      buffer",
                            "    - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR",
                            "    - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in",
                            "      get_multiple",
                            "    - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO",
                            "      accessors",
                            "    - pinctrl: mediatek: moore: implement gpio_chip::get_direction()",
                            "    - pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function",
                            "    - arm64: dts: renesas: r8a78000: Fix SCIF brg_int clocks",
                            "    - ARM: dts: renesas: genmai: Drop superfluous cells",
                            "    - ARM: dts: renesas: rskrza1: Drop superfluous cells",
                            "    - pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high",
                            "      pins during suspend/resume",
                            "    - pinctrl: renesas: rzg2l: Fix SMT register cache handling",
                            "    - pinctrl: meson: amlogic-a4: fix deadlock issue",
                            "    - pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615",
                            "    - kho: skip KHO for crash kernel",
                            "    - mm/memfd_luo: report error when restoring a folio fails mid-loop",
                            "    - HID: intel-thc-hid: Intel-quickspi: Fix some error codes",
                            "    - HID: uclogic: Fix regression of input name assignment",
                            "    - firmware: arm_ffa: Check for NULL FF-A ID table while driver",
                            "      registration",
                            "    - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure",
                            "    - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue",
                            "    - firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0",
                            "    - riscv: errata: Fix bitwise vs logical AND in MIPS errata patching",
                            "    - riscv: Fix register corruption from uninitialized cregs on error",
                            "    - riscv: mm: Fixup no5lvl failure when vaddr is invalid",
                            "    - kunit: config: Enable KUNIT_DEBUGFS by default",
                            "    - kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS",
                            "    - pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150",
                            "    - firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies",
                            "    - firmware: arm_ffa: Keep framework RX release under lock",
                            "    - firmware: arm_ffa: Validate framework notification message layout",
                            "    - firmware: arm_ffa: Align RxTx buffer size before mapping",
                            "    - firmware: arm_ffa: Snapshot notifier callbacks under lock",
                            "    - firmware: arm_ffa: Fix sched-recv callback partition lookup",
                            "    - ARM: integrator: Fix early initialization",
                            "    - ALSA: hda: cs35l56: Put ACPI device after setting companion",
                            "    - ALSA: hda: cs35l41: Put ACPI device on missing physical node",
                            "    - btrfs: tracepoints: fix sleep while in atomic context in",
                            "      btrfs_sync_file()",
                            "    - netfilter: x_tables: allow initial table replace without emitting audit",
                            "      log message",
                            "    - netfilter: x_tables: allocate hook ops while under mutex",
                            "    - netfilter: x_tables: unregister the templates first",
                            "    - netfilter: x_tables: add and use xt_unregister_table_pre_exit",
                            "    - netfilter: x_tables: add and use xtables_unregister_table_exit",
                            "    - netfilter: ebtables: move to two-stage removal scheme",
                            "    - netfilter: ebtables: close dangling table module init race",
                            "    - netfilter: x_tables: close dangling table module init race",
                            "    - netfilter: bridge: eb_tables: close module init race",
                            "    - netfilter: nf_conntrack_expect: restore helper propagation via",
                            "      expectation",
                            "    - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()",
                            "    - test_kprobes: clear kprobes between test runs",
                            "    - tcp: Fix imbalanced icsk_accept_queue count.",
                            "    - net: napi: Avoid gro timer misfiring at end of busypoll",
                            "    - net: shaper: Reject reparenting of existing nodes",
                            "    - idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
                            "    - ice: fix setting RSS VSI hash for E830",
                            "    - ice: fix locking in ice_dcb_rebuild()",
                            "    - ice: dpll: fix rclk pin state get for E810",
                            "    - ice: dpll: fix misplaced header macros",
                            "    - net: lan966x: avoid unregistering netdev on register failure",
                            "    - net: ti: icssm-prueth: fix eth_ports_node leak in probe",
                            "    - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register",
                            "      access",
                            "    - phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init()",
                            "    - NFSD: Fix infinite loop in layout state revocation",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC",
                            "    - fprobe: Fix unregister_fprobe() to wait for RCU grace period",
                            "    - fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap",
                            "    - fs: Fix return in jfs_mkdir and orangefs_mkdir",
                            "    - irqchip/ath79-cpu: Remove unused function",
                            "    - fs: fix forced iversion increment on lazytime timestamp updates",
                            "    - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter",
                            "      validation",
                            "    - nsfs: fix wrong error code returned for pidns ioctls",
                            "    - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT",
                            "    - nvme: fix bio leak on mapping failure",
                            "    - nvme-pci: fix use-after-free in nvme_free_host_mem()",
                            "    - zonefs: handle integer overflow in zonefs_fname_to_fno",
                            "    - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().",
                            "    - ASoC: SOF: amd: Fix error code handling in psp_send_cmd()",
                            "    - powerpc: 82xx: fix uninitialized pointers with free attribute",
                            "    - powerpc: fix dead default for GUEST_STATE_BUFFER_TEST",
                            "    - powerpc/hv-gpci: fix preempt count leak in sysfs show paths",
                            "    - netfs: Fix cancellation of a DIO and single read subrequests",
                            "    - netfs: Fix missing locking around retry adding new subreqs",
                            "    - netfs: Fix missing barriers when accessing stream->subrequests",
                            "      locklessly",
                            "    - netfs: Fix netfs_read_to_pagecache() to pause on subreq failure",
                            "    - netfs: Fix potential for tearing in ->remote_i_size and ->zero_point",
                            "    - netfs: Fix zeropoint update where i_size > remote_i_size",
                            "    - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call",
                            "    - netfs: Fix overrun check in netfs_extract_user_iter()",
                            "    - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes",
                            "      gone",
                            "    - netfs: Defer the emission of trace_netfs_folio()",
                            "    - netfs: Fix streaming write being overwritten",
                            "    - netfs: Fix potential deadlock in write-through mode",
                            "    - netfs: Fix read-gaps to remove netfs_folio from filled folio",
                            "    - netfs: Fix write streaming disablement if fd open O_RDWR",
                            "    - netfs: Fix early put of sink folio in netfs_read_gaps()",
                            "    - netfs: Fix leak of request in netfs_write_begin() error handling",
                            "    - netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()",
                            "    - netfs: Fix partial invalidation of streaming-write folio",
                            "    - netfs: Fix folio->private handling in netfs_perform_write()",
                            "    - netfs: Fix netfs_read_folio() to wait on writeback",
                            "    - netfs, afs: Fix write skipping in dir/link writepages",
                            "    - afs: Fix the locking used by afs_get_link()",
                            "    - net: ethernet: cortina: Make RX SKB per-port",
                            "    - net: ethernet: cortina: Drop half-assembled SKB",
                            "    - net: ethernet: cortina: Carry over frag counter",
                            "    - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference",
                            "    - wifi: ath11k: fix error path leaks in some WMI WOW calls",
                            "    - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()",
                            "    - wifi: ath10k: skip WMI and beacon transmission when device is wedged",
                            "    - net: shaper: flip the polarity of the valid flag",
                            "    - net: shaper: fix trivial ordering issue in net_shaper_commit()",
                            "    - net: shaper: reject duplicate leaves in GROUP request",
                            "    - net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit",
                            "    - net: shaper: fix undersized reply skb allocation in GROUP command",
                            "    - net: shaper: enforce singleton NETDEV scope with id 0",
                            "    - net: shaper: reject QUEUE scope handle with missing id",
                            "    - block: don't overwrite bip_vcnt in bio_integrity_copy_user()",
                            "    - block: recompute nr_integrity_segments in blk_insert_cloned_request",
                            "    - HID: quirks: really enable the intended work around for appledisplay",
                            "    - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()",
                            "    - accel/qaic: Add overflow check to remap_pfn_range during mmap",
                            "    - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint",
                            "    - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics",
                            "    - drm/msm/dpu: fix UV scanlines calculation for YUV UBWC formats",
                            "    - drm/msm/dpu: Fix Kaanapali CWB register configuration",
                            "    - drm/msm/dsi: don't dump registers past the mapped region",
                            "    - drm/msm/dpu: don't mix devm and drmm functions",
                            "    - block: rename struct gendisk zone_wplugs_lock field",
                            "    - block: allow submitting all zone writes from a single context",
                            "    - block: fix handling of dead zone write plugs",
                            "    - selftests: ublk: cap nthreads to kernel's actual nr_hw_queues",
                            "    - x86/mce: Restore MCA polling interval halving",
                            "    - Documentation: intel_pstate: Fix description of asymmetric packing with",
                            "      SMT",
                            "    - drm/msm: Fix GMEM_BASE for A650",
                            "    - drm/msm/a6xx: Add soft fuse detection support",
                            "    - drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()",
                            "    - drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx",
                            "    - drm/msm/a6xx: Restore sysprof_active",
                            "    - drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN",
                            "    - drm/msm/a6xx: Check kzalloc return in a8xx_hfi_send_perf_table",
                            "    - ASoC: intel: sof_sdw: Prepare for configuration without a jack",
                            "    - ASoC: sdw_utils: cs42l43: allow spk component names to be combined",
                            "    - ASoC: sdw_utils: Check speaker component string allocation",
                            "    - riscv: Docs: fix unmatched quote warning",
                            "    - powerpc/time: Remove redundant preempt_disable|enable() calls from",
                            "      arch_irq_work_raise()",
                            "    - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot",
                            "    - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring",
                            "    - net: tls: prevent chain-after-chain in plain text SG",
                            "    - net: phy: DP83TC811: add reading of abilities",
                            "    - ovpn: tcp - use cached peer pointer in ovpn_tcp_close()",
                            "    - ovpn: respect peer refcount in CMD_NEW_PEER error path",
                            "    - ovpn: fix race between deleting interface and adding new peer",
                            "    - cifs: client: stage smb3_reconfigure() updates and restore ctx on",
                            "      failure",
                            "    - phy: apple: atc: Fix typec switch/mux leak on unbind",
                            "    - gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE",
                            "    - x86/xen: Fix xen_e820_swap_entry_with_ram()",
                            "    - vfio/pci: Check BAR resources before exporting a DMABUF",
                            "    - ovpn: disable BHs when updating device stats",
                            "    - tls: Preserve sk_err across recvmsg() when data has been copied",
                            "    - net/mlx5: Do not restore destination-less TC rules",
                            "    - net/mlx5: Skip disabled vports when setting max TX speed",
                            "    - scsi: sd: Fix return code handling in sd_spinup_disk()",
                            "    - ASoC: codecs: fs210x: fix possible buffer overflow",
                            "    - iommupt: Directly call iommupt's unmap_range()",
                            "    - iommupt: Avoid rewalking during map",
                            "    - iommu: Fix loss of errno on map failure for classic ops",
                            "    - iommu: Fix up map/unmap debugging for iommupt domains",
                            "    - iommu: Handle unmap error when iommu_debug is enabled",
                            "    - iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap",
                            "    - iommupt: Fix the end_index calculation in __map_range_leaf()",
                            "    - ALSA: scarlett2: Add missing error check when initialise Autogain Status",
                            "    - ALSA: hda/ca0132: Disable auto-detect on manual output select",
                            "    - cachefiles: Fix error return when vfs_mkdir() fails",
                            "    - io_uring/net: punt IORING_OP_BIND async if it needs file create",
                            "    - vsock/virtio: fix zerocopy completion for multi-skb sends",
                            "    - btrfs: check for subvolume before deleting squota qgroup",
                            "    - btrfs: fix squota accounting during enable generation",
                            "    - ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging",
                            "    - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()",
                            "    - netfilter: nft_inner: release local_lock before re-enabling softirqs",
                            "    - ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5",
                            "    - drm/msm/snapshot: fix dumping of the unaligned regions",
                            "    - hwmon: (lm90) Stop work before releasing hwmon device",
                            "    - hwmon: (lm90) Add lock protection to lm90_alert",
                            "    - wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is",
                            "      disabled",
                            "    - wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it",
                            "    - dma-mapping: move dma_map_resource() sanity check into debug code",
                            "    - drm/gem: Make the GEM LRU lock part of drm_device",
                            "    - drm/xe/gsc: Fix double-free of managed BO in error path",
                            "    - drm/xe/vf: Fix signature of print functions",
                            "    - drm/xe/pf: Fix CFI failure in debugfs access",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019988906",
                            "    - drm/xe: Consolidate workaround entries for Wa_18033852989",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN1",
                            "    - drm/xe/tuning: Apply windower hardware filtering setting on Xe3 and Xe3p",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN4",
                            "    - wifi: ath11k: fix peer resolution on rx path when peer_id=0",
                            "    - wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing",
                            "    - drm/mediatek: mtk_hdmi_ddc_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_cec: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable",
                            "    - io_uring: propagate array_index_nospec opcode into req->opcode",
                            "    - srcu: Don't queue workqueue handlers to never-online CPUs",
                            "    - cgroup/rstat: validate cpu before css_rstat_cpu() access",
                            "    - net/mlx5e: xsk: Fix unlocked writing to ICOSQ",
                            "    - cifs: Fix undefined variables",
                            "    - ice: ptp: serialize E825 PHY timer start with PTP lock",
                            "    - ice: ptp: use primary NAC semaphore on E825",
                            "    - igc: set tx buffer type for SMD frames",
                            "    - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP",
                            "    - phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config",
                            "    - kbuild: pacman-pkg: make \"rc\" releases adhere to pacman versioning",
                            "      scheme",
                            "    - net: dsa: mt7530: fix FDB entries not aging out with short timeout",
                            "    - net: dsa: mt7530: preserve VLAN tags on trapped link-local frames",
                            "    - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer",
                            "    - platform/surface: aggregator_registry: omit battery & AC nodes on",
                            "      Surface Laptop 7",
                            "    - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL",
                            "    - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel_sar: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: uniwill-laptop: Properly initialize charging threshold",
                            "    - platform/x86: uniwill-laptop: Accept charging threshold of 0",
                            "    - platform/x86: uniwill-laptop: Fix behavior of \"force\" module param",
                            "    - platform/x86: asus-armoury: fix mini-LED mode get/set on MODE2 devices",
                            "    - ASoC: soc-utils: Add missing va_end in snd_soc_ret()",
                            "    - drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti (v2)",
                            "    - drm/amdgpu/vce1: Check that the GPU address is < 128 MiB",
                            "    - drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets",
                            "    - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port",
                            "    - RDMA/rtrs: Fix use-after-free in path file creation cleanup",
                            "    - bridge: mcast: Fix a possible use-after-free when removing a bridge port",
                            "    - net: phy: honor eee_disabled_modes in phy_support_eee()",
                            "    - net: phy: honor eee_disabled_modes in phy_advertise_eee_all()",
                            "    - net: airoha: Fix NPU RX DMA descriptor bits",
                            "    - pds_core: fix error handling in pdsc_devcmd_wait",
                            "    - pds_core: fix debugfs_lookup dentry leak and error handling",
                            "    - erofs: fix managed cache race for unaligned extents",
                            "    - erofs: harden h_shared_count in erofs_init_inode_xattrs()",
                            "    - erofs: fix metabuf leak in inode xattr initialization",
                            "    - wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs",
                            "    - wifi: mac80211: fix MLE defragmentation",
                            "    - wifi: mac80211: fix multi-link element inheritance",
                            "    - wifi: wilc1000: fix dma_buffer leak on bus acquire failure",
                            "    - ALSA: seq: Serialize UMP output teardown with event_input",
                            "    - cgroup: rstat: relax NMI guard after switch to try_cmpxchg",
                            "    - tracing: Avoid NULL return from hist_field_name() on truncation",
                            "    - Bluetooth: hci_sync: Fix not setting mask for",
                            "      HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE",
                            "    - Bluetooth: btintel_pcie: Fix incorrect MAC access programming",
                            "    - Bluetooth: btmtk: fix urb->setup_packet leak in error paths",
                            "    - udp: gso: Fix handling checksum in __udp_gso_segment",
                            "    - udp: Fix UDP length on last GSO_PARTIAL segment",
                            "    - net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA",
                            "    - net: shaper: annotate the data races",
                            "    - net: shaper: rework the VALID marking (again)",
                            "    - crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks",
                            "    - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg",
                            "    - net: ag71xx: check error for platform_get_irq",
                            "    - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx",
                            "    - tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction",
                            "    - net: stmmac: eswin: fix HSP CSR init ordering after clock enable",
                            "    - net: stmmac: eswin: clear TXD and RXD delay registers during",
                            "      initialization",
                            "    - net: stmmac: eswin: correct RGMII delay granularity to 20 ps",
                            "    - net: stmmac: eswin: validate RGMII delay values",
                            "    - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed",
                            "    - gpio: aggregator: fix a potential use-after-free",
                            "    - gpio: aggregator: stop using dev-sync-probe",
                            "    - gpio: aggregator: remove the software node when deactivating the",
                            "      aggregator",
                            "    - gpio: aggregator: lock device when calling device_is_bound()",
                            "    - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()",
                            "    - drm/xe/oa: Fix exec_queue leak on width check in stream open",
                            "    - ASoC: cs-amp-lib: Fix wrong sizeof() in",
                            "      _cs_amp_set_efi_calibration_data()",
                            "    - ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup()",
                            "    - selftests: net: Fix checksums in xdp_native",
                            "    - nvme-pci: fix dma_vecs leak on p2p memory",
                            "    - nvme-pci: fix dma mapping leak on data setup error",
                            "    - octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs",
                            "    - net: mana: validate rx_req_idx to prevent out-of-bounds array access",
                            "    - tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR",
                            "    - net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback",
                            "    - pds_core: ensure null-termination for firmware version strings",
                            "    - net: enetc: fix missing error code when pf->vf_state allocation fails",
                            "    - io_uring/nop: pass all errors to userspace",
                            "    - blk-mq: pop cached request if it is usable",
                            "    - ksmbd: fix durable reconnect error path file lifetime",
                            "    - LoongArch: kprobes: Fix handling of fatal unrecoverable recursions",
                            "    - block: avoid use-after-free in disk_free_zone_resources()",
                            "    - Documentation: laptops: Update documentation for uniwill laptops",
                            "    - platform/x86: uniwill-laptop: Do not enable the charging limit even when",
                            "      forced",
                            "    - drm/msm: Restore second parameter name in purge() and evict()",
                            "    - security/keys: fix missed RCU read section on lookup",
                            "    - Linux 7.0.11",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385)",
                            "    - blk-cgroup: wait for blkcg cleanup before initializing new disk",
                            "    - md: suppress spurious superblock update error message for dm-raid",
                            "    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
                            "    - fs/mbcache: cancel shrink work before destroying the cache",
                            "    - md/raid1: fix the comparing region of interval tree",
                            "    - fs: fix archiecture-specific compat_ftruncate64",
                            "    - drbd: Balance RCU calls in drbd_adm_dump_devices()",
                            "    - loop: fix partition scan race between udev and loop_reread_partitions()",
                            "    - block: fix zones_cond memory leak on zone revalidation error paths",
                            "    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()",
                            "    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()",
                            "    - pstore/ram: fix resource leak when ioremap() fails",
                            "    - erofs: include the trailing NUL in FS_IOC_GETFSLABEL",
                            "    - md: fix array_state=clear sysfs deadlock",
                            "    - ublk: reset per-IO canceled flag on each fetch",
                            "    - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()",
                            "    - erofs: handle 48-bit blocks/uniaddr for extra devices",
                            "    - md: remove unused static md_wq workqueue",
                            "    - md: wake raid456 reshape waiters before suspend",
                            "    - dcache: permit dynamic_dname()s up to NAME_MAX",
                            "    - btrfs: fix the inline compressed extent check in inode_need_compress()",
                            "    - btrfs: fix deadlock between reflink and transaction commit when using",
                            "      flushoncommit",
                            "    - btrfs: do not reject a valid running dev-replace",
                            "    - OPP: debugfs: Use performance level if available to distinguish between",
                            "      rates",
                            "    - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()",
                            "    - ACPI: x86: cmos_rtc: Clean up address space handler driver",
                            "    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver",
                            "    - devres: fix missing node debug info in devm_krealloc()",
                            "    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags",
                            "    - debugfs: check for NULL pointer in debugfs_create_str()",
                            "    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()",
                            "    - soundwire: debugfs: initialize firmware_file to empty string",
                            "    - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()",
                            "    - amd-pstate: Update cppc_req_cached in fast_switch case",
                            "    - cpufreq: Pass the policy to cpufreq_driver->adjust_perf()",
                            "    - PCI: use generic driver_override infrastructure",
                            "    - platform/wmi: use generic driver_override infrastructure",
                            "    - vdpa: use generic driver_override infrastructure",
                            "    - s390/cio: use generic driver_override infrastructure",
                            "    - s390/ap: use generic driver_override infrastructure",
                            "    - bus: fsl-mc: use generic driver_override infrastructure",
                            "    - locking/mutex: Rename mutex_init_lockep()",
                            "    - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC",
                            "    - irqchip/irq-pic32-evic: Address warning related to wrong printf()",
                            "      formatter",
                            "    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()",
                            "    - hrtimer: Reduce trace noise in hrtimer_start()",
                            "    - locking: Fix rwlock and spinlock lock context annotations",
                            "    - signal: Fix the lock_task_sighand() annotation",
                            "    - ww-mutex: Fix the ww_acquire_ctx function annotations",
                            "    - perf/amd/ibs: Account interrupt for discarded samples",
                            "    - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR",
                            "    - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler",
                            "    - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE",
                            "    - rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`",
                            "    - sparc64: vdso: Link with -z noexecstack",
                            "    - scripts/gdb: timerlist: Adapt to move of tk_core",
                            "    - locking: Fix rwlock support in <linux/spinlock_up.h>",
                            "    - sched/topology: Compute sd_weight considering cpuset partitions",
                            "    - x86/irqflags: Preemptively move include paravirt.h directive where it",
                            "      belongs",
                            "    - sched/topology: Fix sched_domain_span()",
                            "    - irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()",
                            "    - ASoC: Intel: avs: Check maximum valid CPUID leaf",
                            "    - ASoC: Intel: avs: Include CPUID header at file scope",
                            "    - x86/vdso: Clean up remnants of VDSO32_NOTE_MASK",
                            "    - firmware: dmi: Correct an indexing error in dmi.h",
                            "    - fs/resctrl: Report invalid domain ID when parsing io_alloc_cbm",
                            "    - sched: Make class_schedulers avoid pushing current, and get rid of",
                            "      proxy_tag_curr()",
                            "    - sched/rt: Skip group schedulable check with rt_group_sched=0",
                            "    - wifi: ath11k: fix memory leaks in beacon template setup",
                            "    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()",
                            "    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished",
                            "      irq_prepare_bcn_tasklet",
                            "    - bpf: test_run: Fix the null pointer dereference issue in",
                            "      bpf_lwt_xmit_push_encap",
                            "    - wifi: ath12k: account TX stats only when ACK/BA status is present",
                            "    - wifi: ath12k: Fix legacy rate mapping for monitor mode capture",
                            "    - selftests/bpf: Handle !CONFIG_SMC in bpf_smc.c",
                            "    - wifi: ieee80211: fix definition of EHT-MCS 15 in MRU",
                            "    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH",
                            "    - [Config] Disable CONFIG_FSL_DPAA2_SWITCH on armhf and ppc64el",
                            "    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n",
                            "    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments",
                            "    - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy",
                            "    - powerpc/64s: Fix unmap race with PMD migration entries",
                            "    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n",
                            "    - wifi: libertas: use USB anchors for tracking in-flight URBs",
                            "    - wifi: libertas: don't kill URBs in interrupt context",
                            "    - bpf: Do not allow deleting local storage in NMI",
                            "    - selftests/nolibc: fix test_file_stream() on musl libc",
                            "    - selftests/nolibc: Fix build with host headers and libc",
                            "    - tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to",
                            "      'outbuf[]'",
                            "    - tools/nolibc/printf: Move snprintf length check to callback",
                            "    - tools/nolibc: MIPS: fix clobbers of 'lo' and 'hi' registers on different",
                            "      ISAs",
                            "    - tools/nolibc: avoid -Wundef warning for __STDC_VERSION__",
                            "    - wifi: mt76: mt7996: fix the behavior of radar detection",
                            "    - wifi: mt76: mt7996: fix iface combination for different chipsets",
                            "    - wifi: mt76: mt7996: Set mtxq->wcid just for primary link",
                            "    - wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in",
                            "      mt7996_vif_link_remove()",
                            "    - wifi: mt76: mt7996: Switch to the secondary link if the default one is",
                            "      removed",
                            "    - wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()",
                            "    - wifi: mt76: mt7996: Reset ampdu_state state in case of failure in",
                            "      mt7996_tx_check_aggr()",
                            "    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in",
                            "      mt76_connac2_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control",
                            "    - wifi: mt76: mt7615: fix use_cts_prot support",
                            "    - wifi: mt76: mt7915: fix use_cts_prot support",
                            "    - wifi: mt76: mt7925: prevent NULL pointer dereference in",
                            "      mt7925_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: prevent NULL vif dereference in",
                            "      mt7925_mac_write_txwi",
                            "    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor",
                            "    - wifi: mt76: mt7921: Place upper limit on station AID",
                            "    - wifi: mt76: Fix memory leak destroying device",
                            "    - wifi: mt76: mt7996: Fix NPU stop procedure",
                            "    - wifi: mt76: npu: Add missing rx_token_size initialization",
                            "    - wifi: mt76: mt7925: drop puncturing handling from BSS change path",
                            "    - wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync",
                            "    - wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()",
                            "    - wifi: mt76: mt7925: fix tx power setting failure after chip reset",
                            "    - wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync",
                            "    - wifi: mt76: fix deadlock in remain-on-channel",
                            "    - wifi: mt76: fix backoff fields and max_power calculation",
                            "    - arm64: cpufeature: Make PMUVer and PerfMon unsigned",
                            "    - bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI",
                            "    - wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP",
                            "    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event",
                            "    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()",
                            "    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()",
                            "    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection",
                            "    - wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property",
                            "    - wifi: mt76: mt7996: Remove link pointer dependency in",
                            "      mt7996_mac_sta_remove_links()",
                            "    - wifi: mt76: mt7996: Decrement sta counter removing the link in",
                            "      mt7996_mac_reset_sta_iter()",
                            "    - wifi: mt76: fix multi-radio on-channel scanning",
                            "    - wifi: mt76: support upgrading passive scans to active",
                            "    - wifi: mt76: mt7996: fix RRO EMU configuration",
                            "    - bpf: Fix refcount check in check_struct_ops_btf_id()",
                            "    - selftests/bpf: Fix sockmap_multi_channels reliability",
                            "    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
                            "    - bpf: Fix variable length stack write over spilled pointers",
                            "    - arm_mpam: Ensure in_reset_state is false after applying configuration",
                            "    - arm_mpam: Reset when feature configuration bit unset",
                            "    - bpf,arc_jit: Fix missing newline in pr_err messages",
                            "    - wifi: rtw89: phy: fix uninitialized variable access in",
                            "      rtw89_phy_cfo_set_crystal_cap()",
                            "    - drivers/vfio_pci_core: Change PXD_ORDER check from switch case to",
                            "      if/else block",
                            "    - r8152: fix incorrect register write to USB_UPHY_XTAL",
                            "    - selftests/tracing: Fix to make --logdir option work again",
                            "    - selftests/tracing: Fix to check awk supports non POSIX strtonum()",
                            "    - powerpc/crash: fix backup region offset update to elfcorehdr",
                            "    - powerpc/crash: Update backup region offset in elfcorehdr on memory",
                            "      hotplug",
                            "    - bpf: Fix abuse of kprobe_write_ctx via freplace",
                            "    - macvlan: annotate data-races around port->bc_queue_len_used",
                            "    - bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK",
                            "    - bpf: Fix stale offload->prog pointer after constant blinding",
                            "    - net: ethernet: ti-cpsw:: rename soft_reset() function",
                            "    - net: ethernet: ti-cpsw: fix linking built-in code to modules",
                            "    - wifi: brcmfmac: Fix error pointer dereference",
                            "    - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()",
                            "    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable",
                            "      hooks",
                            "    - bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes",
                            "    - wifi: ath10k: fix station lookup failure during disconnect",
                            "    - bpf: Fix linked reg delta tracking when src_reg == dst_reg",
                            "    - net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT",
                            "    - net: plumb drop reasons to __dev_queue_xmit()",
                            "    - net: qdisc_pkt_len_segs_init() cleanup",
                            "    - net: pull headers in qdisc_pkt_len_segs_init()",
                            "    - arm64: entry: Don't preempt with SError or Debug masked",
                            "    - ACPI: AGDI: fix missing newline in error message",
                            "    - arm64: kexec: Remove duplicate allocation for trans_pgd",
                            "    - bpf: Propagate error from visit_tailcall_insn",
                            "    - bpf: Fix ld_{abs,ind} failure path analysis in subprogs",
                            "    - bpf: Remove static qualifier from local subprog pointer",
                            "    - mptcp: better mptcp-level RTT estimator",
                            "    - bpf: Fix use-after-free in offloaded map/prog info fill",
                            "    - macsec: Support VLAN-filtering lower devices",
                            "    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb",
                            "    - net: bcmgenet: fix leaking free_bds",
                            "    - net: bcmgenet: fix racing timeout handler",
                            "    - net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()",
                            "    - eth: fbnic: Use wake instead of start",
                            "    - netfilter: xt_socket: enable defrag after all other checks",
                            "    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding",
                            "    - bpf: fix mm lifecycle in open-coded task_vma iterator",
                            "    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks",
                            "    - bpf: return VMA snapshot from task_vma iterator",
                            "    - bpf: Fix RCU stall in bpf_fd_array_map_clear()",
                            "    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf",
                            "    - net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available",
                            "    - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars",
                            "    - selftests/bpf: fix __jited_unpriv tag name",
                            "    - net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
                            "    - net/sched: act_ct: Only release RCU read lock after ct_ft",
                            "    - selftests: netfilter: nft_tproxy.sh: adjust to socat changes",
                            "    - net: mana: Use pci_name() for debugfs directory naming",
                            "    - net: mana: Move current_speed debugfs file to mana_init_port()",
                            "    - net: airoha: Add missing RX_CPU_IDX() configuration in",
                            "      airoha_qdma_cleanup_rx_queue()",
                            "    - net_sched: fix skb memory leak in deferred qdisc drops",
                            "    - bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
                            "    - bpf: Allow instructions with arena source and non-arena dest registers",
                            "    - selftests/bpf: Fix reg_bounds to match new tnum-based refinement",
                            "    - net/rds: Optimize rds_ib_laddr_check",
                            "    - net/rds: Restrict use of RDS/IB to the initial network namespace",
                            "    - bpf: Fix OOB in pcpu_init_value",
                            "    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls",
                            "    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG",
                            "    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+",
                            "    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110",
                            "    - net: phy: fix a return path in get_phy_c45_ids()",
                            "    - net/mlx5e: Fix features not applied during netdev registration",
                            "    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()",
                            "    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers",
                            "    - net: fix skb_ext_total_length() BUILD_BUG_ON with",
                            "      CONFIG_GCOV_PROFILE_ALL",
                            "    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb",
                            "    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds",
                            "      MTU",
                            "    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error",
                            "    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
                            "    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp",
                            "    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to",
                            "      sco_pi(sk)->codec",
                            "    - net: phy: qcom: at803x: Use the correct bit to disable extended next",
                            "      page",
                            "    - udp: Force compute_score to always inline",
                            "    - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().",
                            "    - sctp: fix missing encap_port propagation for GSO fragments",
                            "    - sctp: disable BH before calling udp_tunnel_xmit_skb()",
                            "    - selftests/namespaces: remove unused utils.h include from",
                            "      listns_efault_test",
                            "    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master",
                            "    - net: airoha: Fix VIP configuration for AN7583 SoC",
                            "    - net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()",
                            "    - drm/panel: ilitek-ili9882t: Select DRM_DISPLAY_DSC_HELPER",
                            "    - selftests/futex: Fix incorrect result reporting of futex_requeue test",
                            "      item",
                            "    - drm/komeda: fix integer overflow in AFBC framebuffer size check",
                            "    - dma-fence: Fix sparse warnings due __rcu annotations",
                            "    - drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()",
                            "    - drm/virtio: Allow importing prime buffers when 3D is enabled",
                            "    - ASoC: soc-compress: use function to clear symmetric params",
                            "    - PCI/TPH: Allow TPH enable for RCiEPs",
                            "    - PCI: endpoint: pci-epf-vntb: Fix MSI doorbell IRQ unwind",
                            "    - PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested",
                            "    - PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc",
                            "    - drm/sun4i: mixer: Fix layer init code",
                            "    - drm/sun4i: backend: fix error pointer dereference",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019877138",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019386621",
                            "    - drm/xe/xe2_hpg: Drop invalid workaround Wa_15010599737",
                            "    - gpu: nova-core: gsp: use empty slices instead of [0..0] ranges",
                            "    - gpu: nova-core: gsp: fix improper handling of empty slot in cmdq",
                            "    - drm/amdkfd: Removed commented line for MQD queue priority",
                            "    - PCI: imx6: Fix device node reference leak in imx_pcie_probe()",
                            "    - crypto: inside-secure/eip93 - fix register definition",
                            "    - ASoC: sti: Return errors from regmap_field_alloc()",
                            "    - ASoC: sti: use managed regmap_field allocations",
                            "    - dm cache: fix null-deref with concurrent writes in passthrough mode",
                            "    - dm cache: fix write path cache coherency in passthrough mode",
                            "    - dm cache: fix write hang in passthrough mode",
                            "    - dm cache policy smq: fix missing locks in invalidating cache blocks",
                            "    - dm cache: fix concurrent write failure in passthrough mode",
                            "    - dm cache: fix dirty mapping checking in passthrough mode switching",
                            "    - dm-mpath: don't stop probing paths at presuspend",
                            "    - drm/amd/ras: Fix type size of remainder argument",
                            "    - dt-bindings: mmc: dwcmshc-sdhci: Fix resets array validation",
                            "    - drm/amdgpu: GFX12.1 scratch memory limit up to 57-bit",
                            "    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove",
                            "    - gpu: nova-core: use checked arithmetic in FWSEC firmware parsing",
                            "    - gpu: nova-core: create falcon firmware DMA objects lazily",
                            "    - gpu: nova-core: falcon: rename load parameters to reflect DMA dependency",
                            "    - gpu: nova-core: firmware: fix and explain v2 header offsets computations",
                            "    - PCI: dwc: ep: Fix MSI-X Table Size configuration in",
                            "      dw_pcie_ep_set_msix()",
                            "    - PCI: dwc: ep: Mirror the max link width and speed fields to all",
                            "      functions",
                            "    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()",
                            "    - dm cache metadata: fix memory leak on metadata abort retry",
                            "    - dm log: fix out-of-bounds write due to region_count overflow",
                            "    - iopoll: fix function parameter names in read_poll_timeout_atomic()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier",
                            "      in atomic_enable()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to",
                            "      drm_bridge_funcs",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge",
                            "      atomic check",
                            "    - spi: nxp-xspi: Use reinit_completion() for repeated operations",
                            "    - spi: nxp-fspi: Use reinit_completion() for repeated operations",
                            "    - spi: fsl-qspi: Use reinit_completion() for repeated operations",
                            "    - spi: axiado: Remove redundant pm_runtime_mark_last_busy() call",
                            "    - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe",
                            "    - media: synopsys: VIDEO_DW_MIPI_CSI2RX should depend on ARCH_ROCKCHIP",
                            "    - [Config] VIDEO_DW_MIPI_CSI2RX depends on ARCH_ROCKCHIP",
                            "    - drm/amd/pm: Fix xgmi max speed reporting",
                            "    - spi: atcspi200: fix mutex initialization order",
                            "    - selftests/sched_ext: Add missing error check for exit__load()",
                            "    - drm/v3d: Handle error from drm_sched_entity_init()",
                            "    - drm/sun4i: Fix resource leaks",
                            "    - crypto: inside-secure/eip93 - register hash before authenc algorithms",
                            "    - PCI: rzg3s-host: Fix reset handling in probe error path",
                            "    - PCI: rzg3s-host: Reorder reset assertion during suspend",
                            "    - dt-bindings: PCI: renesas,r9a08g045s33-pcie: Fix naming properties",
                            "    - iommu/riscv: Add IOTINVAL after updating DDT/PDT entries",
                            "    - iommu/riscv: Skip IRQ count check when using MSI interrupts",
                            "    - iommu/riscv: Add missing GENERIC_MSI_IRQ",
                            "    - iommu/riscv: Stop polling when CQCSR reports an error",
                            "    - drm/amdkfd: Update queue properties for metadata ring",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()",
                            "    - drm/amdgpu: Add default case in DVI mode validation",
                            "    - regulator: dt-bindings: fp9931: Make vin-supply property as required",
                            "    - regulator: fp9931: Fix handling of mandatory \"vin\" supply",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()",
                            "    - drm/amdgpu: Drop redundant queue NULL check in hang detect worker",
                            "    - drm/amdgpu: Remove dead negative offset check in",
                            "      amdgpu_virt_init_critical_region()",
                            "    - dm init: ensure device probing has finished in dm-mod.waitfor=",
                            "    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build",
                            "      break",
                            "    - crypto: simd - reject compat registrations without __ prefixes",
                            "    - crypto: tegra - Disable softirqs before finalizing request",
                            "    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs",
                            "    - padata: Remove cpu online check from cpu add and removal",
                            "    - padata: Put CPU offline callback in ONLINE section to allow failure",
                            "    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the",
                            "      documentation",
                            "    - accel/amdxdna: fix missing newline in pr_err message",
                            "    - drm/amd/ras: Remove redundant NULL check in pending bad-bank list",
                            "      iteration",
                            "    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority",
                            "    - drm/amdgpu/gfx11: look at the right prop for gfx queue priority",
                            "    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo",
                            "    - PCI: sky1: Fix missing cleanup of ECAM config on probe failure",
                            "    - drm/imagination: Switch reset_reason fields from enum to u32",
                            "    - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()",
                            "    - iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement",
                            "    - drm/msm: add missing MODULE_DEVICE_ID definitions",
                            "    - drm/msm/dpu: fix mismatch between power and frequency",
                            "    - drm/msm/dsi: add the missing parameter description",
                            "    - drm/msm/dpu: don't try using 2 LMs if only one DSC is available",
                            "    - drm/msm/dsi: fix bits_per_pclk",
                            "    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel",
                            "    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0",
                            "    - ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode",
                            "    - tools/sched_ext: scx_pair: fix pair_ctx indexing for CPU pairs",
                            "    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first",
                            "    - drm/panel: simple: Correct G190EAN01 prepare timing",
                            "    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion",
                            "      support",
                            "    - PCI: Prevent shrinking bridge window from its required size",
                            "    - PCI: Fix premature removal from realloc_head list during resource",
                            "      assignment",
                            "    - crypto: hisilicon/sec2 - prevent req used-after-free for sec",
                            "    - PCI: Fix alignment calculation for resource size larger than align",
                            "    - iommu/riscv: Fix signedness bug",
                            "    - ALSA: core: Validate compress device numbers without dynamic minors",
                            "    - drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths",
                            "    - ASoC: amd: acp: update dmic_num logic for acp pdm dmic",
                            "    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled",
                            "    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs",
                            "    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock",
                            "    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0",
                            "    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels",
                            "    - drm/amd/pm/ci: Fill DW8 fields from SMC",
                            "    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board",
                            "    - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled",
                            "    - PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors",
                            "    - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback",
                            "    - ALSA: hda/realtek: fix bad indentation for alc269",
                            "    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace",
                            "      '}')",
                            "    - ASoC: SOF: Intel: hda: Place check before dereference",
                            "    - drm/msm/vma: Avoid lock in VM_BIND fence signaling path",
                            "    - drm/msm/a6xx: Add missing aperture_lock init",
                            "    - drm/msm: Reject fb creation from _NO_SHARE objs",
                            "    - drm/msm: Fix VM_BIND UNMAP locking",
                            "    - drm/msm/a6xx: Fix HLSQ register dumping",
                            "    - drm/msm/shrinker: Fix can_block() logic",
                            "    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks",
                            "    - drm/msm/a6xx: Use barriers while updating HFI Q headers",
                            "    - drm/msm/a8xx: Fix the ticks used in submit traces",
                            "    - drm/msm/a6xx: Switch to preemption safe AO counter",
                            "    - drm/msm/a6xx: Correct OOB usage",
                            "    - drm/msm/adreno: Implement gx_is_on() for A8x",
                            "    - drm/msm/a6xx: Fix gpu init from secure world",
                            "    - ALSA: hda/cmedia: Remove duplicate pin configuration parsing",
                            "    - pmdomain: ti: omap_prm: Fix a reference leak on device node",
                            "    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()",
                            "    - PM: domains: De-constify fields in struct dev_pm_domain_attach_data",
                            "    - drm/msm/dpu: drop INTF_0 on MSM8953",
                            "    - ASoC: fsl_micfil: Add access property for \"VAD Detected\"",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_range_set()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()",
                            "    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()",
                            "    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()",
                            "    - ASoC: fsl_easrc: Change the type for iec958 channel status controls",
                            "    - iommu/amd: Fix clone_alias() to use the original device's devid",
                            "    - iommu/riscv: Remove overflows on the invalidation path",
                            "    - ASoC: qcom: qdsp6: topology: check widget type before accessing data",
                            "    - PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value",
                            "    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off",
                            "    - crypto: qat - disable 420xx AE cluster when lead engine is fused off",
                            "    - crypto: qat - fix compression instance leak",
                            "    - crypto: qat - fix type mismatch in RAS sysfs show functions",
                            "    - crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()",
                            "    - crypto: qat - use swab32 macro",
                            "    - ALSA: hda: Notify IEC958 Default PCM switch state changes",
                            "    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]",
                            "    - PCI: Enable AtomicOps only if Root Port supports them",
                            "    - PCI: imx6: Keep Root Port MSI capability with iMSI-RX to work around",
                            "      hardware bug",
                            "    - PCI: aspeed: Fix IRQ domain leak on platform_get_irq() failure",
                            "    - dt-bindings: PCI: imx6q-pcie: Fix maxItems of clocks and clock-names",
                            "    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found",
                            "    - gpu: nova-core: bitfield: fix broken Default implementation",
                            "    - selftests/mm: skip migration tests if NUMA is unavailable",
                            "    - Documentation: fix a hugetlbfs reservation statement",
                            "    - Docs/admin-guide/mm/damn/lru_sort: fix intervals autotune parameter name",
                            "    - Docs/mm/damon/index: fix typo: autoamted -> automated",
                            "    - zram: do not permit params change after init",
                            "    - selftest: memcg: skip memcg_sock test if address family not supported",
                            "    - gpu: nova-core: remove redundant `.as_ref()` for `dev_*` print",
                            "    - gpu: nova-core: fix missing colon in SEC2 boot debug message",
                            "    - ALSA: scarlett2: Add missing sentinel initializer field",
                            "    - ASoC: qcom: audioreach: explicitly enable speaker protection modules",
                            "    - ASoC: SOF: compress: return the configured codec from get_params",
                            "    - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports",
                            "    - tools/sched_ext: Fix off-by-one in scx_sdt payload zeroing",
                            "    - ASoC: soc-component: re-add pcm_new()/pcm_free()",
                            "    - ASoC: amd: name back to pcm_new()/pcm_free()",
                            "    - ASoC: amd: ps: fix the pcm device numbering for acp pdm dmic",
                            "    - ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream",
                            "    - PCI: tegra194: Fix polling delay for L2 state",
                            "    - PCI: tegra194: Increase LTSSM poll time on surprise link down",
                            "    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link",
                            "      down",
                            "    - PCI: tegra194: Don't force the device into the D0 state before L2",
                            "    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode",
                            "    - PCI: tegra194: Use devm_gpiod_get_optional() to parse \"nvidia,refclk-",
                            "      select\"",
                            "    - PCI: tegra194: Disable direct speed change for Endpoint mode",
                            "    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint",
                            "      mode",
                            "    - PCI: tegra194: Allow system suspend when the Endpoint link is not up",
                            "    - PCI: tegra194: Free up Endpoint resources during remove()",
                            "    - PCI: tegra194: Use DWC IP core version",
                            "    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well",
                            "    - PCI: tegra194: Disable L1.2 capability of Tegra234 EP",
                            "    - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on",
                            "    - drm/fb-helper: Fix a locking bug in an error path",
                            "    - PCI: cadence: Add flags for disabling ASPM capability for broken Root",
                            "      Ports",
                            "    - PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root Ports",
                            "    - ASoC: SDCA: Fix cleanup inversion in class driver",
                            "    - spi: rzv2h-rspi: Fix invalid SPR=0/BRDV=0 clock configuration",
                            "    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()",
                            "      callback",
                            "    - ALSA: sc6000: Keep the programmed board state in card-private data",
                            "    - dm cache: fix missing return in invalidate_committed's error path",
                            "    - sched_ext: Track @p's rq lock across set_cpus_allowed_scx ->",
                            "      ops.set_cpumask",
                            "    - sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking",
                            "    - spi: cadence-qspi: Revert the filtering of certain opcodes in ODTR",
                            "    - crypto: jitterentropy - replace long-held spinlock with mutex",
                            "    - ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP",
                            "    - ALSA: hda/realtek - fixed speaker no sound update",
                            "    - gfs2: Call unlock_new_inode before d_instantiate",
                            "    - fanotify: avoid/silence premature LSM capability checks",
                            "    - fanotify: call fanotify_events_supported() before path_permission() and",
                            "      security_path_notify()",
                            "    - fuse: fix uninit-value in fuse_dentry_revalidate()",
                            "    - ktest: Avoid undef warning when WARNINGS_FILE is unset",
                            "    - ktest: Honor empty per-test option overrides",
                            "    - ktest: Run POST_KTEST hooks on failure and cancellation",
                            "    - vfio: selftests: fix crash in vfio_dma_mapping_mmio_test",
                            "    - rtla/utils: Fix resource leak in set_comm_sched_attr()",
                            "    - tools/rtla: Generate optstring from long options",
                            "    - rtla: Fix segfault on multiple SIGINTs",
                            "    - vfio: selftests: Build tests on aarch64",
                            "    - gfs2: less aggressive low-memory log flushing",
                            "    - quota: Fix race of dquot_scan_active() with quota deactivation",
                            "    - vfio: unhide vdev->debug_root",
                            "    - gfs2: add some missing log locking",
                            "    - gfs2: prevent NULL pointer dereference during unmount",
                            "    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation",
                            "    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
                            "    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon",
                            "    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible",
                            "    - memory: tegra124-emc: Fix dll_change check",
                            "    - memory: tegra30-emc: Fix dll_change check",
                            "    - arm64: dts: imx8-apalis: Fix LEDs name collision",
                            "    - arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD",
                            "    - riscv: dts: spacemit: pcie: fix missing power regulator",
                            "    - arm64: dts: mediatek: mt7988a-bpi-r4pro: fix model string",
                            "    - arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config",
                            "    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO",
                            "      (M.2 W_DISABLE1)",
                            "    - iommufd: vfio compatibility extension check for noiommu mode",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges",
                            "    - arm64: dts: qcom: qcs6490-rubikpi3: Use lt9611 DSI Port B",
                            "    - arm64: dts: qcom: talos: Add missing clock-names to GCC",
                            "    - arm64: dts: ti: k3-am62l: include WKUP_UART0 in wakeup peripheral window",
                            "    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count",
                            "    - iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}",
                            "    - arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices",
                            "    - arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC",
                            "      eval carrier",
                            "    - arm64: dts: imx8mp-hummingboard-pulse/cubox-m: fix vmmc gpio polarity",
                            "    - arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference",
                            "    - ARM: dts: BCM5301X: Drop extra NAND controller compatible",
                            "    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8937-xiaomi-land: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight",
                            "    - firmware: qcom_scm: don't opencode kmemdup",
                            "    - soc: qcom: ubwc: disable bank swizzling for Glymur platform",
                            "    - arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi",
                            "    - Revert \"arm64: dts: rockchip: add SPDIF audio to Beelink A1\"",
                            "    - arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace",
                            "    - arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace",
                            "    - soc: qcom: ocmem: make the core clock optional",
                            "    - soc: qcom: ocmem: register reasons for probe deferrals",
                            "    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available",
                            "    - riscv: dts: spacemit: drop incorrect pinctrl for combo PHY",
                            "    - arm64: dts: rockchip: Fix RK3562 EVB2 model name",
                            "    - arm64: dts: rockchip: Add mphy reset to ufshc node",
                            "    - bus: rifsc: fix RIF configuration check for peripherals",
                            "    - arm64: dts: qcom: arduino-imola: fix faulty spidev node",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: add missing denali-oled.dtb to",
                            "      Makefile\"",
                            "    - arm64: dts: qcom: add missing denali-oled.dtb to Makefile",
                            "    - arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: lemans: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: monaco: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8750: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: kaanapali: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: milos: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8750: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller",
                            "    - arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl",
                            "    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered",
                            "      during boot",
                            "    - arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader",
                            "    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62l3-evm: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins",
                            "    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label",
                            "    - arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS",
                            "      muxing",
                            "    - arm64: dts: imx91: Remove TMU's superfluous sensor ID",
                            "    - arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC",
                            "    - arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3",
                            "    - arm64: dts: imx8mp-evk: Specify ADV7535 register addresses",
                            "    - arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit",
                            "    - arm64: dts: lx2160a: remove duplicate pinmux nodes",
                            "    - arm64: dts: lx2160a: rename pinmux nodes for readability",
                            "    - arm64: dts: lx2160a: add sda gpio references for i2c bus recovery",
                            "    - arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes",
                            "    - arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word",
                            "    - arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual",
                            "    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual",
                            "    - soc/tegra: cbb: Set ERD on resume for err interrupt",
                            "    - soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables",
                            "    - soc/tegra: cbb: Fix cross-fabric target timeout lookup",
                            "    - arm64: tegra: Fix RTC aliases",
                            "    - soc/tegra: pmc: Add kerneldoc for reboot notifier",
                            "    - soc/tegra: pmc: Correct function names in kerneldoc",
                            "    - soc/tegra: pmc: Add kerneldoc for wake-up variables",
                            "    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()",
                            "      failure",
                            "    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()",
                            "    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison",
                            "    - soc: qcom: llcc: fix v1 SB syndrome register offset",
                            "    - soc: qcom: aoss: compare against normalized cooling state",
                            "    - arm64: dts: qcom: milos: Add missing CX power domain to GCC",
                            "    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP",
                            "    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX",
                            "    - arm64/xor: fix conflicting attributes for xor_block_template",
                            "    - lib: kunit_iov_iter: fix memory leaks",
                            "    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended",
                            "    - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP",
                            "    - fwctl: Fix class init ordering to avoid NULL pointer dereference on",
                            "      device removal",
                            "    - ocfs2: fix listxattr handling when the buffer is full",
                            "    - ocfs2: validate bg_bits during freefrag scan",
                            "    - ocfs2: validate group add input before caching",
                            "    - dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis",
                            "    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void",
                            "      function",
                            "    - phy: apple: apple: Use local variable for ioremap return value",
                            "    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()",
                            "    - soundwire: Intel: test bus.bpt_stream before assigning it",
                            "    - dmaengine: mxs-dma: Fix missing return value from",
                            "      of_dma_controller_register()",
                            "    - soundwire: cadence: Clear message complete before signaling waiting",
                            "      thread",
                            "    - tracing: move __printf() attribute on __ftrace_vbprintk()",
                            "    - tracing: Rebuild full_name on each hist_field_name() call",
                            "    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC",
                            "    - [Config] Enable CONFIG_HTE_TEGRA194 on armhf",
                            "    - remoteproc: xlnx: Fix sram property parsing",
                            "    - stop_machine: Fix the documentation for a NULL cpus argument",
                            "    - remoteproc: imx_rproc: Check return value of regmap_attach_dev() in",
                            "      imx_rproc_mmio_detect_mode()",
                            "    - ima: check return value of crypto_shash_final() in boot aggregate",
                            "    - HID: asus: make asus_resume adhere to linux kernel coding standards",
                            "    - HID: asus: do not abort probe when not necessary",
                            "    - workqueue: devres: Add device-managed allocate workqueue",
                            "    - power: supply: max77705: Drop duplicated IRQ error message",
                            "    - power: supply: max77705: Free allocated workqueue and fix removal order",
                            "    - mtd: physmap_of_gemini: Fix disabled pinctrl state check",
                            "    - ima_fs: Correctly create securityfs files for unsupported hash algos",
                            "    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range",
                            "    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read",
                            "      operations",
                            "    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation",
                            "    - mtd: spi-nor: micron-st: add SNOR_CMD_PP_8_8_8_DTR sfdp fixup for",
                            "      mt35xu512aba",
                            "    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask",
                            "    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path",
                            "    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions",
                            "    - cxl/pci: Check memdev driver binding status in cxl_reset_done()",
                            "    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob",
                            "    - mtd: spinand: winbond: Clarify when to enable the HS bit",
                            "    - HID: usbhid: fix deadlock in hid_post_reset()",
                            "    - ext4: fix miss unlock 'sb->s_umount' in extents_kunit_init()",
                            "    - ext4: call deactivate_super() in extents_kunit_exit()",
                            "    - ext4: fix the error handling process in extents_kunit_init).",
                            "    - ext4: fix possible null-ptr-deref in extents_kunit_exit()",
                            "    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()",
                            "    - bpf, arm64: Reject out-of-range B.cond targets",
                            "    - bpf, arm64: Fix off-by-one in check_imm signed range check",
                            "    - bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, sockmap: Fix af_unix iter deadlock",
                            "    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update",
                            "    - bpf, sockmap: Take state lock for af_unix iter",
                            "    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check",
                            "    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs",
                            "    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()",
                            "    - libbpf: Prevent double close and leak of btf objects",
                            "    - bpf: Validate node_id in arena_alloc_pages()",
                            "    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - dt-bindings: pinctrl: marvell,armada3710-xb-pinctrl: add missing items",
                            "      keyword",
                            "    - pinctrl: pinctrl-pic32: Fix resource leak",
                            "    - perf trace: Avoid an ERR_PTR in syscall_stats",
                            "    - pinctrl: microchip-mssio: Fix missing return in probe",
                            "    - perf test type profiling: Remote typedef on struct",
                            "    - pinctrl: cy8c95x0: remove duplicate error message",
                            "    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()",
                            "    - pinctrl: cy8c95x0: Avoid returning positive values to user space",
                            "    - perf branch: Avoid incrementing NULL",
                            "    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE",
                            "      trace",
                            "    - pinctrl: pinconf-generic: Fully validate 'pinmux' property",
                            "    - pinctrl: realtek: Fix function signature for config argument",
                            "    - pinctrl: abx500: Fix type of 'argument' variable",
                            "    - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT}",
                            "      registers",
                            "    - tools build: Correct link flags for libopenssl",
                            "    - perf lock: Fix option value type in parse_max_stack",
                            "    - perf stat: Fix opt->value type for parse_cache_level",
                            "    - memblock: reserve_mem: fix end caclulation in",
                            "      reserve_mem_release_by_name()",
                            "    - perf stat: Fix crash on arm64",
                            "    - perf tools: Fix module symbol resolution for non-zero .text sh_addr",
                            "    - perf test: Fix ratio_to_prev event parsing test",
                            "    - perf test: Skip perf data type profiling tests for s390",
                            "    - perf expr: Return -EINVAL for syntax error in expr__find_ids()",
                            "    - perf metrics: Make common stalled metrics conditional on having the",
                            "      event",
                            "    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure",
                            "    - ipmi: ssif_bmc: fix message desynchronization after truncated response",
                            "    - ipmi: ssif_bmc: change log level to dbg in irq callback",
                            "    - perf cgroup: Update metric leader in evlist__expand_cgroup",
                            "    - pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description",
                            "    - pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description",
                            "    - perf maps: Fix fixup_overlap_and_insert that can break sorted by name",
                            "      order",
                            "    - perf maps: Fix copy_from that can break sorted by name order",
                            "    - perf util: Kill die() prototype, dead for a long time",
                            "    - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback",
                            "    - i3c: master: dw-i3c: Balance PM runtime usage count on probe failure",
                            "    - i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()",
                            "    - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()",
                            "    - i3c: master: adi: Fix error propagation for CCCs",
                            "    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status",
                            "    - fs/ntfs3: prevent uninitialized lcn caused by zero len",
                            "    - backlight: sky81452-backlight: Check return value of",
                            "      devm_gpiod_get_optional() in sky81452_bl_parse_dt()",
                            "    - platform/surface: surfacepro3_button: Drop wakeup source on remove",
                            "    - leds: lgm-sso: Remove duplicate assignments for priv->mmap",
                            "    - usb: typec: Fix error pointer dereference",
                            "    - tty: hvc_iucv: fix off-by-one in number of supported devices",
                            "    - usb: typec: ps883x: Fix Oops at unbind",
                            "    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and",
                            "      cleanup",
                            "    - platform/x86: barco-p50-gpio: normalize return value of gpio_get",
                            "    - fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()",
                            "    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()",
                            "    - nfs/blocklayout: Fix compilation error (`make W=1`) in",
                            "      bl_write_pagelist()",
                            "    - sunrpc: Kill RPC_IFDEBUG()",
                            "    - sunrpc: Fix compilation error (`make W=1`) when dprintk() is no-op",
                            "    - NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg",
                            "    - nfsd: use dynamic allocation for oversized NFSv4.0 replay cache",
                            "    - RDMA/umem: Use consistent DMA attributes when unmapping entries",
                            "    - greybus: raw: fix use-after-free on cdev close",
                            "    - greybus: raw: fix use-after-free if write is called after disconnect",
                            "    - platform/x86: asus-wmi: adjust screenpad power/brightness handling",
                            "    - platform/x86: asus-wmi: fix screenpad brightness range",
                            "    - tty: serial: ip22zilog: Fix section mispatch warning",
                            "    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion",
                            "    - platform/x86: hp-wmi: fix ignored return values in fan settings",
                            "    - platform/x86: hp-wmi: avoid cancel_delayed_work_sync from work handler",
                            "    - platform/x86: hp-wmi: use mod_delayed_work to reset keep-alive timer",
                            "    - platform/x86: hp-wmi: fix u8 underflow in gpu_delta calculation",
                            "    - platform/x86: hp-wmi: add locking for concurrent hwmon access",
                            "    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()",
                            "    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation",
                            "    - RDMA/core: Prefer NLA_NUL_STRING",
                            "    - platform/x86: hp-wmi: fix fan table parsing",
                            "    - dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur",
                            "    - clk: qcom: gcc-glymur: Add video axi clock resets for glymur",
                            "    - clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: renesas: r9a09g057: Fix ordering of module clocks array",
                            "    - clk: renesas: r9a09g056: Fix ordering of module clocks array",
                            "    - clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock",
                            "    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()",
                            "    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX",
                            "    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from",
                            "      byte_div_clk_src dividers",
                            "    - clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-kaanapali: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-milos: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting",
                            "    - clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}",
                            "    - scsi: target: core: Fix integer overflow in UNMAP bounds check",
                            "    - scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item",
                            "    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Use retention for USB power domains",
                            "    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains",
                            "    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk",
                            "    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks",
                            "    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()",
                            "    - clk: imx: imx6q: Fix device node reference leak in",
                            "      of_assigned_ldb_sels()",
                            "    - clk: imx8mq: Correct the CSI PHY sels",
                            "    - um: Fix potential race condition in TLB sync",
                            "    - x86/um: fix vDSO installation",
                            "    - clk: qoriq: avoid format string warning",
                            "    - clk: xgene: Fix mapping leak in xgene_pllclk_init()",
                            "    - clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()",
                            "    - f2fs: avoid reading already updated pages during GC",
                            "    - printk_ringbuffer: Fix get_data() size sanity check",
                            "    - clk: qcom: gdsc: Fix error path on registration of multiple pm",
                            "      subdomains",
                            "    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()",
                            "    - f2fs: fix data loss caused by incorrect use of nat_entry flag",
                            "    - f2fs: fix to preserve previous reserve_{blocks,node} value when remount",
                            "    - scsi: hpsa: Enlarge controller and IRQ name buffers",
                            "    - drm/amd/display: Fix parameter mismatch in panel self-refresh helper",
                            "    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON",
                            "    - clk: visconti: pll: initialize clk_init_data to zero",
                            "    - f2fs: allow empty mount string for Opt_usr|grp|projjquota",
                            "    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()",
                            "    - drm/i915/wm: Verify the correct plane DDB entry",
                            "    - virt: arm-cca-guest: fix error check for RSI_INCOMPLETE",
                            "    - crypto: eip93 - fix hmac setkey algo selection",
                            "    - crypto: sa2ul - Fix AEAD fallback algorithm names",
                            "    - crypto: ccp - copy IV using skcipher ivsize",
                            "    - sh: Include <linux/io.h> in dac.h",
                            "    - erofs: unify lcn as u64 for 32-bit platforms",
                            "    - tools: hv: Fix cross-compilation",
                            "    - Drivers: hv: vmbus: fix hyperv_cpuhp_online variable shadowing",
                            "    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - PCMCIA: Fix garbled log messages for KERN_CONT",
                            "    - reset: amlogic: t7: Fix null reset ops",
                            "    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's",
                            "      phy-names",
                            "    - pwm: stm32: Fix rounding issue for requests with inverted polarity",
                            "    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in",
                            "      tcf_blockcast_redir",
                            "    - macvlan: fix macvlan_get_size() not reserving space for",
                            "      IFLA_MACVLAN_BC_CUTOFF",
                            "    - net/sched: sch_cake: fix NAT destination port not being updated in",
                            "      cake_update_flowkeys",
                            "    - nexthop: fix IPv6 route referencing IPv4 nexthop",
                            "    - net: airoha: Wait for NPU PPE configuration to complete in",
                            "      airoha_ppe_offload_setup()",
                            "    - net/sched: taprio: fix use-after-free in advance_sched() on schedule",
                            "      switch",
                            "    - net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops",
                            "    - net: enetc: correct the command BD ring consumer index",
                            "    - net: enetc: fix NTMP DMA use-after-free issue",
                            "    - ksmbd: fix use-after-free in smb2_open during durable reconnect",
                            "    - tcp: move tp->chrono_type next tp->chrono_stat[]",
                            "    - tcp: inline tcp_chrono_start()",
                            "    - tcp: annotate data-races in tcp_get_info_chrono_stats()",
                            "    - tcp: add data-race annotations around tp->data_segs_out and",
                            "      tp->total_retrans",
                            "    - tcp: add data-races annotations around tp->reordering, tp->snd_cwnd",
                            "    - tcp: annotate data-races around tp->snd_ssthresh",
                            "    - tcp: annotate data-races around tp->delivered and tp->delivered_ce",
                            "    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE",
                            "    - tcp: annotate data-races around tp->bytes_sent",
                            "    - tcp: annotate data-races around tp->bytes_retrans",
                            "    - tcp: annotate data-races around tp->dsack_dups",
                            "    - tcp: annotate data-races around tp->reord_seen",
                            "    - tcp: annotate data-races around tp->srtt_us",
                            "    - tcp: annotate data-races around tp->timeout_rehash",
                            "    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)",
                            "    - tcp: annotate data-races around tp->plb_rehash",
                            "    - ice: fix 'adjust' timer programming for E830 devices",
                            "    - ice: update PCS latency settings for E825 10G/25Gb modes",
                            "    - ice: fix double-free of tx_buf skb",
                            "    - ice: fix PHY config on media change with link-down-on-close",
                            "    - ice: fix ICE_AQ_LINK_SPEED_M for 200G",
                            "    - ice: fix race condition in TX timestamp ring cleanup",
                            "    - ice: fix potential NULL pointer deref in error path of",
                            "      ice_set_ringparam()",
                            "    - i40e: don't advertise IFF_SUPP_NOFCS",
                            "    - iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2",
                            "    - e1000e: Unroll PTP in probe error handling",
                            "    - ipv6: fix possible UAF in icmpv6_rcv()",
                            "    - af_unix: Drop all SCM attributes for SOCKMAP.",
                            "    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks",
                            "    - pppoe: drop PFC frames",
                            "    - net/mlx5: Fix HCA caps leak on notifier init failure",
                            "    - net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()",
                            "    - netfilter: nft_osf: restrict it to ipv4",
                            "    - netfilter: conntrack: remove sprintf usage",
                            "    - netfilter: xtables: restrict several matches to inet family",
                            "    - netfilter: nat: use kfree_rcu to release ops",
                            "    - ipvs: fix MTU check for GSO packets in tunnel mode",
                            "    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching",
                            "    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check",
                            "    - net/sched: sch_dualpi2: drain both C-queue and L-queue in",
                            "      dualpi2_change()",
                            "    - arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0",
                            "    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number",
                            "    - vfio/pci: Clean up DMABUFs before disabling function",
                            "    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic",
                            "    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()",
                            "    - ksmbd: destroy async_ida in ksmbd_conn_free()",
                            "    - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open",
                            "    - ksmbd: scope conn->binding slowpath to bound sessions only",
                            "    - net: validate skb->napi_id in RX tracepoints",
                            "    - bnge: fix initial HWRM sequence",
                            "    - bnge: remove unsupported backing store type",
                            "    - sctp: fix sockets_allocated imbalance after sk_clone()",
                            "    - net/rds: zero per-item info buffer before handing it to visitors",
                            "    - ice: fix timestamp interrupt configuration for E825C",
                            "    - ice: perform PHY soft reset for E825C ports at initialization",
                            "    - ice: fix ready bitmap check for non-E822 devices",
                            "    - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g",
                            "    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()",
                            "    - net/sched: sch_pie: annotate data-races in pie_dump_stats()",
                            "    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()",
                            "    - net/sched: sch_red: annotate data-races in red_dump_stats()",
                            "    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()",
                            "    - net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()",
                            "    - net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()",
                            "    - net: dsa: realtek: rtl8365mb: fix mode mask calculation",
                            "    - net: airoha: Move ndesc initialization at end of",
                            "      airoha_qdma_init_rx_queue()",
                            "    - net: airoha: Rework the code flow in airoha_remove() and in",
                            "      airoha_probe() error path",
                            "    - net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()",
                            "    - net: mana: Init link_change_work before potential error paths in probe",
                            "    - net: mana: Init gf_stats_work before potential error paths in probe",
                            "    - net: mana: Guard mana_remove against double invocation",
                            "    - net: mana: Don't overwrite port probe error with add_adev result",
                            "    - net: mana: Fix EQ leak in mana_remove on NULL port",
                            "    - vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting",
                            "    - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via",
                            "      VQ_PAIRS_SET",
                            "    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls",
                            "    - tcp: send a challenge ACK on SEG.ACK > SND.NXT",
                            "    - tipc: fix double-free in tipc_buf_append()",
                            "    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()",
                            "    - nstree: fix func. parameter kernel-doc warnings",
                            "    - eventpoll: use hlist_is_singular_node() in __ep_remove()",
                            "    - eventpoll: split __ep_remove()",
                            "    - eventpoll: kill __ep_remove()",
                            "    - eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()",
                            "    - eventpoll: move epi_fget() up",
                            "    - fs/adfs: validate nzones in adfs_validate_bblk()",
                            "    - rtc: abx80x: Disable alarm feature if no interrupt attached",
                            "    - kbuild: builddeb - avoid recompiles for non-cross-compiles",
                            "    - tools/power turbostat: Fix AMD RAPL regression on big systems",
                            "    - fbdev: offb: fix PCI device reference leak on probe failure",
                            "    - tools/power turbostat: Fix unrecognized option '-P'",
                            "    - tools/power turbostat: Fix --cpu-set 0 regression on HT systems",
                            "    - tools/power turbostat: Fix --cpu-set 1 regression on HT systems",
                            "    - kbuild: Never respect CONFIG_WERROR / W=e to fixdep",
                            "    - mailbox: mtk-vcp-mailbox: Fix the return value in mtk_vcp_mbox_xlate()",
                            "    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case",
                            "    - mailbox: mailbox-test: free channels on probe error",
                            "    - sched/psi: fix race between file release and pressure write",
                            "    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()",
                            "    - cgroup/cpuset: record DL BW alloc CPU for attach rollback",
                            "    - mailbox: add sanity check for channel array",
                            "    - mailbox: mailbox-test: handle channel errors consistently",
                            "    - mailbox: mailbox-test: don't free the reused channel",
                            "    - mailbox: mailbox-test: initialize struct earlier",
                            "    - mailbox: mailbox-test: make data_ready a per-instance variable",
                            "    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()",
                            "    - btrfs: fix bytes_may_use leak in move_existing_remap()",
                            "    - btrfs: fix bytes_may_use leak in do_remap_reloc_trans()",
                            "    - btrfs: don't clobber errors in add_remap_tree_entries()",
                            "    - btrfs: fix double-decrement of bytes_may_use in",
                            "      submit_one_async_extent()",
                            "    - tracing: branch: Fix inverted check on stat tracer registration",
                            "    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
                            "    - netfilter: nf_tables: use list_del_rcu for netlink hooks",
                            "    - rculist: add list_splice_rcu() for private lists",
                            "    - netfilter: nf_tables: join hook list via splice_list_rcu() in commit",
                            "      phase",
                            "    - netfilter: nf_tables: add hook transactions for device deletions",
                            "    - nvme-pci: fix missed admin queue sq doorbell write",
                            "    - drm/amdgpu: avoid double drm_exec_fini() in userq validate",
                            "    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM",
                            "    - drm/amd/pm: fix missing fine-grained dpm table flag on aldebaran",
                            "    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG",
                            "    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated",
                            "    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)",
                            "    - drm/amdgpu: Only send RMA CPER when threshold is exceeded",
                            "    - netfilter: xt_policy: fix strict mode inbound policy matching",
                            "    - netfilter: nf_conntrack_sip: don't use simple_strtoul",
                            "    - spi: rzv2h-rspi: Fix silent failure in clock setup error path",
                            "    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED",
                            "    - ASoC: SOF: Intel: add an empty adr_link",
                            "    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ",
                            "    - ASoC: tas2764: Mark die temp register as volatile",
                            "    - ASoC: tas2770: Fix order of operations for temperature calculation",
                            "    - drm/sysfb: ofdrm: fix PCI device reference leaks",
                            "    - drm/color-mgmt: Typo s/R332/RGB332/",
                            "    - arm64/scs: Fix potential sign extension issue of advance_loc4",
                            "    - spi: spi-mem: Add a packed command operation",
                            "    - mtd: spinand: Add support for packed read data ODTR commands",
                            "    - mtd: spinand: winbond: Set the packed page read flag to W35N02/04JW",
                            "    - mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW",
                            "    - ACPICA: Provide #defines for EINJV2 error types",
                            "    - ACPI: APEI: EINJ: Fix EINJV2 memory error injection",
                            "    - cdrom, scsi: sr: propagate read-only status to block layer via",
                            "      set_disk_ro()",
                            "    - spi: axiado: replace usleep_range() with udelay() in IRQ path",
                            "    - netdevsim: zero initialize struct iphdr in dummy sk_buff",
                            "    - net/sched: netem: fix probability gaps in 4-state loss model",
                            "    - net/sched: netem: fix queue limit check to include reordered packets",
                            "    - net/sched: netem: only reseed PRNG when seed is explicitly provided",
                            "    - net/sched: netem: validate slot configuration",
                            "    - net/sched: netem: fix slot delay calculation overflow",
                            "    - net/sched: netem: check for negative latency and jitter",
                            "    - net: airoha: fix BQL imbalance in TX path",
                            "    - net: airoha: stop net_device TX queue before updating CPU index",
                            "    - net: airoha: fix typo in function name",
                            "    - net: airoha: Do not wake all netdev TX queues in",
                            "      airoha_qdma_wake_netdev_txqs()",
                            "    - net: airoha: Do not read uninitialized fragment address in",
                            "      airoha_dev_xmit()",
                            "    - net/sched: sch_choke: annotate data-races in choke_dump_stats()",
                            "    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()",
                            "    - vrf: Fix a potential NPD when removing a port from a VRF",
                            "    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()",
                            "    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit",
                            "    - spi: amlogic-spisg: initialize completion before requesting IRQ",
                            "    - NFC: trf7970a: Ignore antenna noise when checking for RF field",
                            "    - net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind",
                            "    - neigh: let neigh_xmit take skb ownership",
                            "    - tcp: make probe0 timer handle expired user timeout",
                            "    - netpoll: fix IPv6 local-address corruption",
                            "    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams",
                            "    - sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue",
                            "    - sched/fair: Clear rel_deadline when initializing forked entities",
                            "    - net: mctp i2c: check length before marking flow active",
                            "    - md/raid1,raid10: don't fail devices for invalid IO errors",
                            "    - md: add fallback to correct bitmap_ops on version mismatch",
                            "    - md: factor bitmap creation away from sysfs handling",
                            "    - md/md-bitmap: split bitmap sysfs groups",
                            "    - md/md-bitmap: add a none backend for bitmap grow",
                            "    - s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()",
                            "    - net: phy: dp83869: fix setting CLK_O_SEL field.",
                            "    - drm/amd/display: properly handle family setting for early GC 11.5.4",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.3.0 ring",
                            "    - drm/amd/pm: Add fine grained flag to SMU v13.0.6",
                            "    - io_uring/napi: cap busy_poll_to 10 msec",
                            "    - ASoC: cs35l56: Fix illegal writes to OTP_MEM registers",
                            "    - net: psp: check for device unregister when creating assoc",
                            "    - net: psp: require admin permission for dev-set and key-rotate",
                            "    - ASoC: codecs: ab8500: Fix casting of private data",
                            "    - netfilter: skip recording stale or retransmitted INIT",
                            "    - sctp: discard stale INIT after handshake completion",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (I)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (II)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (IV)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)",
                            "    - netconsole: return count instead of strnlen(buf, count) from store",
                            "      callbacks",
                            "    - netconsole: avoid clobbering userdatum value on truncated write",
                            "    - netconsole: propagate device name truncation in dev_name_store()",
                            "    - netconsole: restore userdatum value on update_userdata() failure",
                            "    - ALSA: hda/conexant: Fix missing error check for jack detection",
                            "    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()",
                            "    - ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0",
                            "      pages >1",
                            "    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup",
                            "    - drm/amd/display: Allow embedded connectors without DDC",
                            "    - drm/amd/display: Allow DCE link encoder without AUX registers",
                            "    - drm/amd/display: Allow constructing DCE6 link encoder without DDC",
                            "    - drm/amd/display: Allow constructing DCE8 link encoder without DDC",
                            "    - drm/amd/display: Read EDID from VBIOS embedded panel info",
                            "    - drm/amd/display: Use EDID from VBIOS embedded panel info",
                            "    - drm/xe: Use XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET enum instead of magic",
                            "      number",
                            "    - drm/xe: Drop registration of guc_submit_wedged_fini from",
                            "      xe_guc_submit_wedge()",
                            "    - drm/xe/debugfs: Correct printing of register whitelist ranges",
                            "    - drm/xe: Fix potential NULL deref in",
                            "      xe_exec_queue_tlb_inval_last_fence_put_unlocked",
                            "    - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()",
                            "    - drm/xe/eustall: Fix drm_dev_put called before stream disable in close",
                            "    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()",
                            "    - drm/xe/xelp: Fix Wa_18022495364",
                            "    - net: airoha: Do not return err in ndo_stop() callback",
                            "    - bonding: print churn state via netlink",
                            "    - bonding: 3ad: implement proper RCU rules for port->aggregator",
                            "    - page_pool: fix memory-provider leak in page_pool_create_percpu() error",
                            "      path",
                            "    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING",
                            "    - iavf: stop removing VLAN filters from PF on interface down",
                            "    - iavf: wait for PF confirmation before removing VLAN filters",
                            "    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler",
                            "    - ice: fix NULL pointer dereference in ice_reset_all_vfs()",
                            "    - ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw",
                            "    - ice: fix missing SMA pin initialization in DPLL subsystem",
                            "    - ice: fix SMA and U.FL pin state changes affecting paired pin",
                            "    - ice: fix missing dpll notifications for SW pins",
                            "    - dpll: export __dpll_pin_change_ntf() for use under dpll_lock",
                            "    - ice: add dpll peer notification for paired SMA and U.FL pins",
                            "    - net: tls: fix strparser anchor skb leak on offload RX setup failure",
                            "    - sfc: fix error code in efx_devlink_info_running_versions()",
                            "    - net/sched: cls_flower: revert unintended changes",
                            "    - kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition",
                            "    - arm64: Reserve an extra page for early kernel mapping",
                            "    - futex: Drop CLONE_THREAD requirement for private default hash alloc",
                            "    - PCI: Initialize temporary device in new_id_store()",
                            "    - workqueue: fix devm_alloc_workqueue() va_list misuse",
                            "    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()",
                            "    - sched/fair: Fix wakeup_preempt_fair() for not waking up task",
                            "    - crypto: af_alg - Cap AEAD AD length to 0x80000000",
                            "    - i40e: Cleanup PTP pins on probe failure",
                            "    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path",
                            "    - net: ena: PHC: Fix potential use-after-free in get_timestamp",
                            "    - cgroup/cpuset: Reset DL migration state on can_attach() failure",
                            "    - netfilter: nf_conntrack_sip: get helper before allocating expectation",
                            "    - audit: fix incorrect inheritable capability in CAPSET records",
                            "    - net: ena: PHC: Check return code before setting timestamp output",
                            "    - cgroup/dmem: Return -ENOMEM on failed pool preallocation",
                            "    - idpf: fix double free and use-after-free in aux device error paths",
                            "    - cgroup/cpuset: Reserve DL bandwidth only for root-domain moves",
                            "    - Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to",
                            "      warn\"",
                            "    - netfilter: nft_ct: fix missing expect put in obj eval",
                            "    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled",
                            "    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV",
                            "    - cgroup/cpuset: Return only actually allocated CPUs during partition",
                            "      invalidation",
                            "    - KVM: x86: Swap the dst and src operand for MOVNTDQA",
                            "    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()",
                            "    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer",
                            "      arithmetic",
                            "    - KVM: x86: Fix Xen hypercall tracepoint argument assignment",
                            "    - HID: pass the buffer size to hid_report_raw_event",
                            "    - HID: core: introduce hid_safe_input_report()",
                            "    - rseq: Revert to historical performance killing behaviour",
                            "    - rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode",
                            "    - rseq: Reenable performance optimizations conditionally",
                            "    - HID: core: Fix size_t specifier in hid_report_raw_event()",
                            "    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands",
                            "    - media: staging: imx: configure src_mux in csi_start",
                            "    - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events",
                            "    - nvme-apple: Reset q->sq_tail during queue init",
                            "    - smb/client: fix possible infinite loop and oob read in symlink_data()",
                            "    - drm/loongson: Use managed KMS polling",
                            "    - drm: Replace old pointer to new idr",
                            "    - drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup",
                            "    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats",
                            "    - drm/amd/display: Wrap DCN32 phantom-plane allocation in",
                            "      DC_RUN_WITH_PREEMPTION_ENABLED",
                            "    - drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure",
                            "    - platform/x86: intel: Move debugfs register before creating devices",
                            "    - platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers",
                            "    - platform/x86: lenovo-wmi-helpers: Fix memory leak in",
                            "      lwmi_dev_evaluate_int()",
                            "    - platform/x86: lenovo-wmi-other: Balance IDA id allocation and free",
                            "    - platform/x86: lenovo-wmi-other: Balance component bind and unbind",
                            "    - platform/x86: lenovo-wmi-other: Zero initialize WMI arguments",
                            "    - platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members",
                            "    - platform/x86: lenovo-wmi-other: Add Attribute ID helper functions",
                            "    - platform/x86: lenovo-wmi-other: Limit adding attributes to supported",
                            "      devices",
                            "    - accel/rocket: Fix prep_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx",
                            "    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone",
                            "    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans",
                            "    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans",
                            "    - ALSA: usb-audio: qcom: Check offload mapping failures",
                            "    - btrfs: only release the dirty pages io tree after successful writes",
                            "    - ceph: fix a buffer leak in __ceph_setxattr()",
                            "    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size",
                            "    - ceph: put folios not suitable for writeback",
                            "    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
                            "    - iommu/amd: Bounds-check devid in __rlookup_amd_iommu()",
                            "    - x86/kexec: Push kjump return address even for non-kjump kexec",
                            "    - xfs: fix memory leak on error in xfs_alloc_zone_info()",
                            "    - virt: sev-guest: Do not use host-controlled page order in cleanup path",
                            "    - powerpc/warp: Fix error handling in pika_dtm_thread",
                            "    - netfs: fix error handling in netfs_extract_user_iter()",
                            "    - nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled",
                            "    - nfsd: fix file change detection in CB_GETATTR",
                            "    - nfsd: update mtime/ctime on CLONE in presense of delegated attributes",
                            "    - nfsd: update mtime/ctime on COPY in presence of delegated attributes",
                            "    - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining",
                            "    - irqchip/meson-gpio: Use the correct register in",
                            "      meson_s4_gpio_irq_set_type()",
                            "    - irqchip/gic-v5: Move LPI allocation into the LPI domain",
                            "    - irqchip/gic-v5: Support range allocation for LPIs",
                            "    - irqchip/gic-v5: Allocate ITS parent LPIs as a range",
                            "    - libceph: Fix potential out-of-bounds access in osdmap_decode()",
                            "    - libceph: Fix potential null-ptr-deref in decode_choose_args()",
                            "    - libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()",
                            "    - libceph: Fix potential out-of-bounds access in crush_decode()",
                            "    - libceph: handle rbtree insertion error in decode_choose_args()",
                            "    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX",
                            "    - iommu/vt-d: Fix oops due to out of scope access",
                            "    - iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
                            "    - iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()",
                            "    - iommu: Replace per-group resetting_domain with per-gdev blocked flag",
                            "    - iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset",
                            "    - iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix nested pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()",
                            "    - drm/i915: skip __i915_request_skip() for already signaled requests",
                            "    - drm/panfrost: Fix wait_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - drm/xe/dma-buf: handle empty bo and UAF races",
                            "    - drm/xe/dma-buf: fix UAF with retry loop",
                            "    - drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure",
                            "    - drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC",
                            "    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup",
                            "    - drm/gma500/oaktrail_lvds: fix hang on init failure",
                            "    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init",
                            "    - arm_mpam: Fix monitor instance selection when checking for hardware NRDY",
                            "    - arm_mpam: Pretend that NRDY is always hardware managed",
                            "    - arm_mpam: Improve check for whether or not NRDY is hardware managed",
                            "    - arm_mpam: Fix false positive assert failure during mpam_disable()",
                            "    - arm_mpam: Check whether the config array is allocated before destroying",
                            "      it",
                            "    - eventfs: Simplify code using guard()s",
                            "    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list",
                            "    - smb: client: Use FullSessionKey for AES-256 encryption key derivation",
                            "    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: sifive: fix controller deregistration",
                            "    - tracefs: Removed unused 'ret' variable in eventfs_iterate()",
                            "    - workqueue: Annotate alloc_workqueue_va() with __printf(1, 0)",
                            "    - selftests/bpf: Remove test_access_variable_array",
                            "    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()",
                            "    - Linux 7.0.10",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45846",
                            "    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45845",
                            "    - net/sched: taprio: fix NULL pointer dereference in class dump",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45844",
                            "    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-46242",
                            "    - eventpoll: fix ep_remove struct eventpoll / struct file UAF",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45843",
                            "    - slip: bound decode() reads against the compressed packet length",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45842",
                            "    - slip: reject VJ receive packets on instances with no rstate array",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45841",
                            "    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45840",
                            "    - openvswitch: cap upcall PID array size and pre-size vport replies",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45839",
                            "    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45838",
                            "    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006)",
                            "    - Linux 7.0.8",
                            "    - HID: pidff: Fix integer overflow in pidff_rescale",
                            "    - media: uvcvideo: Enable VB2_DMABUF for metadata stream",
                            "    - drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames",
                            "    - media: rzv2h-ivc: Avoid double job scheduling",
                            "    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0",
                            "    - media: rzv2h-ivc: Write AXIRX_PIXFMT once",
                            "    - media: rzv2h-ivc: Fix FM_STOP register write",
                            "    - media: rzv2h-ivc: Fix concurrent buffer list access",
                            "    - media: mali-c55: Initialize the ISP in enable_streams()",
                            "    - media: mali-c55: Fix Iridix bypass macros",
                            "    - media: renesas: vsp1: Fix NULL pointer deref on module unload",
                            "    - media: renesas: vin: Fix RAW8 (again)",
                            "    - media: i2c: ov8856: free control handler on error in",
                            "      ov8856_init_controls()",
                            "    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for",
                            "      RK35{76,88}",
                            "    - media: dt-bindings: rockchip,vdec: Mark reg-names required for",
                            "      RK35{76,88}",
                            "    - media: chips-media: wave5: fix a potential memory leak in",
                            "      wave5_vdi_init()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      send_eos_event()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      handle_dynamic_resolution_change()",
                            "    - arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label",
                            "      position",
                            "    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after",
                            "      system pages",
                            "    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages",
                            "    - spi: bcm63xx: fix controller deregistration",
                            "    - spi: atmel: fix controller deregistration",
                            "    - arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux",
                            "    - regulator: mt6357: fix OF node reference imbalance",
                            "    - spi: st-ssc4: fix controller deregistration",
                            "    - regulator: max77650: fix OF node reference imbalance",
                            "    - media: ti: vpe: Add missing v4l2_device_unregister in vip_remove()",
                            "    - media: rc: streamzap: Error handling in probe",
                            "    - media: i2c: imx283: Enter full standby when stopping streaming",
                            "    - regulator: bq257xx: fix OF node reference imbalance",
                            "    - regulator: rk808: fix OF node reference imbalance",
                            "    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
                            "    - media: mali-c55: Fully reset the ISP configuration",
                            "    - media: intel/ipu6: fix error pointer dereference",
                            "    - media: i2c: imx283: Fix hang when going from large to small resolution",
                            "    - regulator: act8945a: fix OF node reference imbalance",
                            "    - regulator: s2dos05: fix OF node reference imbalance",
                            "    - regulator: bd9571mwv: fix OF node reference imbalance",
                            "    - spi: lantiq-ssc: fix controller deregistration",
                            "    - spi: meson-spicc: fix controller deregistration",
                            "    - spi: qup: fix controller deregistration",
                            "    - arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO",
                            "    - spi: at91-usart: fix controller deregistration",
                            "    - media: ipu-bridge: Add upside-down sensor DMI quirk for Dell XPS 13 9340",
                            "      and XPS 14 9440",
                            "    - spi: amlogic-spisg: fix controller deregistration",
                            "    - spi: aspeed-smc: fix controller deregistration",
                            "    - drm/colorop: Preserve bypass value in duplicate_state()",
                            "    - drm/atomic: Add affected colorops with affected planes",
                            "    - platform/x86: hp-wmi: Ignore backlight and FnLock events",
                            "    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to",
                            "      copy",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for",
                            "      pinctrl/pinctrl_aon",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt",
                            "    - media: pci: zoran: fix potential memory leak in zoran_probe()",
                            "    - media: dib8000: avoid division by 0 in dib8000_set_dds()",
                            "    - media: i2c: imx412: Assert reset GPIO during probe",
                            "    - media: staging: imx: request mbus_config in csi_start",
                            "    - media: i2c: ov08d10: fix image vertical start setting",
                            "    - media: i2c: ov08d10: fix runtime PM handling in probe",
                            "    - media: omap3isp: drop the use count of v4l2 pipeline",
                            "    - media: iris: fix QCOM_MDT_LOADER dependency",
                            "    - media: qcom: camss: Fix csid clock configuration for sa8775p",
                            "    - media: qcom: camss: Fix csid IRQ offset for sa8775p",
                            "    - media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on",
                            "      SC7280",
                            "    - media: venus: fix QCOM_MDT_LOADER dependency",
                            "    - media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()",
                            "    - media: iris: switch to hardware mode after firmware boot",
                            "    - media: qcom: camss: Add missing clocks for VFE lite on sa8775p",
                            "    - spi: mxs: fix controller deregistration",
                            "    - spi: mt65xx: fix controller deregistration",
                            "    - spi: dln2: fix controller deregistration",
                            "    - spi: s3c64xx: fix controller deregistration",
                            "    - spi: fsl-espi: fix controller deregistration",
                            "    - spi: omap2-mcspi: fix controller deregistration",
                            "    - spi: pic32: fix controller deregistration",
                            "    - spi: ep93xx: fix controller deregistration",
                            "    - spi: mtk-nor: fix controller deregistration",
                            "    - spi: pl022: fix controller deregistration",
                            "    - spi: sh-hspi: fix controller deregistration",
                            "    - spi: bcmbca-hsspi: fix controller deregistration",
                            "    - spi: coldfire-qspi: fix controller deregistration",
                            "    - spi: npcm-pspi: fix controller deregistration",
                            "    - spi: cavium-thunderx: fix controller deregistration",
                            "    - spi: pic32-sqi: fix controller deregistration",
                            "    - spi: sprd: fix controller deregistration",
                            "    - spi: sh-msiof: fix controller deregistration",
                            "    - spi: slave-mt27xx: fix controller deregistration",
                            "    - spi: img-spfi: fix controller deregistration",
                            "    - spi: mpfs: fix controller deregistration",
                            "    - spi: octeon: fix controller deregistration",
                            "    - spi: imx: fix runtime pm leak on probe deferral",
                            "    - spi: mxic: fix controller deregistration",
                            "    - spi: orion: fix controller deregistration",
                            "    - spi: orion: fix runtime pm leak on unbind",
                            "    - spi: orion: fix clock imbalance on registration failure",
                            "    - spi: cadence: fix controller deregistration",
                            "    - spi: cadence-quadspi: fix controller deregistration",
                            "    - spi: cadence: fix unclocked access on unbind",
                            "    - spi: cadence: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm disable imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm and clock imbalance on unbind",
                            "    - drm/colorop: Fix blob property reference tracking in state lifecycle",
                            "    - drm/imx: parallel-display: Prefer bus format set via legacy \"interface-",
                            "      pix-fmt\" DT property",
                            "    - drm/msm: always recover the gpu",
                            "    - drm/v3d: Reject empty multisync extension to prevent infinite loop",
                            "    - drm/i915/psr: Init variable to avoid early exit from et alignment loop",
                            "    - drm/amd/display: fix math_mod() using arg1 instead of arg2",
                            "    - drm/amd: Add missing firmware declaration for PSP v15.0.0",
                            "    - drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0",
                            "      .",
                            "    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.",
                            "    - drm/amdgpu: gate VM CPU HDP flush on reset lock",
                            "    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x",
                            "    - drm/amdkfd: Add upper bound check for num_of_nodes",
                            "    - drm/amdgpu/vce: Prevent partial address patches",
                            "    - drm/amd/display: Change dither policy for 10 bpc output back to",
                            "      dithering",
                            "    - drm/appletbdrm: Use kvzalloc for big allocations",
                            "    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11 and",
                            "      higher.",
                            "    - drm/udl: Increase GET_URB_TIMEOUT",
                            "    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()",
                            "    - drm/xe/bo: Fix bo leak on unaligned size validation in",
                            "      xe_bo_init_locked()",
                            "    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
                            "    - drm/radeon: add missing revision check for CI",
                            "    - drm/amdgpu: zero-initialize GART table on allocation",
                            "    - drm/exynos: remove bridge when component_add fails",
                            "    - drm/amdgpu/userq: fix access to stale wptr mapping",
                            "    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ",
                            "    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer",
                            "    - drm/sti: remove bridge when sti_hda component_add fails",
                            "    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdkfd: Make all TLB-flushes heavy-weight",
                            "    - drm/amdgpu/pm: add missing revision check for CI",
                            "    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon",
                            "    - arm64: dts: qcom: kodiak: Fix PCIe1 PHY ref clock voting",
                            "    - arm64: dts: qcom: lemans: Correct QUP interrupt numbers",
                            "    - arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22",
                            "    - arm64: dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO",
                            "    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure",
                            "    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation",
                            "    - usb: typec: tcpm: reset internal port states on soft reset AMS",
                            "    - io_uring/zcrx: use guards for locking",
                            "    - io_uring/zcrx: warn on freelist violations",
                            "    - kho: fix error handling in kho_add_subtree()",
                            "    - EDAC/versalnet: Refactor memory controller initialization and cleanup",
                            "    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: uniphier: fix controller deregistration",
                            "    - cgroup: Increment nr_dying_subsys_* from rmdir context",
                            "    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()",
                            "    - perf build: fix \"argument list too long\" in second location",
                            "    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from mmap()",
                            "    - vsock/virtio: fix length and offset in tap skb for split packets",
                            "    - drm/amdgpu/vcn3: Avoid overflow on msg bound check",
                            "    - drm/amdgpu/vcn4: Avoid overflow on msg bound check",
                            "    - Linux 7.0.9",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46214",
                            "    - vsock/virtio: fix accept queue count leak on transport mismatch",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46207",
                            "    - vsock/virtio: fix empty payload in tap skb for non-linear buffers",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46234",
                            "    - vsock: fix buffer size clamping order",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46223",
                            "    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46221",
                            "    - EDAC/versalnet: Fix device name memory leak",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46231",
                            "    - batman-adv: bla: put backbone reference on failed claim hash insert",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46233",
                            "    - batman-adv: bla: only purge non-released claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46212",
                            "    - batman-adv: bla: prevent use-after-free when deleting claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46238",
                            "    - batman-adv: stop caching unowned originator pointers in BAT IV",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46208",
                            "    - batman-adv: stop tp_meter sessions during mesh teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46206",
                            "    - batman-adv: reject new tp_meter sessions during teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46198",
                            "    - batman-adv: fix integer overflow on buff_pos",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46227",
                            "    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in",
                            "      SCTP_SENDALL",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46220",
                            "    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46215",
                            "    - drm: Set old handle to NULL before prime swap in change_handle",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46201",
                            "    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46224",
                            "    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46197",
                            "    - drm/amdkfd: validate SVM ioctl nattr against buffer size",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46209",
                            "    - drm/gem: Fix inconsistent plane dimension calculation in",
                            "      drm_gem_fb_init_with_funcs()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46230",
                            "    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46199",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46204",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46218",
                            "    - drm/amdgpu: Add bounds checking to ib_{get,set}_value",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46229",
                            "    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46211",
                            "    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46203",
                            "    - spi: cadence-quadspi: fix unclocked access on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46219",
                            "    - spi: mpc52xx: fix use-after-free on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46200",
                            "    - spi: mpc52xx: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46241",
                            "    - spi: mpc52xx: fix use-after-free on registration failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46225",
                            "    - spi: rspi: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46226",
                            "    - spi: fsl: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46228",
                            "    - spi: ch341: fix devres lifetime",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46216",
                            "    - drm/xe/hdcp: Add NULL check for media_gt in",
                            "      intel_hdcp_gsc_check_status()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46210",
                            "    - media: iris: fix use-after-free of fmt_src during MBPF check",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46240",
                            "    - media: iris: Fix use-after-free in iris_release_internal_buffers()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46235",
                            "    - media: saa7164: add ioremap return checks and cleanups",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46222",
                            "    - media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46239",
                            "    - media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46236",
                            "    - media: rc: xbox_remote: heed DMA restrictions",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46205",
                            "    - staging: media: atomisp: Disallow all private IOCTLs",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46202",
                            "    - HID: appletb-kbd: run inactivity autodim from workqueues",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46213",
                            "    - HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46232",
                            "    - HID: playstation: Clamp num_touch_reports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988)",
                            "    - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states",
                            "    - ACPI: scan: Use acpi_dev_put() in object add error paths",
                            "    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO",
                            "    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug",
                            "    - ACPI: video: force native backlight on HP OMEN 16 (8A44)",
                            "    - iommufd: Fix a race with concurrent allocation and unmap",
                            "    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command",
                            "    - spi: rockchip: fix controller deregistration",
                            "    - ksmbd: rewrite stop_sessions() with restartable iteration",
                            "    - flow_dissector: do not dissect PPPoE PFC frames",
                            "    - smb: client/smbdirect: fix MR registration for coalesced SG lists",
                            "    - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr",
                            "    - wifi: mt76: mt7925: fix incorrect length field in txpower command",
                            "    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work",
                            "    - wifi: ath5k: do not access array OOB",
                            "    - ALSA: usb-audio: midi2: Restart output URBs on resume",
                            "    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check",
                            "    - usb: dwc3: Move GUID programming after PHY initialization",
                            "    - USB: omap_udc: DMA: Don't enable burst 4 mode",
                            "    - USB: serial: option: add Telit Cinterion LE910Cx compositions",
                            "    - usb: typec: tcpm: fix debug accessory mode detection for sink ports",
                            "    - ALSA: hda: cs35l56: Propagate ASP TX source control errors",
                            "    - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi",
                            "      Laptop Pro 15",
                            "    - ALSA: firewire-tascam: Do not drop unread control events",
                            "    - ALSA: core: Serialize deferred fasync state checks",
                            "    - ALSA: seq: Fix UMP group 16 filtering",
                            "    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o",
                            "    - x86/efi: Restore IRQ state in EFI page fault handler",
                            "    - xfrm: provide message size for XFRM_MSG_MAPPING",
                            "    - selinux: fix avdcache auditing",
                            "    - selinux: don't reserve xattr slot when we won't fill it",
                            "    - selinux: shrink critical section in sel_write_load()",
                            "    - selinux: prune /sys/fs/selinux/checkreqprot",
                            "    - selinux: prune /sys/fs/selinux/disable",
                            "    - selinux: prune /sys/fs/selinux/user",
                            "    - selinux: allow multiple opens of /sys/fs/selinux/policy",
                            "    - io_uring/kbuf: support min length left for incremental buffers",
                            "    - io_uring/tw: serialize ctx->retry_llist with ->uring_lock",
                            "    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()",
                            "    - rust: drm: gem: clean up GEM state in init failure case",
                            "    - rust: allow `clippy::collapsible_match` globally",
                            "    - rust: allow `clippy::collapsible_if` globally",
                            "    - rust: pin-init: internal: move alignment check to `make_field_check`",
                            "    - spi: syncuacer: fix controller deregistration",
                            "    - spi: sun4i: fix controller deregistration",
                            "    - spi: zynq-qspi: fix controller deregistration",
                            "    - spi: ti-qspi: fix controller deregistration",
                            "    - spi: sun6i: fix controller deregistration",
                            "    - spi: tegra114: fix controller deregistration",
                            "    - spi: zynqmp-gqspi: fix controller deregistration",
                            "    - spi: tegra20-sflash: fix controller deregistration",
                            "    - spi: s3c64xx: fix NULL-deref on driver unbind",
                            "    - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in",
                            "      rtw_cbuf_alloc",
                            "    - staging: vme_user: fix root device leak on init failure",
                            "    - KVM: arm64: Fix kvm_vcpu_initialized() macro parameter",
                            "    - arm64: signal: Preserve POR_EL0 if poe_context is missing",
                            "    - mm/hugetlb_cma: round up per_node before logging it",
                            "    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT",
                            "    - LoongArch: KVM: Compile switch.S directly into the kernel",
                            "    - mptcp: pm: ADD_ADDR rtx: skip inactive subflows",
                            "    - perf/x86/intel: Improve validation and configuration of ACR masks",
                            "    - selftests/rseq: Don't run tests with runner scripts outside of the",
                            "      scripts",
                            "    - rseq: Set rseq::cpu_id_start to 0 on unregistration",
                            "    - rseq: Protect rseq_reset() against interrupts",
                            "    - rseq: Don't advertise time slice extensions if disabled",
                            "    - selftests/rseq: Make registration flexible for legacy and optimized mode",
                            "    - selftests/rseq: Skip tests if time slice extensions are not available",
                            "    - selftests/rseq: Validate legacy behavior",
                            "    - selftests/rseq: Expand for optimized RSEQ ABI v2",
                            "    - pseries/papr-hvpipe: Fix race with interrupt handler",
                            "    - pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()",
                            "    - pseries/papr-hvpipe: Fix the usage of copy_to_user()",
                            "    - net: libwx: use request_irq for VF misc interrupt",
                            "    - netpoll: pass buffer size to egress_dev() to avoid MAC truncation",
                            "    - ovl: fix verity lazy-load guard broken by fsverity_active() semantic",
                            "      change",
                            "    - parisc: Fix IRQ leak in LASI driver",
                            "    - x86/efi: Fix graceful fault handling after FPU softirq changes",
                            "    - hwmon: (ltc2992) Clamp threshold writes to hardware range",
                            "    - hwmon: (ltc2992) Fix u32 overflow in power read path",
                            "    - clk: rk808: fix OF node reference imbalance",
                            "    - hwmon: (corsair-psu) Close HID device on probe errors",
                            "    - af_unix: Reject SIOCATMARK on non-stream sockets",
                            "    - arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's",
                            "    - pmdomain: mediatek: fix use-after-free in",
                            "      scpsys_get_bus_protection_legacy()",
                            "    - block: fix zone write plug removal",
                            "    - block: only read from sqe on initial invocation of blkdev_uring_cmd()",
                            "    - cifs: abort open_cached_dir if we don't request leases",
                            "    - cifs: change_conf needs to be called for session setup",
                            "    - extcon: ptn5150: handle pending IRQ events during system resume",
                            "    - gpio: of: clear OF_POPULATED on hog nodes in remove path",
                            "    - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS",
                            "    - hv_sock: fix ARM64 support",
                            "    - hv_sock: Report EOF instead of -EIO for FIN",
                            "    - hv_sock: Return -EIO for malformed/short packets",
                            "    - spi: microchip-core-qspi: fix controller deregistration",
                            "    - spi: microchip-core-spi: fix controller deregistration",
                            "    - tracefs: Fix default permissions not being applied on initial mount",
                            "    - udf: reject descriptors with oversized CRC length",
                            "    - x86/boot/e820: Re-enable BIOS fallback if e820 table is empty",
                            "    - thermal: core: Free thermal zone ID later during removal",
                            "    - thermal/drivers/sprd: Fix temperature clamping in",
                            "      sprd_thm_temp_to_rawdata",
                            "    - thermal/drivers/sprd: Fix raw temperature clamping in",
                            "      sprd_thm_rawdata_to_temp",
                            "    - spi: topcliff-pch: fix controller deregistration",
                            "    - spi: topcliff-pch: fix use-after-free on unbind",
                            "    - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section",
                            "    - tracing/fprobe: Remove fprobe from hash in failure path",
                            "    - tracing/fprobe: Unregister fprobe even if memory allocation fails",
                            "    - tracing/probes: Limit size of event probe to 3K",
                            "    - tracing/fprobe: Check the same type fprobe on table as the unregistered",
                            "      one",
                            "    - clk: imx: imx8-acm: fix flags for acm clocks",
                            "    - clk: microchip: mpfs-ccc: fix out of bounds access during output",
                            "      registration",
                            "    - cpuidle: powerpc: avoid double clear when breaking snooze",
                            "    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk",
                            "      table",
                            "    - ASoC: ES8389: convert to devm_clk_get_optional() to get clock",
                            "    - ASoC: fsl_easrc: fix comment typo",
                            "    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error",
                            "    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop",
                            "    - ASoC: qcom: q6apm: remove child devices when apm is removed",
                            "    - btrfs: do not mark inode incompressible after inline attempt fails",
                            "    - dm: don't report warning when doing deferred remove",
                            "    - dm: fix a buffer overflow in ioctl processing",
                            "    - dm-verity-fec: correctly reject too-small FEC devices",
                            "    - dm-verity-fec: correctly reject too-small hash devices",
                            "    - dm-verity-fec: fix corrected block count stat",
                            "    - dm-verity-fec: fix the size of dm_verity_fec_io::erasures",
                            "    - isofs: validate Rock Ridge CE continuation extent against volume size",
                            "    - iommufd: Fix return value of iommufd_fault_fops_write()",
                            "    - iommu/vt-d: Block PASID attachment to nested domain with dirty tracking",
                            "    - iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update",
                            "    - lib/crc: tests: Make crc_kunit test only the enabled CRC variants",
                            "    - lib/scatterlist: fix temp buffer in extract_user_to_sg()",
                            "    - nvme-apple: drop invalid put of admin queue reference count",
                            "    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
                            "    - pmdomain: core: Fix detach procedure for virtual devices in genpd",
                            "    - psp: strip variable-length PSP header in psp_dev_rcv()",
                            "    - s390/debug: Reject zero-length input in debug_input_flush_fn()",
                            "    - s390/debug: Reject zero-length input before trimming a newline",
                            "    - KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty",
                            "    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/stat: detect and use fresh enabled value",
                            "    - PCI: Update saved_config_space upon resource assignment",
                            "    - PCI/AER: Clear only error bits in PCIe Device Status",
                            "    - PCI/AER: Stop ruling out unbound devices as error source",
                            "    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage",
                            "    - power: supply: max17042: avoid overflow when determining health",
                            "    - perf/x86/intel: Always reprogram ACR events to prevent stale masks",
                            "    - perf/x86/intel: Disable PMI for self-reloaded ACR events",
                            "    - perf/x86/intel: Enable auto counter reload for DMR",
                            "    - RDMA/ionic: bound node_desc sysfs read with %.64s",
                            "    - RDMA/ionic: Fix typo in format string",
                            "    - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()",
                            "    - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()",
                            "    - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask",
                            "    - sched_ext: Use dsq->first_task instead of list_empty() in",
                            "      dispatch_enqueue() FIFO-tail",
                            "    - selftests: mptcp: check output: catch cmd errors",
                            "    - selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl",
                            "    - mptcp: fastclose msk when linger time is 0",
                            "    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure",
                            "    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure",
                            "    - mptcp: sockopt: set timestamp flags on subflow socket, not msk",
                            "    - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf",
                            "    - mptcp: fix rx timestamp corruption on fastopen",
                            "    - mptcp: pm: prio: skip closed subflows",
                            "    - mptcp: pm: kernel: reset fullmesh counter after flush",
                            "    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker",
                            "    - mptcp: pm: ADD_ADDR rtx: return early if no retrans",
                            "    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()",
                            "    - f2fs: fix false alarm of lockdep on cp_global_sem lock",
                            "    - f2fs: fix fiemap boundary handling when read extent cache is incomplete",
                            "    - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage",
                            "    - f2fs: fix incorrect file address mapping when inline inode is unwritten",
                            "    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()",
                            "    - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()",
                            "    - f2fs: refactor f2fs_move_node_folio function",
                            "    - f2fs: fix inline data not being written to disk in writeback path",
                            "    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace",
                            "    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value",
                            "    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()",
                            "    - KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer",
                            "    - KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer",
                            "    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS",
                            "    - LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry",
                            "    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by",
                            "      software",
                            "    - LoongArch: KVM: Move unconditional delay into timer clear scenery",
                            "    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()",
                            "    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup",
                            "    - mmc: core: Adjust MDT beyond 2025",
                            "    - mmc: core: Add quirk for incorrect manufacturing date",
                            "    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs",
                            "    - crypto: qat - fix indentation of macros in qat_hal.c",
                            "    - crypto: qat - fix firmware loading failure for GEN6 devices",
                            "    - hfsplus: fix held lock freed on hfsplus_fill_super()",
                            "    - 8021q: use RCU for egress QoS mappings",
                            "    - printk: add print_hex_dump_devel()",
                            "    - crypto: caam - guard HMAC key hex dumps in hash_digest_key",
                            "    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()",
                            "    - rust: pin-init: fix incorrect accessor reference lifetime",
                            "    - Linux 7.0.7",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43490",
                            "    - ksmbd: validate inherited ACE SID length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46174",
                            "    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op",
                            "      cache",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46110",
                            "    - net: stmmac: Prevent NULL deref when RX memory exhausted",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46153",
                            "    - 8021q: delete cleared egress QoS mappings",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46169",
                            "    - hfsplus: fix uninit-value by validating catalog record size",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46188",
                            "    - octeon_ep_vf: add NULL check for napi_build_skb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45837",
                            "    - bpf: Fix use-after-free in arena_vm_close on fork",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46156",
                            "    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46147",
                            "    - KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46175",
                            "    - f2fs: fix fsck inconsistency caused by FGGC of node block",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46194",
                            "    - f2fs: fix node_cnt race between extent node destroy and writeback",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46170",
                            "    - mptcp: pm: ADD_ADDR rtx: free sk if last",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46158",
                            "    - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46168",
                            "    - mptcp: fix scheduling with atomic in timestamp sockopt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46189",
                            "    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46133",
                            "    - RDMA/rxe: Reject unknown opcodes before ICRC processing",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46114",
                            "    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46127",
                            "    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46176",
                            "    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46178",
                            "    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46181",
                            "    - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46145",
                            "    - RDMA/mana: Validate rx_hash_key_len",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46117",
                            "    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46126",
                            "    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46144",
                            "    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46141",
                            "    - powerpc/xive: fix kmemleak caused by incorrect chip_data lookup",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46183",
                            "    - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46121",
                            "    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46131",
                            "    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46139",
                            "    - smb: client: use kzalloc to zero-initialize security descriptor buffer",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46105",
                            "    - scsi: mpt3sas: Limit NVMe request size to 2 MiB",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46171",
                            "    - riscv: kvm: fix vector context allocation leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46112",
                            "    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46165",
                            "    - openvswitch: vport: fix self-deadlock on release of tunnel ports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46161",
                            "    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43492",
                            "    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46124",
                            "    - isofs: validate block number from NFS file handle in isofs_export_iget",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46130",
                            "    - dm-verity-fec: fix reading parity bytes split across blocks (take 3)",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46106",
                            "    - eventfs: Hold eventfs_mutex and SRCU when remount walks events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46107",
                            "    - dm-thin: fix metadata refcount underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46160",
                            "    - btrfs: fix missing last_unlink_trans update when removing a directory",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46164",
                            "    - btrfs: fix double free in create_space_info_sub_group() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46129",
                            "    - btrfs: fix double free in create_space_info() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46159",
                            "    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to",
                            "      info-leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46143",
                            "    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46148",
                            "    - spi: microchip-core-qspi: control built-in cs manually",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46192",
                            "    - spi: microchip-core-qspi: don't attempt to transmit during emulated",
                            "      read-only dual/quad operations",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46162",
                            "    - ice: fix double free in ice_sf_eth_activate() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46273",
                            "    - ibmveth: Disable GSO for packets with small MSS",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46191",
                            "    - fbcon: Avoid OOB font access if console rotation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46134",
                            "    - platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43495",
                            "    - net: wwan: t7xx: validate port_count against message length in",
                            "      t7xx_port_enum_msg_handler",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43502",
                            "    - net/rds: handle zerocopy send cleanup before the message is queued",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46120",
                            "    - ip6_gre: Use cached t->net in ip6erspan_changelink().",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46142",
                            "    - net: libwx: fix VF illegal register access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46118",
                            "    - pseries/papr-hvpipe: Fix null ptr deref in",
                            "      papr_hvpipe_dev_create_handle()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46182",
                            "    - pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46184",
                            "    - sound: ua101: fix division by zero at probe",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43498",
                            "    - accel/ivpu: Disallow re-exporting imported GEM objects",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46132",
                            "    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in",
                            "      rtnl_fill_vfinfo",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46190",
                            "    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46150",
                            "    - fanotify: fix false positive on permission events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45836",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45834",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45835",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46138",
                            "    - Bluetooth: hci_event: Fix OOB read and infinite loop in",
                            "      hci_le_create_big_complete_evt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46111",
                            "    - Bluetooth: hci_conn: fix potential UAF in create_big_sync",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46140",
                            "    - Bluetooth: btmtk: validate WMT event SKB length before struct access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46186",
                            "    - Bluetooth: virtio_bt: validate rx pkt_type header length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46123",
                            "    - Bluetooth: virtio_bt: clamp rx length before skb_put",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46104",
                            "    - selinux: use sk blob accessor in socket permission helpers",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46193",
                            "    - xfrm: ah: account for ESN high bits in async callbacks",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46172",
                            "    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46116",
                            "    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46154",
                            "    - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46157",
                            "    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46109",
                            "    - usb: ulpi: fix memory leak on ulpi_register() error paths",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46146",
                            "    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46167",
                            "    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46151",
                            "    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46180",
                            "    - wifi: brcmfmac: Fix potential use-after-free issue when stopping",
                            "      watchdog task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46122",
                            "    - wifi: b43: enforce bounds check on firmware key index in b43_rx()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46125",
                            "    - wifi: mac80211: remove station if connection prep fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46166",
                            "    - wifi: mac80211: use safe list iteration in radar detect work",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46187",
                            "    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46152",
                            "    - wifi: mac80211: drop stray 'static' from fast-RX rx_result",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46163",
                            "    - wifi: b43legacy: enforce bounds check on firmware key index in RX path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46136",
                            "    - wifi: mt76: mt7921: fix a potential clc buffer length underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46173",
                            "    - exit: prevent preemption of oopsing TASK_DEAD task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43496",
                            "    - net/sched: sch_red: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46113",
                            "    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46179",
                            "    - ASoC: SOF: Don't allow pointer operations on unconfigured streams",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46196",
                            "    - tracepoint: balance regfunc() on func_add() failure in",
                            "      tracepoint_add_func()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43497",
                            "    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46108",
                            "    - ipmi:si: Return state to normal if message allocation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46128",
                            "    - ipmi: Check event message buffer response for bad data",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46177",
                            "    - ipmi: Add limits to event and receive message requests",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46149",
                            "    - scsi: target: configfs: Bound snprintf() return in",
                            "      tg_pt_gp_members_show()",
                            "",
                            "  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,",
                            "    conflicting with nouveau (LP: #2150845)",
                            "    - [Config] Disable NOVA_CORE",
                            "",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "",
                            "  * CVE-2026-46137",
                            "    - mptcp: pm: ADD_ADDR rtx: allow ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: fix potential data-race",
                            "",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "",
                            "  * CVE-2026-46155",
                            "    - smb/client: fix out-of-bounds read in smb2_compound_op()",
                            "",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157520,
                            2154418,
                            2155837,
                            2154174,
                            2154748,
                            2156559,
                            2156556,
                            2150640,
                            2156312,
                            2155096,
                            2154715,
                            2153159,
                            2150071,
                            2154343,
                            2149770,
                            2153155,
                            2152570,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156390,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2150845
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 02:37:29 +0300"
                    }
                ],
                "notes": "linux-modules-7.0.0-28-generic version '7.0.0-28.28' (source package linux version '7.0.0-28.28') was added. linux-modules-7.0.0-28-generic version '7.0.0-28.28' has the same source package name, linux, as removed package linux-headers-7.0.0-27. As such we can use the source package version of the removed package, '7.0.0-27.27', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-28",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46318",
                        "url": "https://ubuntu.com/security/CVE-2026-46318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46322",
                        "url": "https://ubuntu.com/security/CVE-2026-46322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46320",
                        "url": "https://ubuntu.com/security/CVE-2026-46320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46321",
                        "url": "https://ubuntu.com/security/CVE-2026-46321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46316",
                        "url": "https://ubuntu.com/security/CVE-2026-46316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46317",
                        "url": "https://ubuntu.com/security/CVE-2026-46317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45846",
                        "url": "https://ubuntu.com/security/CVE-2026-45846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45845",
                        "url": "https://ubuntu.com/security/CVE-2026-45845",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45844",
                        "url": "https://ubuntu.com/security/CVE-2026-45844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46242",
                        "url": "https://ubuntu.com/security/CVE-2026-46242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-30 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45843",
                        "url": "https://ubuntu.com/security/CVE-2026-45843",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45842",
                        "url": "https://ubuntu.com/security/CVE-2026-45842",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45841",
                        "url": "https://ubuntu.com/security/CVE-2026-45841",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45840",
                        "url": "https://ubuntu.com/security/CVE-2026-45840",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45839",
                        "url": "https://ubuntu.com/security/CVE-2026-45839",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45838",
                        "url": "https://ubuntu.com/security/CVE-2026-45838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46214",
                        "url": "https://ubuntu.com/security/CVE-2026-46214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46207",
                        "url": "https://ubuntu.com/security/CVE-2026-46207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46234",
                        "url": "https://ubuntu.com/security/CVE-2026-46234",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46223",
                        "url": "https://ubuntu.com/security/CVE-2026-46223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46221",
                        "url": "https://ubuntu.com/security/CVE-2026-46221",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46231",
                        "url": "https://ubuntu.com/security/CVE-2026-46231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46233",
                        "url": "https://ubuntu.com/security/CVE-2026-46233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46212",
                        "url": "https://ubuntu.com/security/CVE-2026-46212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46238",
                        "url": "https://ubuntu.com/security/CVE-2026-46238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46208",
                        "url": "https://ubuntu.com/security/CVE-2026-46208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46206",
                        "url": "https://ubuntu.com/security/CVE-2026-46206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46198",
                        "url": "https://ubuntu.com/security/CVE-2026-46198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46227",
                        "url": "https://ubuntu.com/security/CVE-2026-46227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46220",
                        "url": "https://ubuntu.com/security/CVE-2026-46220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46215",
                        "url": "https://ubuntu.com/security/CVE-2026-46215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46201",
                        "url": "https://ubuntu.com/security/CVE-2026-46201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46224",
                        "url": "https://ubuntu.com/security/CVE-2026-46224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46197",
                        "url": "https://ubuntu.com/security/CVE-2026-46197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46209",
                        "url": "https://ubuntu.com/security/CVE-2026-46209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46230",
                        "url": "https://ubuntu.com/security/CVE-2026-46230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46199",
                        "url": "https://ubuntu.com/security/CVE-2026-46199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46204",
                        "url": "https://ubuntu.com/security/CVE-2026-46204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46218",
                        "url": "https://ubuntu.com/security/CVE-2026-46218",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46229",
                        "url": "https://ubuntu.com/security/CVE-2026-46229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46211",
                        "url": "https://ubuntu.com/security/CVE-2026-46211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46203",
                        "url": "https://ubuntu.com/security/CVE-2026-46203",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46219",
                        "url": "https://ubuntu.com/security/CVE-2026-46219",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46200",
                        "url": "https://ubuntu.com/security/CVE-2026-46200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46241",
                        "url": "https://ubuntu.com/security/CVE-2026-46241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46225",
                        "url": "https://ubuntu.com/security/CVE-2026-46225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46226",
                        "url": "https://ubuntu.com/security/CVE-2026-46226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46228",
                        "url": "https://ubuntu.com/security/CVE-2026-46228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46216",
                        "url": "https://ubuntu.com/security/CVE-2026-46216",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46210",
                        "url": "https://ubuntu.com/security/CVE-2026-46210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46240",
                        "url": "https://ubuntu.com/security/CVE-2026-46240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46235",
                        "url": "https://ubuntu.com/security/CVE-2026-46235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46222",
                        "url": "https://ubuntu.com/security/CVE-2026-46222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46239",
                        "url": "https://ubuntu.com/security/CVE-2026-46239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46236",
                        "url": "https://ubuntu.com/security/CVE-2026-46236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46205",
                        "url": "https://ubuntu.com/security/CVE-2026-46205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46202",
                        "url": "https://ubuntu.com/security/CVE-2026-46202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46213",
                        "url": "https://ubuntu.com/security/CVE-2026-46213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46232",
                        "url": "https://ubuntu.com/security/CVE-2026-46232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43490",
                        "url": "https://ubuntu.com/security/CVE-2026-43490",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 06:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46174",
                        "url": "https://ubuntu.com/security/CVE-2026-46174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46110",
                        "url": "https://ubuntu.com/security/CVE-2026-46110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46153",
                        "url": "https://ubuntu.com/security/CVE-2026-46153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46169",
                        "url": "https://ubuntu.com/security/CVE-2026-46169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46188",
                        "url": "https://ubuntu.com/security/CVE-2026-46188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45837",
                        "url": "https://ubuntu.com/security/CVE-2026-45837",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46156",
                        "url": "https://ubuntu.com/security/CVE-2026-46156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46147",
                        "url": "https://ubuntu.com/security/CVE-2026-46147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46175",
                        "url": "https://ubuntu.com/security/CVE-2026-46175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46194",
                        "url": "https://ubuntu.com/security/CVE-2026-46194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46170",
                        "url": "https://ubuntu.com/security/CVE-2026-46170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46158",
                        "url": "https://ubuntu.com/security/CVE-2026-46158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46168",
                        "url": "https://ubuntu.com/security/CVE-2026-46168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46189",
                        "url": "https://ubuntu.com/security/CVE-2026-46189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46133",
                        "url": "https://ubuntu.com/security/CVE-2026-46133",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46114",
                        "url": "https://ubuntu.com/security/CVE-2026-46114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46127",
                        "url": "https://ubuntu.com/security/CVE-2026-46127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46176",
                        "url": "https://ubuntu.com/security/CVE-2026-46176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46178",
                        "url": "https://ubuntu.com/security/CVE-2026-46178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46181",
                        "url": "https://ubuntu.com/security/CVE-2026-46181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46145",
                        "url": "https://ubuntu.com/security/CVE-2026-46145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46117",
                        "url": "https://ubuntu.com/security/CVE-2026-46117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46126",
                        "url": "https://ubuntu.com/security/CVE-2026-46126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46144",
                        "url": "https://ubuntu.com/security/CVE-2026-46144",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46141",
                        "url": "https://ubuntu.com/security/CVE-2026-46141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46183",
                        "url": "https://ubuntu.com/security/CVE-2026-46183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46121",
                        "url": "https://ubuntu.com/security/CVE-2026-46121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46131",
                        "url": "https://ubuntu.com/security/CVE-2026-46131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46139",
                        "url": "https://ubuntu.com/security/CVE-2026-46139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46105",
                        "url": "https://ubuntu.com/security/CVE-2026-46105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46171",
                        "url": "https://ubuntu.com/security/CVE-2026-46171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46112",
                        "url": "https://ubuntu.com/security/CVE-2026-46112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46165",
                        "url": "https://ubuntu.com/security/CVE-2026-46165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46161",
                        "url": "https://ubuntu.com/security/CVE-2026-46161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43492",
                        "url": "https://ubuntu.com/security/CVE-2026-43492",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46124",
                        "url": "https://ubuntu.com/security/CVE-2026-46124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46130",
                        "url": "https://ubuntu.com/security/CVE-2026-46130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46106",
                        "url": "https://ubuntu.com/security/CVE-2026-46106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46107",
                        "url": "https://ubuntu.com/security/CVE-2026-46107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46160",
                        "url": "https://ubuntu.com/security/CVE-2026-46160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46164",
                        "url": "https://ubuntu.com/security/CVE-2026-46164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46129",
                        "url": "https://ubuntu.com/security/CVE-2026-46129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46159",
                        "url": "https://ubuntu.com/security/CVE-2026-46159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46143",
                        "url": "https://ubuntu.com/security/CVE-2026-46143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46148",
                        "url": "https://ubuntu.com/security/CVE-2026-46148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46192",
                        "url": "https://ubuntu.com/security/CVE-2026-46192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46162",
                        "url": "https://ubuntu.com/security/CVE-2026-46162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46273",
                        "url": "https://ubuntu.com/security/CVE-2026-46273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46191",
                        "url": "https://ubuntu.com/security/CVE-2026-46191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46134",
                        "url": "https://ubuntu.com/security/CVE-2026-46134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43495",
                        "url": "https://ubuntu.com/security/CVE-2026-43495",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43502",
                        "url": "https://ubuntu.com/security/CVE-2026-43502",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46120",
                        "url": "https://ubuntu.com/security/CVE-2026-46120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46142",
                        "url": "https://ubuntu.com/security/CVE-2026-46142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46118",
                        "url": "https://ubuntu.com/security/CVE-2026-46118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46182",
                        "url": "https://ubuntu.com/security/CVE-2026-46182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46184",
                        "url": "https://ubuntu.com/security/CVE-2026-46184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43498",
                        "url": "https://ubuntu.com/security/CVE-2026-43498",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46132",
                        "url": "https://ubuntu.com/security/CVE-2026-46132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46190",
                        "url": "https://ubuntu.com/security/CVE-2026-46190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46150",
                        "url": "https://ubuntu.com/security/CVE-2026-46150",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45836",
                        "url": "https://ubuntu.com/security/CVE-2026-45836",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45834",
                        "url": "https://ubuntu.com/security/CVE-2026-45834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45835",
                        "url": "https://ubuntu.com/security/CVE-2026-45835",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46138",
                        "url": "https://ubuntu.com/security/CVE-2026-46138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46111",
                        "url": "https://ubuntu.com/security/CVE-2026-46111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46140",
                        "url": "https://ubuntu.com/security/CVE-2026-46140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46186",
                        "url": "https://ubuntu.com/security/CVE-2026-46186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46123",
                        "url": "https://ubuntu.com/security/CVE-2026-46123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46104",
                        "url": "https://ubuntu.com/security/CVE-2026-46104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46193",
                        "url": "https://ubuntu.com/security/CVE-2026-46193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46172",
                        "url": "https://ubuntu.com/security/CVE-2026-46172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46116",
                        "url": "https://ubuntu.com/security/CVE-2026-46116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46154",
                        "url": "https://ubuntu.com/security/CVE-2026-46154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46157",
                        "url": "https://ubuntu.com/security/CVE-2026-46157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46109",
                        "url": "https://ubuntu.com/security/CVE-2026-46109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46146",
                        "url": "https://ubuntu.com/security/CVE-2026-46146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46167",
                        "url": "https://ubuntu.com/security/CVE-2026-46167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46151",
                        "url": "https://ubuntu.com/security/CVE-2026-46151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46180",
                        "url": "https://ubuntu.com/security/CVE-2026-46180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46122",
                        "url": "https://ubuntu.com/security/CVE-2026-46122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46125",
                        "url": "https://ubuntu.com/security/CVE-2026-46125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46166",
                        "url": "https://ubuntu.com/security/CVE-2026-46166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46187",
                        "url": "https://ubuntu.com/security/CVE-2026-46187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46152",
                        "url": "https://ubuntu.com/security/CVE-2026-46152",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46163",
                        "url": "https://ubuntu.com/security/CVE-2026-46163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46136",
                        "url": "https://ubuntu.com/security/CVE-2026-46136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46173",
                        "url": "https://ubuntu.com/security/CVE-2026-46173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43496",
                        "url": "https://ubuntu.com/security/CVE-2026-43496",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46113",
                        "url": "https://ubuntu.com/security/CVE-2026-46113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46179",
                        "url": "https://ubuntu.com/security/CVE-2026-46179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46196",
                        "url": "https://ubuntu.com/security/CVE-2026-46196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43497",
                        "url": "https://ubuntu.com/security/CVE-2026-43497",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46108",
                        "url": "https://ubuntu.com/security/CVE-2026-46108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46128",
                        "url": "https://ubuntu.com/security/CVE-2026-46128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46177",
                        "url": "https://ubuntu.com/security/CVE-2026-46177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46149",
                        "url": "https://ubuntu.com/security/CVE-2026-46149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46137",
                        "url": "https://ubuntu.com/security/CVE-2026-46137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46155",
                        "url": "https://ubuntu.com/security/CVE-2026-46155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2157520,
                    2154418,
                    2155837,
                    2154174,
                    2154748,
                    2156559,
                    2156556,
                    2150640,
                    2156312,
                    2155096,
                    2154715,
                    2153159,
                    2150071,
                    2154343,
                    2149770,
                    2153155,
                    2152570,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156390,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2150845
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46318",
                                "url": "https://ubuntu.com/security/CVE-2026-46318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46322",
                                "url": "https://ubuntu.com/security/CVE-2026-46322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46320",
                                "url": "https://ubuntu.com/security/CVE-2026-46320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46321",
                                "url": "https://ubuntu.com/security/CVE-2026-46321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46316",
                                "url": "https://ubuntu.com/security/CVE-2026-46316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46317",
                                "url": "https://ubuntu.com/security/CVE-2026-46317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45846",
                                "url": "https://ubuntu.com/security/CVE-2026-45846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45845",
                                "url": "https://ubuntu.com/security/CVE-2026-45845",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45844",
                                "url": "https://ubuntu.com/security/CVE-2026-45844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46242",
                                "url": "https://ubuntu.com/security/CVE-2026-46242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-30 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45843",
                                "url": "https://ubuntu.com/security/CVE-2026-45843",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45842",
                                "url": "https://ubuntu.com/security/CVE-2026-45842",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45841",
                                "url": "https://ubuntu.com/security/CVE-2026-45841",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45840",
                                "url": "https://ubuntu.com/security/CVE-2026-45840",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45839",
                                "url": "https://ubuntu.com/security/CVE-2026-45839",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45838",
                                "url": "https://ubuntu.com/security/CVE-2026-45838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46214",
                                "url": "https://ubuntu.com/security/CVE-2026-46214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46207",
                                "url": "https://ubuntu.com/security/CVE-2026-46207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46234",
                                "url": "https://ubuntu.com/security/CVE-2026-46234",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46223",
                                "url": "https://ubuntu.com/security/CVE-2026-46223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46221",
                                "url": "https://ubuntu.com/security/CVE-2026-46221",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46231",
                                "url": "https://ubuntu.com/security/CVE-2026-46231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46233",
                                "url": "https://ubuntu.com/security/CVE-2026-46233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46212",
                                "url": "https://ubuntu.com/security/CVE-2026-46212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46238",
                                "url": "https://ubuntu.com/security/CVE-2026-46238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46208",
                                "url": "https://ubuntu.com/security/CVE-2026-46208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46206",
                                "url": "https://ubuntu.com/security/CVE-2026-46206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46198",
                                "url": "https://ubuntu.com/security/CVE-2026-46198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46227",
                                "url": "https://ubuntu.com/security/CVE-2026-46227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46220",
                                "url": "https://ubuntu.com/security/CVE-2026-46220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46215",
                                "url": "https://ubuntu.com/security/CVE-2026-46215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46201",
                                "url": "https://ubuntu.com/security/CVE-2026-46201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46224",
                                "url": "https://ubuntu.com/security/CVE-2026-46224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46197",
                                "url": "https://ubuntu.com/security/CVE-2026-46197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46209",
                                "url": "https://ubuntu.com/security/CVE-2026-46209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46230",
                                "url": "https://ubuntu.com/security/CVE-2026-46230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46199",
                                "url": "https://ubuntu.com/security/CVE-2026-46199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46204",
                                "url": "https://ubuntu.com/security/CVE-2026-46204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46218",
                                "url": "https://ubuntu.com/security/CVE-2026-46218",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46229",
                                "url": "https://ubuntu.com/security/CVE-2026-46229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46211",
                                "url": "https://ubuntu.com/security/CVE-2026-46211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46203",
                                "url": "https://ubuntu.com/security/CVE-2026-46203",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46219",
                                "url": "https://ubuntu.com/security/CVE-2026-46219",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46200",
                                "url": "https://ubuntu.com/security/CVE-2026-46200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46241",
                                "url": "https://ubuntu.com/security/CVE-2026-46241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46225",
                                "url": "https://ubuntu.com/security/CVE-2026-46225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46226",
                                "url": "https://ubuntu.com/security/CVE-2026-46226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46228",
                                "url": "https://ubuntu.com/security/CVE-2026-46228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46216",
                                "url": "https://ubuntu.com/security/CVE-2026-46216",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46210",
                                "url": "https://ubuntu.com/security/CVE-2026-46210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46240",
                                "url": "https://ubuntu.com/security/CVE-2026-46240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46235",
                                "url": "https://ubuntu.com/security/CVE-2026-46235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46222",
                                "url": "https://ubuntu.com/security/CVE-2026-46222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46239",
                                "url": "https://ubuntu.com/security/CVE-2026-46239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46236",
                                "url": "https://ubuntu.com/security/CVE-2026-46236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46205",
                                "url": "https://ubuntu.com/security/CVE-2026-46205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46202",
                                "url": "https://ubuntu.com/security/CVE-2026-46202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46213",
                                "url": "https://ubuntu.com/security/CVE-2026-46213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46232",
                                "url": "https://ubuntu.com/security/CVE-2026-46232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43490",
                                "url": "https://ubuntu.com/security/CVE-2026-43490",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 06:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46174",
                                "url": "https://ubuntu.com/security/CVE-2026-46174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46110",
                                "url": "https://ubuntu.com/security/CVE-2026-46110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46153",
                                "url": "https://ubuntu.com/security/CVE-2026-46153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46169",
                                "url": "https://ubuntu.com/security/CVE-2026-46169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46188",
                                "url": "https://ubuntu.com/security/CVE-2026-46188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45837",
                                "url": "https://ubuntu.com/security/CVE-2026-45837",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46156",
                                "url": "https://ubuntu.com/security/CVE-2026-46156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46147",
                                "url": "https://ubuntu.com/security/CVE-2026-46147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46175",
                                "url": "https://ubuntu.com/security/CVE-2026-46175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46194",
                                "url": "https://ubuntu.com/security/CVE-2026-46194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46170",
                                "url": "https://ubuntu.com/security/CVE-2026-46170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46158",
                                "url": "https://ubuntu.com/security/CVE-2026-46158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46168",
                                "url": "https://ubuntu.com/security/CVE-2026-46168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46189",
                                "url": "https://ubuntu.com/security/CVE-2026-46189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46133",
                                "url": "https://ubuntu.com/security/CVE-2026-46133",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46114",
                                "url": "https://ubuntu.com/security/CVE-2026-46114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46127",
                                "url": "https://ubuntu.com/security/CVE-2026-46127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46176",
                                "url": "https://ubuntu.com/security/CVE-2026-46176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46178",
                                "url": "https://ubuntu.com/security/CVE-2026-46178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46181",
                                "url": "https://ubuntu.com/security/CVE-2026-46181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46145",
                                "url": "https://ubuntu.com/security/CVE-2026-46145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46117",
                                "url": "https://ubuntu.com/security/CVE-2026-46117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46126",
                                "url": "https://ubuntu.com/security/CVE-2026-46126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46144",
                                "url": "https://ubuntu.com/security/CVE-2026-46144",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46141",
                                "url": "https://ubuntu.com/security/CVE-2026-46141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46183",
                                "url": "https://ubuntu.com/security/CVE-2026-46183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46121",
                                "url": "https://ubuntu.com/security/CVE-2026-46121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46131",
                                "url": "https://ubuntu.com/security/CVE-2026-46131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46139",
                                "url": "https://ubuntu.com/security/CVE-2026-46139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46105",
                                "url": "https://ubuntu.com/security/CVE-2026-46105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46171",
                                "url": "https://ubuntu.com/security/CVE-2026-46171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46112",
                                "url": "https://ubuntu.com/security/CVE-2026-46112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46165",
                                "url": "https://ubuntu.com/security/CVE-2026-46165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46161",
                                "url": "https://ubuntu.com/security/CVE-2026-46161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43492",
                                "url": "https://ubuntu.com/security/CVE-2026-43492",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46124",
                                "url": "https://ubuntu.com/security/CVE-2026-46124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46130",
                                "url": "https://ubuntu.com/security/CVE-2026-46130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46106",
                                "url": "https://ubuntu.com/security/CVE-2026-46106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46107",
                                "url": "https://ubuntu.com/security/CVE-2026-46107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46160",
                                "url": "https://ubuntu.com/security/CVE-2026-46160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46164",
                                "url": "https://ubuntu.com/security/CVE-2026-46164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46129",
                                "url": "https://ubuntu.com/security/CVE-2026-46129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46159",
                                "url": "https://ubuntu.com/security/CVE-2026-46159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46143",
                                "url": "https://ubuntu.com/security/CVE-2026-46143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46148",
                                "url": "https://ubuntu.com/security/CVE-2026-46148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46192",
                                "url": "https://ubuntu.com/security/CVE-2026-46192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46162",
                                "url": "https://ubuntu.com/security/CVE-2026-46162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46273",
                                "url": "https://ubuntu.com/security/CVE-2026-46273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46191",
                                "url": "https://ubuntu.com/security/CVE-2026-46191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46134",
                                "url": "https://ubuntu.com/security/CVE-2026-46134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43495",
                                "url": "https://ubuntu.com/security/CVE-2026-43495",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43502",
                                "url": "https://ubuntu.com/security/CVE-2026-43502",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46120",
                                "url": "https://ubuntu.com/security/CVE-2026-46120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46142",
                                "url": "https://ubuntu.com/security/CVE-2026-46142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46118",
                                "url": "https://ubuntu.com/security/CVE-2026-46118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46182",
                                "url": "https://ubuntu.com/security/CVE-2026-46182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46184",
                                "url": "https://ubuntu.com/security/CVE-2026-46184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43498",
                                "url": "https://ubuntu.com/security/CVE-2026-43498",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46132",
                                "url": "https://ubuntu.com/security/CVE-2026-46132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46190",
                                "url": "https://ubuntu.com/security/CVE-2026-46190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46150",
                                "url": "https://ubuntu.com/security/CVE-2026-46150",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45836",
                                "url": "https://ubuntu.com/security/CVE-2026-45836",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45834",
                                "url": "https://ubuntu.com/security/CVE-2026-45834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45835",
                                "url": "https://ubuntu.com/security/CVE-2026-45835",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46138",
                                "url": "https://ubuntu.com/security/CVE-2026-46138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46111",
                                "url": "https://ubuntu.com/security/CVE-2026-46111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46140",
                                "url": "https://ubuntu.com/security/CVE-2026-46140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46186",
                                "url": "https://ubuntu.com/security/CVE-2026-46186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46123",
                                "url": "https://ubuntu.com/security/CVE-2026-46123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46104",
                                "url": "https://ubuntu.com/security/CVE-2026-46104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46193",
                                "url": "https://ubuntu.com/security/CVE-2026-46193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46172",
                                "url": "https://ubuntu.com/security/CVE-2026-46172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46116",
                                "url": "https://ubuntu.com/security/CVE-2026-46116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46154",
                                "url": "https://ubuntu.com/security/CVE-2026-46154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46157",
                                "url": "https://ubuntu.com/security/CVE-2026-46157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46109",
                                "url": "https://ubuntu.com/security/CVE-2026-46109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46146",
                                "url": "https://ubuntu.com/security/CVE-2026-46146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46167",
                                "url": "https://ubuntu.com/security/CVE-2026-46167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46151",
                                "url": "https://ubuntu.com/security/CVE-2026-46151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46180",
                                "url": "https://ubuntu.com/security/CVE-2026-46180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46122",
                                "url": "https://ubuntu.com/security/CVE-2026-46122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46125",
                                "url": "https://ubuntu.com/security/CVE-2026-46125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46166",
                                "url": "https://ubuntu.com/security/CVE-2026-46166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46187",
                                "url": "https://ubuntu.com/security/CVE-2026-46187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46152",
                                "url": "https://ubuntu.com/security/CVE-2026-46152",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46163",
                                "url": "https://ubuntu.com/security/CVE-2026-46163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46136",
                                "url": "https://ubuntu.com/security/CVE-2026-46136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46173",
                                "url": "https://ubuntu.com/security/CVE-2026-46173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43496",
                                "url": "https://ubuntu.com/security/CVE-2026-43496",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46113",
                                "url": "https://ubuntu.com/security/CVE-2026-46113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46179",
                                "url": "https://ubuntu.com/security/CVE-2026-46179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46196",
                                "url": "https://ubuntu.com/security/CVE-2026-46196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43497",
                                "url": "https://ubuntu.com/security/CVE-2026-43497",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46108",
                                "url": "https://ubuntu.com/security/CVE-2026-46108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46128",
                                "url": "https://ubuntu.com/security/CVE-2026-46128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46177",
                                "url": "https://ubuntu.com/security/CVE-2026-46177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46149",
                                "url": "https://ubuntu.com/security/CVE-2026-46149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46137",
                                "url": "https://ubuntu.com/security/CVE-2026-46137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46155",
                                "url": "https://ubuntu.com/security/CVE-2026-46155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-28.28 -proposed tracker (LP: #2157520)",
                            "",
                            "  * Backport ASoC SDCA, AMD SoundWire, and RT722 audio fixes (LP: #2154418)",
                            "    - ASoC: amd: acp-sdw-legacy: rename the dmic component name",
                            "    - SAUCE: ASoC: rt722-sdca: add FU06 Playback Switch for speaker mute",
                            "      control",
                            "",
                            "  * MIPI camera of a BBG809N3A_B sensor SKU of the DELL Pro 14 Premium PA14260",
                            "    renders upside-down (LP: #2155837)",
                            "    - SAUCE: media: ipu-bridge: correct platform handling for DELL Pro 14",
                            "      Premium PA14260",
                            "",
                            "  * resolute ubuntu_kernel_selftests:seccomp_build test compilation issue",
                            "    (LP: #2154174)",
                            "    - SAUCE: selftests/seccomp fix compilation issue for amd64",
                            "",
                            "  * [Ubuntu 26.04] Severe Performance Degradation on kernel 7.0.0-15",
                            "    (LP: #2154748)",
                            "    - s390: Remove GENERIC_LOCKBREAK Kconfig option",
                            "    - UBUNTU [Config]: Remove GENERIC_LOCKBREAK in s390x",
                            "",
                            "  * Fix no sound output device on Dell GhostRider PTL no camera SKU",
                            "    (LP: #2156559)",
                            "    - ASoC: Intel: sof_sdw: append dai type to dai link name unconditionally",
                            "",
                            "  * Fix no audio from right built-in speaker on HP ZBook with TAS2781",
                            "    amplifier (LP: #2156556)",
                            "    - ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block",
                            "      data processing",
                            "",
                            "  * Installer fails internally with a RSync error due to page fault",
                            "    (LP: #2150640)",
                            "    - ovl: keep err zero after successful ovl_cache_get()",
                            "",
                            "  * Internal display black screen on Intel Lunar Lake with eDP panel",
                            "    (LP: #2156312)",
                            "    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG",
                            "",
                            "  * Thunderbolt DP tunnel torn down during boot with LUKS Full Disk Encryption",
                            "    (LP: #2155096)",
                            "    - SAUCE: thunderbolt: Defer DP tunnel teardown until display driver is",
                            "      ready",
                            "",
                            "  * watchdog: lenovo_se10_wdt: Add SE10 Gen 2 support (LP: #2154715)",
                            "    - watchdog: lenovo_se10_wdt: Add support for SE10 Gen 2 platform",
                            "    - watchdog: lenovo_se10_wdt: Fix use-after-free and resource leak risk",
                            "",
                            "  * [Ubuntu 26.04] KVM: IBM Test Accelerator for Z (TAZ) not working properly",
                            "    (LP: #2153159)",
                            "    - KVM: s390: only deliver service interrupt with payload",
                            "    - KVM: s390: vsie: Allow non-zarch guests",
                            "    - KVM: s390: vsie: Disable some bits when in ESA mode",
                            "    - KVM: s390: vsie: Accommodate ESA prefix pages",
                            "    - KVM: s390: Add KVM capability for ESA mode guests",
                            "",
                            "  * ubuntu_bpf failed to build on Resolute (error: expected ‘:’, ‘,’, ‘;’, ‘}’",
                            "    or ‘__attribute__’ before ‘__counted_by’) (LP: #2150071)",
                            "    - tools/headers: Regenerate stddef.h to fix BPF selftests",
                            "",
                            "  * ubuntu_bpf: FTBFS with clang 23 / gcc 15 (LP: #2154343)",
                            "    - selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c",
                            "",
                            "  * ALSA: hda/tas2781 Audio Fix for the front-right speacker (LP: #2149770)",
                            "    - ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device",
                            "",
                            "  * Fix bad audio record quality when volume above 50% on Framework PTL",
                            "    (LP: #2153155)",
                            "    - ALSA: hda/realtek: fix mic boost on Framework PTL",
                            "",
                            "  * Patchset for TUXEDO devices (LP: #2152570)",
                            "    - drm/i915/vbt: Add edp pipe joiner enable/disable bits",
                            "    - drm/i915/dp: Avoid joiner for eDP if not enabled in VBT",
                            "    - drm/amd/display: Add Idle state manager(ISM)",
                            "    - drm/i915/backlight: Remove try_vesa_interface",
                            "    - drm/i915/backlight: Use intel_panel variable instead of intel_connector",
                            "    - drm/i915/backlight: Take luminance_set into account for VESA backlight",
                            "    - drm/i915/backlight: Check luminance_set when disabling PWM via AUX VESA",
                            "      backlight",
                            "    - drm/i915/backlight: Short circuit intel_dp_aux_supports_hdr_backlight",
                            "    - drm/i915/backlight: Update debug log during backlight setup",
                            "    - drm/i915/backlight: Check if VESA backlight is possible",
                            "    - drm/i915/backlight: Provide clear description on how backlight level is",
                            "      controlled",
                            "    - drm/i915/backlight: Fix VESA backlight possible check condition",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636)",
                            "    - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size",
                            "    - ACPI: button: Fix ACPI GPE handler leak during removal",
                            "    - ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time",
                            "    - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit",
                            "    - net/sched: sch_sfb: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "    - bcache: fix uninitialized closure object",
                            "    - nfc: llcp: Fix use-after-free in llcp_sock_release()",
                            "    - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()",
                            "    - xfrm: Check for underflow in xfrm_state_mtu",
                            "    - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems",
                            "    - tools/bootconfig: Fix buf leaks in apply_xbc",
                            "    - HID: remove duplicate hid_warn_ratelimited definition",
                            "    - kunit: fix use-after-free in debugfs when using kunit.filter",
                            "    - accel/rocket: fix UAF via dangling GEM handle in create_bo",
                            "    - netfilter: synproxy: refresh tcphdr after skb_ensure_writable",
                            "    - netfilter: xt_cpu: prefer raw_smp_processor_id",
                            "    - netfilter: ebtables: fix OOB read in compat_mtw_from_user",
                            "    - netfilter: nf_tables: fix dst corruption in same register operation",
                            "    - vsock: keep poll shutdown state consistent",
                            "    - net: netlink: fix sending unassigned nsid after assigned one",
                            "    - net: netlink: don't set nsid on local notifications",
                            "    - net/smc: Do not re-initialize smc hashtables",
                            "    - net/iucv: fix locking in .getsockopt",
                            "    - scsi: core: Run queues for all non-SDEV_DEL devices from",
                            "      scsi_run_host_queues",
                            "    - scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()",
                            "    - ipv4: free net->ipv4.sysctl_local_reserved_ports after",
                            "      unregister_net_sysctl_table()",
                            "    - ALSA: hda: cs35l56: Fix system name string leaks",
                            "    - ALSA: pcm: oss: Fix setup list UAF on proc write error",
                            "    - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors",
                            "    - net/mlx5: HWS: Reject unsupported remove-header action",
                            "    - net: hsr: fix potential OOB access in supervision frame handling",
                            "    - accel/ivpu: prevent uninitialized data bug in debugfs",
                            "    - gpio: mxc: fix irq_high handling",
                            "    - drm/i915/aux: use polling when irqs are unavailable",
                            "    - net: Avoid checksumming unreadable skb tail on trim",
                            "    - ethtool: rss: avoid modifying the RSS context response",
                            "    - ethtool: rss: add missing errno on RSS context delete",
                            "    - ethtool: rss: fix falsely ignoring indir table updates",
                            "    - ethtool: rss: fix indir_table and hkey leak on get_rxfh failure",
                            "    - ethtool: rss: fix hkey leak when indir_size is 0",
                            "    - ethtool: rss: avoid device context leak on reply-build failure",
                            "    - ethtool: module: call ethnl_ops_complete() on module flash errors",
                            "    - ethtool: module: avoid leaking a netdev ref on module flash errors",
                            "    - ethtool: module: avoid racy updates to dev->ethtool bitfield",
                            "    - ethtool: module: check fw_flash_in_progress under rtnl_lock",
                            "    - ethtool: module: fix cleanup if socket used for flashing multiple",
                            "      devices",
                            "    - ethtool: cmis: require exact CDB reply length",
                            "    - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl",
                            "    - ethtool: cmis: validate start_cmd_payload_size from module",
                            "    - ethtool: cmis: validate fw->size against start_cmd_payload_size",
                            "    - cxl/test: Update mock dev array before calling platform_device_add()",
                            "    - blk-mq: reinsert cached request to the list",
                            "    - tunnels: load network headers after skb_cow() in",
                            "      iptunnel_pmtud_build_icmp[v6]()",
                            "    - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()",
                            "    - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()",
                            "    - ksmbd: fix FSCTL permission bypass by adding a permission check for",
                            "      FSCTL_SET_SPARSE",
                            "    - ASoC: codecs: simple-mux: Fix enum control bounds check",
                            "    - drm/xe: Restore IDLEDLY regiter on engine reset",
                            "    - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()",
                            "    - bonding: refuse to enslave CAN devices",
                            "    - bridge: Fix sleep in atomic context in netlink path",
                            "    - bridge: Fix sleep in atomic context in sysfs path",
                            "    - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES",
                            "    - ethtool: tsconfig: fix reply error handling",
                            "    - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup",
                            "      error",
                            "    - ethtool: pse-pd: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsconfig: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsinfo: fix uninitialized stats on the by-PHC path",
                            "    - ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure",
                            "    - ethtool: strset: fix header attribute index in ethnl_req_get_phydev()",
                            "    - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during",
                            "      fallback",
                            "    - ethtool: eeprom: add more safeties to EEPROM Netlink fallback",
                            "    - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()",
                            "    - net/sched: Revert \"net/sched: Restrict conditions for adding duplicating",
                            "      netems to qdisc tree\"",
                            "    - net/sched: fix packet loop on netem when duplicate is on",
                            "    - net: Introduce skb tc depth field to track packet loops",
                            "    - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop",
                            "    - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack",
                            "      overflow",
                            "    - net/sched: act_mirred: Fix return code in early mirred redirect error",
                            "      paths",
                            "    - net: hibmcge: disable Relaxed Ordering to fix RX packet corruption",
                            "    - net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path",
                            "    - net/handshake: Use spin_lock_bh for hn_lock",
                            "    - nvme-tcp: store negative errno in queue->tls_err",
                            "    - net/handshake: Pass negative errno through handshake_complete()",
                            "    - net/handshake: hand off the pinned file reference to accept_doit",
                            "    - net/handshake: Take a long-lived file reference at submit",
                            "    - net/handshake: Drain pending requests at net namespace exit",
                            "    - dpll: zl3073x: detect DPLL channel count from chip ID at runtime",
                            "    - dpll: zl3073x: add die temperature reporting for supported chips",
                            "    - dpll: export __dpll_device_change_ntf() for use under dpll_lock",
                            "    - dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work",
                            "    - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success",
                            "    - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp",
                            "    - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close",
                            "    - Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()",
                            "    - gpio: adnp: fix flow control regression caused by scoped_guard()",
                            "    - gpio: virtuser: Fix uninitialized data bug in",
                            "      gpio_virtuser_direction_do_write()",
                            "    - gpio: rockchip: convert bank->clk to devm_clk_get_enabled()",
                            "    - gpio: rockchip: teardown bugs and resource leaks",
                            "    - net: mana: Add NULL guards in teardown path to prevent panic on attach",
                            "      failure",
                            "    - net: mana: Skip redundant detach on already-detached port",
                            "    - sctp: fix race between sctp_wait_for_connect and peeloff",
                            "    - net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration",
                            "    - vsock/virtio: bind uarg before filling zerocopy skb",
                            "    - ipv6: fix possible infinite loop in rt6_fill_node()",
                            "    - ipv6: fix possible infinite loop in fib6_select_path()",
                            "    - net: skbuff: fix pskb_carve leaking zcopy pages",
                            "    - Revert \"ipv6: preserve insertion order for same-scope addresses\"",
                            "    - Revert \"x86/fpu: Refine and simplify the magic number check during",
                            "      signal return\"",
                            "    - drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register",
                            "    - drm/i915/psr: Read Intel DPCD workaround register",
                            "    - drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used",
                            "    - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer",
                            "    - iio: imu: adis16550: fix stack leak in trigger handler",
                            "    - iio: pressure: bmp280: fix stack leak in bmp580 trigger handler",
                            "    - usb: typec: ucsi: ccg: reject firmware images without a ':' record",
                            "      header",
                            "    - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers",
                            "    - usb: typec: tcpm: bound altmode_desc[] per iteration in",
                            "      svdm_consume_modes()",
                            "    - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload",
                            "      VDO",
                            "    - usb: typec: altmodes/displayport: validate count before reading Status",
                            "      Update VDO",
                            "    - usb: typec: wcove: don't write past struct pd_message in",
                            "      wcove_read_rx_buffer()",
                            "    - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT",
                            "    - usb: typec: ucsi: validate connector number in ucsi_connector_change()",
                            "    - USB: serial: safe_serial: fix memory corruption with small endpoint",
                            "    - media: rc: igorplugusb: fix control request setup packet",
                            "    - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()",
                            "    - USB: serial: cypress_m8: fix memory corruption with small endpoint",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse",
                            "    - Bluetooth: btusb: Allow firmware re-download when version matches",
                            "    - mm/vmalloc: do not trigger BUG() on BH disabled context",
                            "    - hpfs: fix a crash if hpfs_map_dnode_bitmap fails",
                            "    - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()",
                            "    - ipc: limit next_id allocation to the valid ID range",
                            "    - mm: memcontrol: propagate NMI slab stats to memcg vmstats",
                            "    - mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page",
                            "    - memfd: deny writeable mappings when implying SEAL_WRITE",
                            "    - zram: fix use-after-free in zram_writeback_endio",
                            "    - mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one",
                            "    - auxdisplay: line-display: fix OOB read on zero-length message_store()",
                            "    - smb: client: fix uninitialized variable in smb2_writev_callback",
                            "    - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
                            "    - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn",
                            "    - Bluetooth: HIDP: fix missing length checks in hidp_input_report()",
                            "    - Bluetooth: ISO: fix UAF in iso_recv_frame",
                            "    - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock",
                            "    - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()",
                            "    - Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading",
                            "    - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync",
                            "    - Input: xpad - fix out-of-bounds access for Share button",
                            "    - parport: Fix race between port and client registration",
                            "    - rust_binder: Avoid holding lock when dropping delivered_death",
                            "    - rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN",
                            "    - USB: cdc-acm: Fix bit overlap and move quirk definitions to header",
                            "    - KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor",
                            "    - KVM: arm64: PMU: Preserve AArch32 counter low bits",
                            "    - KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC",
                            "    - KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
                            "    - KVM: SEV: Ignore Port I/O requests of length '0'",
                            "    - KVM: SEV: Use the size of the PSC header as the minimum size for PSC",
                            "      requests",
                            "    - KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0",
                            "    - KVM: SEV: Compute the correct max length of the in-GHCB scratch area",
                            "    - KVM: SEV: Check PSC request indices against the actual size of the",
                            "      buffer",
                            "    - KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer",
                            "    - KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()",
                            "    - gpio: shared: undo the vote of the proxy on GPIO free",
                            "    - gpio: shared: fix deadlock on shared proxy's parent removal",
                            "    - gpio: shared: fix lockdep false positive by removing unneeded lock",
                            "    - Disable -Wattribute-alias for clang-23 and newer",
                            "    - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux",
                            "    - iio: adc: npcm: fix unbalanced clk_disable_unprepare()",
                            "    - iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings",
                            "    - iio: dac: max5821: fix return value check in powerdown sync",
                            "    - iio: dac: ad5686: fix ref bit initialization for single-channel parts",
                            "    - iio: dac: ad5686: fix input raw value check",
                            "    - iio: dac: ad5686: acquire lock when doing powerdown control",
                            "    - iio: dac: ad5686: fix powerdown control on dual-channel devices",
                            "    - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp",
                            "    - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw",
                            "    - iio: adc: ad4695: Fix call ordering in offload buffer postenable",
                            "    - iio: adc: nxp-sar-adc: fix division by zero in write_raw",
                            "    - iio: adc: nxp-sar-adc: Avoid division by zero",
                            "    - iio: adc: nxp-sar-adc: zero-initialize dma_slave_config",
                            "    - iio: gyro: itg3200: fix i2c read into the wrong stack location",
                            "    - iio: gyro: adis16260: fix division by zero in write_raw",
                            "    - iio: ssp_sensors: cancel delayed work_refresh on remove",
                            "    - iio: temperature: tsys01: fix broken PROM checksum validation",
                            "    - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL",
                            "    - iio: light: veml6070: Fix resource leak in probe error path",
                            "    - iio: Fix iio_multiply_value use in iio_read_channel_processed_scale",
                            "    - iio: chemical: mhz19b: reject oversized serial replies",
                            "    - iio: chemical: scd30: fix division by zero in write_raw",
                            "    - iio: light: cm3323: fix reg_conf not being initialized correctly",
                            "    - iio: buffer: hw-consumer: fix use-after-free in error path",
                            "    - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()",
                            "    - USB: serial: omninet: fix memory corruption with small endpoint",
                            "    - usb: cdns3: gadget: fix request skipping after clearing halt",
                            "    - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy",
                            "      acquisition failure",
                            "    - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently",
                            "      leaks the runtime PM usage counter across bind/unbind cycles",
                            "    - usb: dwc2: Fix use after free in debug code",
                            "    - Input: elan_i2c - validate firmware size before use",
                            "    - i2c: davinci: fix division by zero on missing clock-frequency",
                            "    - x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines",
                            "    - wireguard: send: append trailer after expanding head",
                            "    - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data",
                            "    - macsec: fix replay protection at XPN lower-PN wrap",
                            "    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()",
                            "    - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params",
                            "    - octeontx2-af: validate body pcifunc in rvu_mbox_handler_rep_event_notify",
                            "    - ipv6: exthdrs: refresh nh after handling HAO option",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().",
                            "    - ipv6: validate extension header length before copying to cmsg",
                            "    - xfrm: input: hold netns during deferred transport reinjection",
                            "    - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_changelink().",
                            "    - net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
                            "    - spi: spi-mem: avoid mutating op template in spi_mem_supports_op()",
                            "    - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()",
                            "    - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings",
                            "    - nfc: hci: fix out-of-bounds read in HCP header parsing",
                            "    - xfrm: route MIGRATE notifications to caller's netns",
                            "    - xfrm: ipcomp: Free destination pages on acomp errors",
                            "    - xfrm: ah: use skb_to_full_sk in async output callbacks",
                            "    - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417",
                            "    - ALSA: firewire-motu: Protect register DSP event queue positions",
                            "    - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without",
                            "      direction check",
                            "    - ASoC: qcom: q6asm-dai: close stream only when running",
                            "    - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger",
                            "      callbacks",
                            "    - xfrm: esp: restore combined single-frag length gate",
                            "    - ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP",
                            "    - xfrm: iptfs: reset runtime state when cloning SAs",
                            "    - dma-buf: fix UAF in dma_buf_fd() tracepoint",
                            "    - Input: xpad - add \"Nova 2 Lite\" from GameSir",
                            "    - Input: xpad - add support for ASUS ROG RAIKIRI II",
                            "    - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops",
                            "    - misc: rp1: Send IACK on IRQ activate to fix kdump/kexec",
                            "    - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem",
                            "    - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490",
                            "    - dt-bindings: usb: Fix EIC7700 USB reset's issue",
                            "    - comedi: comedi_test: fix check for valid scan_begin_src in",
                            "      waveform_ai_cmdtest()",
                            "    - comedi: comedi_test: Fix limiting of convert_arg in",
                            "      waveform_ai_cmdtest()",
                            "    - counter: Fix refcount leak in counter_alloc() error path",
                            "    - tty: serial: pch_uart: add check for dma_alloc_coherent()",
                            "    - tty: serial: samsung: Remove redundant port lock acquisition in rx",
                            "      helpers",
                            "    - uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory",
                            "    - usb: chipidea: core: convert ci_role_switch to local variable",
                            "    - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval",
                            "    - usb: dwc3: xilinx: fix error handling in zynqmp init error paths",
                            "    - usb: musb: omap2430: Fix use-after-free in omap2430_probe()",
                            "    - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub",
                            "      controllers",
                            "    - usb: storage: Add quirks for PNY Elite Portable SSD",
                            "    - usbip: vudc: Fix use after free bug in vudc_remove due to race condition",
                            "    - usb: usbtmc: check URB actual_length for interrupt-IN notifications",
                            "    - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize",
                            "    - usb: typec: tipd: Fix error code in tps6598x_probe()",
                            "    - usb: typec: tcpm: improve handling of DISCOVER_MODES failures",
                            "    - usb: typec: ucsi: Check if power role change actually happened before",
                            "      handling",
                            "    - usb: typec: ucsi: Don't update power_supply on power role change if not",
                            "      connected",
                            "    - USB: serial: option: add MeiG SRM813Q",
                            "    - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL",
                            "    - USB: serial: belkin_sa: validate interrupt status length",
                            "    - USB: serial: cypress_m8: validate interrupt packet headers",
                            "    - USB: serial: digi_acceleport: fix memory corruption with small endpoints",
                            "    - USB: serial: keyspan: fix missing indat transfer sanity check",
                            "    - USB: serial: mxuport: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check",
                            "    - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind",
                            "    - usb: gadget: net2280: Fix double free in probe error path",
                            "    - usb: gadget: f_hid: fix device reference leak in hidg_alloc()",
                            "    - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling",
                            "    - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports",
                            "    - usb: gadget: f_fs: copy only received bytes on short ep0 read",
                            "    - usb: gadget: f_fs: serialize DMABUF cancel against request completion",
                            "    - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()",
                            "    - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow",
                            "    - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()",
                            "    - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker",
                            "    - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32",
                            "    - scsi: target: iscsi: Fix CRC overread and double-free in",
                            "      iscsit_handle_text_cmd()",
                            "    - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf",
                            "    - scsi: target: iscsi: Validate CHAP_R length before base64 decode",
                            "    - drm/hyperv: validate resolution_count and fix WIN8 fallback",
                            "    - drm/hyperv: validate VMBus packet size in receive callback",
                            "    - drm/gem: fix race between change_handle and handle_delete",
                            "    - drm/i915/color: Fix HDR pre-CSC LUT programming loop",
                            "    - drm/i915/psr: Block DC states on vblank enable when Panel Replay",
                            "      supported",
                            "    - drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable",
                            "    - drm/i915: Fix potential UAF in TTM object purge",
                            "    - drm/amd/pm/si: Disregard vblank time when no displays are connected",
                            "    - serial: altera_jtaguart: handle uart_add_one_port() failures",
                            "    - serial: qcom-geni: fix UART_RX_PAR_EN bit position",
                            "    - serial: qcom_geni: fix kfifo underflow when flush precedes DMA",
                            "      completion IRQ",
                            "    - serial: sh-sci: fix memory region release in error path",
                            "    - serial: zs: Fix swapped RI/DSR modem line transition counting",
                            "    - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma",
                            "    - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr",
                            "    - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger",
                            "    - drm/amdkfd: Check for pdd drm file first in CRIU restore path",
                            "    - drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO",
                            "    - drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx",
                            "    - drm/amdgpu: fix amdgpu_hmm_range_get_pages",
                            "    - drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO",
                            "    - serial: dz: Fix bootconsole message clobbering at chip reset",
                            "    - serial: dz: Fix bootconsole handover lockup",
                            "    - serial: dz: Convert to use a platform device",
                            "    - serial: zs: Fix bootconsole handover lockup",
                            "    - serial: zs: Switch to using channel reset",
                            "    - serial: zs: Convert to use a platform device",
                            "    - serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)",
                            "    - serial: 8250: dispatch SysRq character in serial8250_handle_irq()",
                            "    - serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()",
                            "    - platform/x86/intel/vsec: Refactor base_addr handling",
                            "    - platform/x86/intel/vsec: Make driver_data info const",
                            "    - platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery",
                            "    - rxrpc: Fix RESPONSE packet verification to extract skb to a linear",
                            "      buffer",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook",
                            "      X",
                            "    - arm64: tlb: Flush walk cache when unsharing PMD tables",
                            "    - i2c: tegra: make tegra_i2c_mutex_unlock() return void",
                            "    - hwmon: (pmbus) Add support for guarded PMBus lock",
                            "    - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with",
                            "      pmbus_lock",
                            "    - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock",
                            "    - net: phy: micrel: fix LAN8814 QSGMII soft reset",
                            "    - xhci: tegra: Fix ghost USB device on dual-role port unplug",
                            "    - mailbox: Fix NULL message support in mbox_send_message()",
                            "    - usb: core: Fix SuperSpeed root hub wMaxPacketSize",
                            "    - tools: ynl: add scope qualifier for definitions",
                            "    - Linux 7.0.12",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46318",
                            "    - Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46322",
                            "    - tun: free page on build_skb failure in tun_xdp_one()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46320",
                            "    - tap: free page on error paths in tap_get_user_xdp()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46321",
                            "    - tun: free page on short-frame rejection in tun_xdp_one()",
                            "",
                            "  * CVE-2026-46316 // CVE-2026-46317",
                            "    - KVM: arm64: Reassign nested_mmus array behind mmu_lock",
                            "",
                            "  * CVE-2026-46316",
                            "    - KVM: arm64: vgic-its: Drop the translation cache reference only for the",
                            "      erased entry",
                            "    - KVM: arm64: Take the SRCU lock for page table walks in fault injection",
                            "      and AT emulation",
                            "",
                            "  * Resolute update: v7.0.11 upstream stable release (LP: #2156390)",
                            "    - iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs",
                            "    - iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
                            "    - ksmbd: close durable scavenger races against m_fp_list lookups",
                            "    - ata: libata-scsi: improve readability of ata_scsi_qc_issue()",
                            "    - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT",
                            "    - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS",
                            "    - ata: libata-scsi: do not needlessly defer commands when using PMP with",
                            "      FBS",
                            "    - sysfs: don't remove existing directory on update failure",
                            "    - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
                            "    - ksmbd: fix null pointer dereference in compare_guid_key()",
                            "    - ksmbd: fix null pointer dereference in proc_show_files()",
                            "    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow",
                            "    - ksmbd: validate SID in parent security descriptor during ACL inheritance",
                            "    - regulator: tps65219: fix irq_data.rdev not being assigned",
                            "    - x86/mm: Disable broadcast TLB flush when PCID is disabled",
                            "    - scripts/gdb: mm: cast untyped symbols in x86_page_ops",
                            "    - smb: client: require net admin for CIFS SWN netlink",
                            "    - smb: client: protect tc_count increment in",
                            "      smb2_find_smb_sess_tcon_unlocked()",
                            "    - smb: client: use data_len for SMB2 READ encrypted folioq copy",
                            "    - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close",
                            "    - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX",
                            "    - ALSA: ua101: Reject too-short USB descriptors",
                            "    - ALSA: pcm: Don't setup bogus iov_iter for silencing",
                            "    - ALSA: asihpi: Fix potential OOB array access at reading cache",
                            "    - ALSA: scarlett2: Allow flash writes ending at segment boundary",
                            "    - ACPI: battery: Fix system wakeup on critical battery status",
                            "    - efi: Allocate runtime workqueue before ACPI init",
                            "    - spi: amd: Set correct bus number in ACPI probe path",
                            "    - io_uring/waitid: clear waitid info before copying it to userspace",
                            "    - drivers/base/memory: fix memory block reference leak in poison",
                            "      accounting",
                            "    - ipv6: ioam: refresh hdr pointer before ioam6_event()",
                            "    - mm/memory: fix spurious warning when unmapping device-private/exclusive",
                            "      pages",
                            "    - mm: fix __vm_normal_page() to handle missing support for",
                            "      pmd_special()/pud_special()",
                            "    - mm/memory_hotplug: fix memory block reference leak on remove",
                            "    - mm/page_alloc: fix initialization of tags of the huge zero folio with",
                            "      init_on_free",
                            "    - mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page",
                            "    - selftests/mm: run_vmtests.sh: fix destructive tests invocation",
                            "    - mm/damon: fix damos_stat tracepoint format for sz_applied",
                            "    - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
                            "    - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
                            "    - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START",
                            "    - Bluetooth: bnep: Fix UAF read of dev->name",
                            "    - Bluetooth: hci_uart: fix UAFs and race conditions in close and init",
                            "      paths",
                            "    - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer",
                            "    - Bluetooth: hci_qca: Convert timeout from jiffies to ms",
                            "    - Bluetooth: MGMT: validate Add Extended Advertising Data length",
                            "    - Bluetooth: serialize accept_q access",
                            "    - phonet/pep: disable BH around forwarded sk_receive_skb()",
                            "    - net: bcmgenet: keep RBUF EEE/PM disabled",
                            "    - net: devmem: reject dma-buf bind with non-page-aligned size or SG length",
                            "    - net: phy: skip EEE advertisement write when autoneg is disabled",
                            "    - net: hsr: defer node table free until after RCU readers",
                            "    - net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover",
                            "    - net: ifb: report ethtool stats over num_tx_queues",
                            "    - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()",
                            "    - netfilter: ip6t_hbh: reject oversized option lists",
                            "    - netfilter: nf_queue: hold bridge skb->dev while queued",
                            "    - netfilter: ipset: stop hash:* range iteration at end",
                            "    - net: ethtool: fix NULL pointer dereference in phy_reply_size",
                            "    - net: ethtool: phy: avoid NULL deref when PHY driver is unbound",
                            "    - ACPI: driver: Check ACPI_COMPANION() against NULL during probe",
                            "    - sched_ext: Fix missing warning in scx_set_task_state() default case",
                            "    - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path",
                            "    - l2tp: use list_del_rcu in l2tp_session_unhash",
                            "    - qed: fix double free in qed_cxt_tables_alloc()",
                            "    - ring-buffer: Fix reporting of missed events in iterator",
                            "    - ring-buffer: Flush and stop persistent ring buffer on panic",
                            "    - wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb",
                            "    - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()",
                            "    - selftests: mptcp: drop nanoseconds width specifier",
                            "    - mptcp: pm: fix ADD_ADDR timer infinite retry on option space",
                            "      insufficient",
                            "    - vsock/vmci: fix UAF when peer resets connection during handshake",
                            "    - vsock/virtio: reset connection on receiving queue overflow",
                            "    - ice: fix VF queue configuration with low MTU values",
                            "    - wifi: ath11k: clear shared SRNG pointer state on restart",
                            "    - wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
                            "    - wifi: iwlwifi: mld: stop TX during firmware restart",
                            "    - ipv4: raw: reject IP_HDRINCL packets with ihl < 5",
                            "    - ixgbevf: fix use-after-free in VEPA multicast source pruning",
                            "    - rbd: eliminate a race in lock_dwork draining on unmap",
                            "    - mptcp: do not drop partial packets",
                            "    - mptcp: reset rcv wnd on disconnect",
                            "    - lsm: hold cred_guard_mutex for lsm_set_self_attr()",
                            "    - octeontx2-af: CGX: add bounds check to cgx_speed_mbps index",
                            "    - octeontx2-pf: fix double free in rvu_rep_rsrc_init()",
                            "    - igc: fix potential skb leak in igc_fpe_xmit_smd_frame()",
                            "    - ice: fix locking around wait_event_interruptible_locked_irq",
                            "    - ice: fix setting promisc mode while adding VID filter",
                            "    - ice: restore PTP Rx timestamp config after ethtool set-channels",
                            "    - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
                            "    - af_unix: Fix UAF read of tail->len in unix_stream_data_wait()",
                            "    - wifi: mac80211: consume only present negotiated TTLM maps",
                            "    - octeontx2-pf: avoid double free of pool->stack on AQ init failure",
                            "    - cifs: Fix busy dentry used after unmounting",
                            "    - tracing: Do not call map->ops->elt_free() if elt_alloc() fails",
                            "    - ASoC: codecs: pcm512x: fix null-ptr dereference in",
                            "      pcm512x_overclock_xxx_put()",
                            "    - arm64: probes: Handle probes on hinted conditional branch instructions",
                            "    - KVM: arm64: vgic-its: Reject restored DTE with out-of-range",
                            "      num_eventid_bits",
                            "    - KVM: arm64: vgic: Free private_irqs when init fails after allocation",
                            "    - KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum",
                            "      #1235)",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM",
                            "    - virt: sev-guest: Explicitly leak pages in unknown state",
                            "    - i2c: tegra: fix pm_runtime leak on mutex_lock failure",
                            "    - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe",
                            "    - spi: qup: fix error pointer deref after DMA setup failure",
                            "    - phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870",
                            "    - phy: tegra: xusb: Fix per-pad high-speed termination calibration",
                            "    - phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4",
                            "      fix",
                            "    - phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables",
                            "    - phy: qcom: edp: Add eDP/DP mode switch support",
                            "    - phy: qcom: edp: Fix AUX_CFG8 programming for DP mode",
                            "    - scsi: isci: Fix use-after-free in device removal path",
                            "    - spi: ep93xx: fix error pointer deref after DMA setup failure",
                            "    - spi: sprd: fix error pointer deref after DMA setup failure",
                            "    - spi: ti-qspi: fix use-after-free after DMA setup failure",
                            "    - mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()",
                            "    - RDMA/siw: Reject MPA FPDU length underflow before signed receive math",
                            "    - s390/cio: Restore GFP_DMA for CHSC allocation",
                            "    - s390/pai: Disable duplicate read of kernel PAI counter value",
                            "    - s390/pai: Fix missing PAI counter increments under heavy load",
                            "    - fwctl: pds: Validate RPC input size before parsing",
                            "    - LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions",
                            "    - LoongArch: Remove unused code to avoid build warning",
                            "    - cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E",
                            "    - device property: set fwnode->secondary to NULL in fwnode_init()",
                            "    - drm/i915/display: Copy color pipeline from plane in the primary joiner",
                            "      pipe",
                            "    - drm/msm: Fix shrinker deadlock",
                            "    - drm/v3d: Fix use-after-free of CPU job query arrays on error path",
                            "    - drm/v3d: Release indirect CSD GEM reference on CPU job free",
                            "    - drm/virtio: use uninterruptible resv lock for plane updates",
                            "    - drm/xe/multi_queue: Fix secondary queue error case",
                            "    - drm/amdgpu/vpe: Force collaborate sync after TRAP",
                            "    - drm/bridge: it66121: acquire reset GPIO in probe",
                            "    - drm/bridge: megachips: remove bridge when irq request fails",
                            "    - drm/amd/display: Fix integer overflow in bios_get_image()",
                            "    - drm/amd/display: Validate GPIO pin LUT table size before iterating",
                            "    - drm/amd/display: Validate payload length and link_index in",
                            "      dc_process_dmub_aux_transfer_async",
                            "    - batman-adv: v: stop OGMv2 on disabled interface",
                            "    - batman-adv: tvlv: abort OGM send on tvlv append failure",
                            "    - batman-adv: tvlv: reject oversized TVLV packets",
                            "    - batman-adv: iv: recover OGM scheduling after forward packet error",
                            "    - batman-adv: mcast: fix use-after-free in orig_node RCU release",
                            "    - batman-adv: clear current gateway during teardown",
                            "    - batman-adv: dat: handle forward allocation error",
                            "    - batman-adv: fix fragment reassembly length accounting",
                            "    - batman-adv: fix tp_meter counter underflow during shutdown",
                            "    - batman-adv: frag: disallow unicast fragment in fragment",
                            "    - batman-adv: bla: fix report_work leak on backbone_gw purge",
                            "    - batman-adv: bla: avoid double decrement of bla.num_requests",
                            "    - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface",
                            "    - batman-adv: tp_meter: avoid use of uninit sender vars",
                            "    - batman-adv: tp_meter: directly shut down timer on cleanup",
                            "    - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown",
                            "    - batman-adv: tp_meter: fix race condition in send error reporting",
                            "    - batman-adv: tp_meter: avoid role confusion in tp_list",
                            "    - batman-adv: tt: fix TOCTOU race for reported vlans",
                            "    - batman-adv: tt: reject oversized local TVLV buffers",
                            "    - batman-adv: tt: avoid empty VLAN responses",
                            "    - batman-adv: tt: fix negative last_changeset_len",
                            "    - batman-adv: tt: fix negative tt_buff_len",
                            "    - batman-adv: tt: prevent TVLV entry number overflow",
                            "    - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock",
                            "    - hwmon: (pmbus/adm1266) reject implausible blackbox record_count",
                            "    - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer",
                            "    - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized",
                            "      buffer",
                            "    - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR",
                            "    - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in",
                            "      get_multiple",
                            "    - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO",
                            "      accessors",
                            "    - pinctrl: mediatek: moore: implement gpio_chip::get_direction()",
                            "    - pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function",
                            "    - arm64: dts: renesas: r8a78000: Fix SCIF brg_int clocks",
                            "    - ARM: dts: renesas: genmai: Drop superfluous cells",
                            "    - ARM: dts: renesas: rskrza1: Drop superfluous cells",
                            "    - pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high",
                            "      pins during suspend/resume",
                            "    - pinctrl: renesas: rzg2l: Fix SMT register cache handling",
                            "    - pinctrl: meson: amlogic-a4: fix deadlock issue",
                            "    - pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615",
                            "    - kho: skip KHO for crash kernel",
                            "    - mm/memfd_luo: report error when restoring a folio fails mid-loop",
                            "    - HID: intel-thc-hid: Intel-quickspi: Fix some error codes",
                            "    - HID: uclogic: Fix regression of input name assignment",
                            "    - firmware: arm_ffa: Check for NULL FF-A ID table while driver",
                            "      registration",
                            "    - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure",
                            "    - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue",
                            "    - firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0",
                            "    - riscv: errata: Fix bitwise vs logical AND in MIPS errata patching",
                            "    - riscv: Fix register corruption from uninitialized cregs on error",
                            "    - riscv: mm: Fixup no5lvl failure when vaddr is invalid",
                            "    - kunit: config: Enable KUNIT_DEBUGFS by default",
                            "    - kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS",
                            "    - pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150",
                            "    - firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies",
                            "    - firmware: arm_ffa: Keep framework RX release under lock",
                            "    - firmware: arm_ffa: Validate framework notification message layout",
                            "    - firmware: arm_ffa: Align RxTx buffer size before mapping",
                            "    - firmware: arm_ffa: Snapshot notifier callbacks under lock",
                            "    - firmware: arm_ffa: Fix sched-recv callback partition lookup",
                            "    - ARM: integrator: Fix early initialization",
                            "    - ALSA: hda: cs35l56: Put ACPI device after setting companion",
                            "    - ALSA: hda: cs35l41: Put ACPI device on missing physical node",
                            "    - btrfs: tracepoints: fix sleep while in atomic context in",
                            "      btrfs_sync_file()",
                            "    - netfilter: x_tables: allow initial table replace without emitting audit",
                            "      log message",
                            "    - netfilter: x_tables: allocate hook ops while under mutex",
                            "    - netfilter: x_tables: unregister the templates first",
                            "    - netfilter: x_tables: add and use xt_unregister_table_pre_exit",
                            "    - netfilter: x_tables: add and use xtables_unregister_table_exit",
                            "    - netfilter: ebtables: move to two-stage removal scheme",
                            "    - netfilter: ebtables: close dangling table module init race",
                            "    - netfilter: x_tables: close dangling table module init race",
                            "    - netfilter: bridge: eb_tables: close module init race",
                            "    - netfilter: nf_conntrack_expect: restore helper propagation via",
                            "      expectation",
                            "    - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()",
                            "    - test_kprobes: clear kprobes between test runs",
                            "    - tcp: Fix imbalanced icsk_accept_queue count.",
                            "    - net: napi: Avoid gro timer misfiring at end of busypoll",
                            "    - net: shaper: Reject reparenting of existing nodes",
                            "    - idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
                            "    - ice: fix setting RSS VSI hash for E830",
                            "    - ice: fix locking in ice_dcb_rebuild()",
                            "    - ice: dpll: fix rclk pin state get for E810",
                            "    - ice: dpll: fix misplaced header macros",
                            "    - net: lan966x: avoid unregistering netdev on register failure",
                            "    - net: ti: icssm-prueth: fix eth_ports_node leak in probe",
                            "    - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register",
                            "      access",
                            "    - phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init()",
                            "    - NFSD: Fix infinite loop in layout state revocation",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC",
                            "    - fprobe: Fix unregister_fprobe() to wait for RCU grace period",
                            "    - fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap",
                            "    - fs: Fix return in jfs_mkdir and orangefs_mkdir",
                            "    - irqchip/ath79-cpu: Remove unused function",
                            "    - fs: fix forced iversion increment on lazytime timestamp updates",
                            "    - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter",
                            "      validation",
                            "    - nsfs: fix wrong error code returned for pidns ioctls",
                            "    - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT",
                            "    - nvme: fix bio leak on mapping failure",
                            "    - nvme-pci: fix use-after-free in nvme_free_host_mem()",
                            "    - zonefs: handle integer overflow in zonefs_fname_to_fno",
                            "    - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().",
                            "    - ASoC: SOF: amd: Fix error code handling in psp_send_cmd()",
                            "    - powerpc: 82xx: fix uninitialized pointers with free attribute",
                            "    - powerpc: fix dead default for GUEST_STATE_BUFFER_TEST",
                            "    - powerpc/hv-gpci: fix preempt count leak in sysfs show paths",
                            "    - netfs: Fix cancellation of a DIO and single read subrequests",
                            "    - netfs: Fix missing locking around retry adding new subreqs",
                            "    - netfs: Fix missing barriers when accessing stream->subrequests",
                            "      locklessly",
                            "    - netfs: Fix netfs_read_to_pagecache() to pause on subreq failure",
                            "    - netfs: Fix potential for tearing in ->remote_i_size and ->zero_point",
                            "    - netfs: Fix zeropoint update where i_size > remote_i_size",
                            "    - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call",
                            "    - netfs: Fix overrun check in netfs_extract_user_iter()",
                            "    - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes",
                            "      gone",
                            "    - netfs: Defer the emission of trace_netfs_folio()",
                            "    - netfs: Fix streaming write being overwritten",
                            "    - netfs: Fix potential deadlock in write-through mode",
                            "    - netfs: Fix read-gaps to remove netfs_folio from filled folio",
                            "    - netfs: Fix write streaming disablement if fd open O_RDWR",
                            "    - netfs: Fix early put of sink folio in netfs_read_gaps()",
                            "    - netfs: Fix leak of request in netfs_write_begin() error handling",
                            "    - netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()",
                            "    - netfs: Fix partial invalidation of streaming-write folio",
                            "    - netfs: Fix folio->private handling in netfs_perform_write()",
                            "    - netfs: Fix netfs_read_folio() to wait on writeback",
                            "    - netfs, afs: Fix write skipping in dir/link writepages",
                            "    - afs: Fix the locking used by afs_get_link()",
                            "    - net: ethernet: cortina: Make RX SKB per-port",
                            "    - net: ethernet: cortina: Drop half-assembled SKB",
                            "    - net: ethernet: cortina: Carry over frag counter",
                            "    - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference",
                            "    - wifi: ath11k: fix error path leaks in some WMI WOW calls",
                            "    - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()",
                            "    - wifi: ath10k: skip WMI and beacon transmission when device is wedged",
                            "    - net: shaper: flip the polarity of the valid flag",
                            "    - net: shaper: fix trivial ordering issue in net_shaper_commit()",
                            "    - net: shaper: reject duplicate leaves in GROUP request",
                            "    - net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit",
                            "    - net: shaper: fix undersized reply skb allocation in GROUP command",
                            "    - net: shaper: enforce singleton NETDEV scope with id 0",
                            "    - net: shaper: reject QUEUE scope handle with missing id",
                            "    - block: don't overwrite bip_vcnt in bio_integrity_copy_user()",
                            "    - block: recompute nr_integrity_segments in blk_insert_cloned_request",
                            "    - HID: quirks: really enable the intended work around for appledisplay",
                            "    - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()",
                            "    - accel/qaic: Add overflow check to remap_pfn_range during mmap",
                            "    - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint",
                            "    - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics",
                            "    - drm/msm/dpu: fix UV scanlines calculation for YUV UBWC formats",
                            "    - drm/msm/dpu: Fix Kaanapali CWB register configuration",
                            "    - drm/msm/dsi: don't dump registers past the mapped region",
                            "    - drm/msm/dpu: don't mix devm and drmm functions",
                            "    - block: rename struct gendisk zone_wplugs_lock field",
                            "    - block: allow submitting all zone writes from a single context",
                            "    - block: fix handling of dead zone write plugs",
                            "    - selftests: ublk: cap nthreads to kernel's actual nr_hw_queues",
                            "    - x86/mce: Restore MCA polling interval halving",
                            "    - Documentation: intel_pstate: Fix description of asymmetric packing with",
                            "      SMT",
                            "    - drm/msm: Fix GMEM_BASE for A650",
                            "    - drm/msm/a6xx: Add soft fuse detection support",
                            "    - drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()",
                            "    - drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx",
                            "    - drm/msm/a6xx: Restore sysprof_active",
                            "    - drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN",
                            "    - drm/msm/a6xx: Check kzalloc return in a8xx_hfi_send_perf_table",
                            "    - ASoC: intel: sof_sdw: Prepare for configuration without a jack",
                            "    - ASoC: sdw_utils: cs42l43: allow spk component names to be combined",
                            "    - ASoC: sdw_utils: Check speaker component string allocation",
                            "    - riscv: Docs: fix unmatched quote warning",
                            "    - powerpc/time: Remove redundant preempt_disable|enable() calls from",
                            "      arch_irq_work_raise()",
                            "    - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot",
                            "    - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring",
                            "    - net: tls: prevent chain-after-chain in plain text SG",
                            "    - net: phy: DP83TC811: add reading of abilities",
                            "    - ovpn: tcp - use cached peer pointer in ovpn_tcp_close()",
                            "    - ovpn: respect peer refcount in CMD_NEW_PEER error path",
                            "    - ovpn: fix race between deleting interface and adding new peer",
                            "    - cifs: client: stage smb3_reconfigure() updates and restore ctx on",
                            "      failure",
                            "    - phy: apple: atc: Fix typec switch/mux leak on unbind",
                            "    - gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE",
                            "    - x86/xen: Fix xen_e820_swap_entry_with_ram()",
                            "    - vfio/pci: Check BAR resources before exporting a DMABUF",
                            "    - ovpn: disable BHs when updating device stats",
                            "    - tls: Preserve sk_err across recvmsg() when data has been copied",
                            "    - net/mlx5: Do not restore destination-less TC rules",
                            "    - net/mlx5: Skip disabled vports when setting max TX speed",
                            "    - scsi: sd: Fix return code handling in sd_spinup_disk()",
                            "    - ASoC: codecs: fs210x: fix possible buffer overflow",
                            "    - iommupt: Directly call iommupt's unmap_range()",
                            "    - iommupt: Avoid rewalking during map",
                            "    - iommu: Fix loss of errno on map failure for classic ops",
                            "    - iommu: Fix up map/unmap debugging for iommupt domains",
                            "    - iommu: Handle unmap error when iommu_debug is enabled",
                            "    - iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap",
                            "    - iommupt: Fix the end_index calculation in __map_range_leaf()",
                            "    - ALSA: scarlett2: Add missing error check when initialise Autogain Status",
                            "    - ALSA: hda/ca0132: Disable auto-detect on manual output select",
                            "    - cachefiles: Fix error return when vfs_mkdir() fails",
                            "    - io_uring/net: punt IORING_OP_BIND async if it needs file create",
                            "    - vsock/virtio: fix zerocopy completion for multi-skb sends",
                            "    - btrfs: check for subvolume before deleting squota qgroup",
                            "    - btrfs: fix squota accounting during enable generation",
                            "    - ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging",
                            "    - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()",
                            "    - netfilter: nft_inner: release local_lock before re-enabling softirqs",
                            "    - ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5",
                            "    - drm/msm/snapshot: fix dumping of the unaligned regions",
                            "    - hwmon: (lm90) Stop work before releasing hwmon device",
                            "    - hwmon: (lm90) Add lock protection to lm90_alert",
                            "    - wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is",
                            "      disabled",
                            "    - wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it",
                            "    - dma-mapping: move dma_map_resource() sanity check into debug code",
                            "    - drm/gem: Make the GEM LRU lock part of drm_device",
                            "    - drm/xe/gsc: Fix double-free of managed BO in error path",
                            "    - drm/xe/vf: Fix signature of print functions",
                            "    - drm/xe/pf: Fix CFI failure in debugfs access",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019988906",
                            "    - drm/xe: Consolidate workaround entries for Wa_18033852989",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN1",
                            "    - drm/xe/tuning: Apply windower hardware filtering setting on Xe3 and Xe3p",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN4",
                            "    - wifi: ath11k: fix peer resolution on rx path when peer_id=0",
                            "    - wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing",
                            "    - drm/mediatek: mtk_hdmi_ddc_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_cec: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable",
                            "    - io_uring: propagate array_index_nospec opcode into req->opcode",
                            "    - srcu: Don't queue workqueue handlers to never-online CPUs",
                            "    - cgroup/rstat: validate cpu before css_rstat_cpu() access",
                            "    - net/mlx5e: xsk: Fix unlocked writing to ICOSQ",
                            "    - cifs: Fix undefined variables",
                            "    - ice: ptp: serialize E825 PHY timer start with PTP lock",
                            "    - ice: ptp: use primary NAC semaphore on E825",
                            "    - igc: set tx buffer type for SMD frames",
                            "    - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP",
                            "    - phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config",
                            "    - kbuild: pacman-pkg: make \"rc\" releases adhere to pacman versioning",
                            "      scheme",
                            "    - net: dsa: mt7530: fix FDB entries not aging out with short timeout",
                            "    - net: dsa: mt7530: preserve VLAN tags on trapped link-local frames",
                            "    - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer",
                            "    - platform/surface: aggregator_registry: omit battery & AC nodes on",
                            "      Surface Laptop 7",
                            "    - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL",
                            "    - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel_sar: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: uniwill-laptop: Properly initialize charging threshold",
                            "    - platform/x86: uniwill-laptop: Accept charging threshold of 0",
                            "    - platform/x86: uniwill-laptop: Fix behavior of \"force\" module param",
                            "    - platform/x86: asus-armoury: fix mini-LED mode get/set on MODE2 devices",
                            "    - ASoC: soc-utils: Add missing va_end in snd_soc_ret()",
                            "    - drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti (v2)",
                            "    - drm/amdgpu/vce1: Check that the GPU address is < 128 MiB",
                            "    - drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets",
                            "    - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port",
                            "    - RDMA/rtrs: Fix use-after-free in path file creation cleanup",
                            "    - bridge: mcast: Fix a possible use-after-free when removing a bridge port",
                            "    - net: phy: honor eee_disabled_modes in phy_support_eee()",
                            "    - net: phy: honor eee_disabled_modes in phy_advertise_eee_all()",
                            "    - net: airoha: Fix NPU RX DMA descriptor bits",
                            "    - pds_core: fix error handling in pdsc_devcmd_wait",
                            "    - pds_core: fix debugfs_lookup dentry leak and error handling",
                            "    - erofs: fix managed cache race for unaligned extents",
                            "    - erofs: harden h_shared_count in erofs_init_inode_xattrs()",
                            "    - erofs: fix metabuf leak in inode xattr initialization",
                            "    - wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs",
                            "    - wifi: mac80211: fix MLE defragmentation",
                            "    - wifi: mac80211: fix multi-link element inheritance",
                            "    - wifi: wilc1000: fix dma_buffer leak on bus acquire failure",
                            "    - ALSA: seq: Serialize UMP output teardown with event_input",
                            "    - cgroup: rstat: relax NMI guard after switch to try_cmpxchg",
                            "    - tracing: Avoid NULL return from hist_field_name() on truncation",
                            "    - Bluetooth: hci_sync: Fix not setting mask for",
                            "      HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE",
                            "    - Bluetooth: btintel_pcie: Fix incorrect MAC access programming",
                            "    - Bluetooth: btmtk: fix urb->setup_packet leak in error paths",
                            "    - udp: gso: Fix handling checksum in __udp_gso_segment",
                            "    - udp: Fix UDP length on last GSO_PARTIAL segment",
                            "    - net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA",
                            "    - net: shaper: annotate the data races",
                            "    - net: shaper: rework the VALID marking (again)",
                            "    - crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks",
                            "    - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg",
                            "    - net: ag71xx: check error for platform_get_irq",
                            "    - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx",
                            "    - tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction",
                            "    - net: stmmac: eswin: fix HSP CSR init ordering after clock enable",
                            "    - net: stmmac: eswin: clear TXD and RXD delay registers during",
                            "      initialization",
                            "    - net: stmmac: eswin: correct RGMII delay granularity to 20 ps",
                            "    - net: stmmac: eswin: validate RGMII delay values",
                            "    - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed",
                            "    - gpio: aggregator: fix a potential use-after-free",
                            "    - gpio: aggregator: stop using dev-sync-probe",
                            "    - gpio: aggregator: remove the software node when deactivating the",
                            "      aggregator",
                            "    - gpio: aggregator: lock device when calling device_is_bound()",
                            "    - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()",
                            "    - drm/xe/oa: Fix exec_queue leak on width check in stream open",
                            "    - ASoC: cs-amp-lib: Fix wrong sizeof() in",
                            "      _cs_amp_set_efi_calibration_data()",
                            "    - ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup()",
                            "    - selftests: net: Fix checksums in xdp_native",
                            "    - nvme-pci: fix dma_vecs leak on p2p memory",
                            "    - nvme-pci: fix dma mapping leak on data setup error",
                            "    - octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs",
                            "    - net: mana: validate rx_req_idx to prevent out-of-bounds array access",
                            "    - tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR",
                            "    - net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback",
                            "    - pds_core: ensure null-termination for firmware version strings",
                            "    - net: enetc: fix missing error code when pf->vf_state allocation fails",
                            "    - io_uring/nop: pass all errors to userspace",
                            "    - blk-mq: pop cached request if it is usable",
                            "    - ksmbd: fix durable reconnect error path file lifetime",
                            "    - LoongArch: kprobes: Fix handling of fatal unrecoverable recursions",
                            "    - block: avoid use-after-free in disk_free_zone_resources()",
                            "    - Documentation: laptops: Update documentation for uniwill laptops",
                            "    - platform/x86: uniwill-laptop: Do not enable the charging limit even when",
                            "      forced",
                            "    - drm/msm: Restore second parameter name in purge() and evict()",
                            "    - security/keys: fix missed RCU read section on lookup",
                            "    - Linux 7.0.11",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385)",
                            "    - blk-cgroup: wait for blkcg cleanup before initializing new disk",
                            "    - md: suppress spurious superblock update error message for dm-raid",
                            "    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
                            "    - fs/mbcache: cancel shrink work before destroying the cache",
                            "    - md/raid1: fix the comparing region of interval tree",
                            "    - fs: fix archiecture-specific compat_ftruncate64",
                            "    - drbd: Balance RCU calls in drbd_adm_dump_devices()",
                            "    - loop: fix partition scan race between udev and loop_reread_partitions()",
                            "    - block: fix zones_cond memory leak on zone revalidation error paths",
                            "    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()",
                            "    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()",
                            "    - pstore/ram: fix resource leak when ioremap() fails",
                            "    - erofs: include the trailing NUL in FS_IOC_GETFSLABEL",
                            "    - md: fix array_state=clear sysfs deadlock",
                            "    - ublk: reset per-IO canceled flag on each fetch",
                            "    - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()",
                            "    - erofs: handle 48-bit blocks/uniaddr for extra devices",
                            "    - md: remove unused static md_wq workqueue",
                            "    - md: wake raid456 reshape waiters before suspend",
                            "    - dcache: permit dynamic_dname()s up to NAME_MAX",
                            "    - btrfs: fix the inline compressed extent check in inode_need_compress()",
                            "    - btrfs: fix deadlock between reflink and transaction commit when using",
                            "      flushoncommit",
                            "    - btrfs: do not reject a valid running dev-replace",
                            "    - OPP: debugfs: Use performance level if available to distinguish between",
                            "      rates",
                            "    - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()",
                            "    - ACPI: x86: cmos_rtc: Clean up address space handler driver",
                            "    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver",
                            "    - devres: fix missing node debug info in devm_krealloc()",
                            "    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags",
                            "    - debugfs: check for NULL pointer in debugfs_create_str()",
                            "    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()",
                            "    - soundwire: debugfs: initialize firmware_file to empty string",
                            "    - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()",
                            "    - amd-pstate: Update cppc_req_cached in fast_switch case",
                            "    - cpufreq: Pass the policy to cpufreq_driver->adjust_perf()",
                            "    - PCI: use generic driver_override infrastructure",
                            "    - platform/wmi: use generic driver_override infrastructure",
                            "    - vdpa: use generic driver_override infrastructure",
                            "    - s390/cio: use generic driver_override infrastructure",
                            "    - s390/ap: use generic driver_override infrastructure",
                            "    - bus: fsl-mc: use generic driver_override infrastructure",
                            "    - locking/mutex: Rename mutex_init_lockep()",
                            "    - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC",
                            "    - irqchip/irq-pic32-evic: Address warning related to wrong printf()",
                            "      formatter",
                            "    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()",
                            "    - hrtimer: Reduce trace noise in hrtimer_start()",
                            "    - locking: Fix rwlock and spinlock lock context annotations",
                            "    - signal: Fix the lock_task_sighand() annotation",
                            "    - ww-mutex: Fix the ww_acquire_ctx function annotations",
                            "    - perf/amd/ibs: Account interrupt for discarded samples",
                            "    - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR",
                            "    - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler",
                            "    - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE",
                            "    - rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`",
                            "    - sparc64: vdso: Link with -z noexecstack",
                            "    - scripts/gdb: timerlist: Adapt to move of tk_core",
                            "    - locking: Fix rwlock support in <linux/spinlock_up.h>",
                            "    - sched/topology: Compute sd_weight considering cpuset partitions",
                            "    - x86/irqflags: Preemptively move include paravirt.h directive where it",
                            "      belongs",
                            "    - sched/topology: Fix sched_domain_span()",
                            "    - irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()",
                            "    - ASoC: Intel: avs: Check maximum valid CPUID leaf",
                            "    - ASoC: Intel: avs: Include CPUID header at file scope",
                            "    - x86/vdso: Clean up remnants of VDSO32_NOTE_MASK",
                            "    - firmware: dmi: Correct an indexing error in dmi.h",
                            "    - fs/resctrl: Report invalid domain ID when parsing io_alloc_cbm",
                            "    - sched: Make class_schedulers avoid pushing current, and get rid of",
                            "      proxy_tag_curr()",
                            "    - sched/rt: Skip group schedulable check with rt_group_sched=0",
                            "    - wifi: ath11k: fix memory leaks in beacon template setup",
                            "    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()",
                            "    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished",
                            "      irq_prepare_bcn_tasklet",
                            "    - bpf: test_run: Fix the null pointer dereference issue in",
                            "      bpf_lwt_xmit_push_encap",
                            "    - wifi: ath12k: account TX stats only when ACK/BA status is present",
                            "    - wifi: ath12k: Fix legacy rate mapping for monitor mode capture",
                            "    - selftests/bpf: Handle !CONFIG_SMC in bpf_smc.c",
                            "    - wifi: ieee80211: fix definition of EHT-MCS 15 in MRU",
                            "    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH",
                            "    - [Config] Disable CONFIG_FSL_DPAA2_SWITCH on armhf and ppc64el",
                            "    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n",
                            "    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments",
                            "    - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy",
                            "    - powerpc/64s: Fix unmap race with PMD migration entries",
                            "    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n",
                            "    - wifi: libertas: use USB anchors for tracking in-flight URBs",
                            "    - wifi: libertas: don't kill URBs in interrupt context",
                            "    - bpf: Do not allow deleting local storage in NMI",
                            "    - selftests/nolibc: fix test_file_stream() on musl libc",
                            "    - selftests/nolibc: Fix build with host headers and libc",
                            "    - tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to",
                            "      'outbuf[]'",
                            "    - tools/nolibc/printf: Move snprintf length check to callback",
                            "    - tools/nolibc: MIPS: fix clobbers of 'lo' and 'hi' registers on different",
                            "      ISAs",
                            "    - tools/nolibc: avoid -Wundef warning for __STDC_VERSION__",
                            "    - wifi: mt76: mt7996: fix the behavior of radar detection",
                            "    - wifi: mt76: mt7996: fix iface combination for different chipsets",
                            "    - wifi: mt76: mt7996: Set mtxq->wcid just for primary link",
                            "    - wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in",
                            "      mt7996_vif_link_remove()",
                            "    - wifi: mt76: mt7996: Switch to the secondary link if the default one is",
                            "      removed",
                            "    - wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()",
                            "    - wifi: mt76: mt7996: Reset ampdu_state state in case of failure in",
                            "      mt7996_tx_check_aggr()",
                            "    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in",
                            "      mt76_connac2_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control",
                            "    - wifi: mt76: mt7615: fix use_cts_prot support",
                            "    - wifi: mt76: mt7915: fix use_cts_prot support",
                            "    - wifi: mt76: mt7925: prevent NULL pointer dereference in",
                            "      mt7925_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: prevent NULL vif dereference in",
                            "      mt7925_mac_write_txwi",
                            "    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor",
                            "    - wifi: mt76: mt7921: Place upper limit on station AID",
                            "    - wifi: mt76: Fix memory leak destroying device",
                            "    - wifi: mt76: mt7996: Fix NPU stop procedure",
                            "    - wifi: mt76: npu: Add missing rx_token_size initialization",
                            "    - wifi: mt76: mt7925: drop puncturing handling from BSS change path",
                            "    - wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync",
                            "    - wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()",
                            "    - wifi: mt76: mt7925: fix tx power setting failure after chip reset",
                            "    - wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync",
                            "    - wifi: mt76: fix deadlock in remain-on-channel",
                            "    - wifi: mt76: fix backoff fields and max_power calculation",
                            "    - arm64: cpufeature: Make PMUVer and PerfMon unsigned",
                            "    - bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI",
                            "    - wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP",
                            "    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event",
                            "    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()",
                            "    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()",
                            "    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection",
                            "    - wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property",
                            "    - wifi: mt76: mt7996: Remove link pointer dependency in",
                            "      mt7996_mac_sta_remove_links()",
                            "    - wifi: mt76: mt7996: Decrement sta counter removing the link in",
                            "      mt7996_mac_reset_sta_iter()",
                            "    - wifi: mt76: fix multi-radio on-channel scanning",
                            "    - wifi: mt76: support upgrading passive scans to active",
                            "    - wifi: mt76: mt7996: fix RRO EMU configuration",
                            "    - bpf: Fix refcount check in check_struct_ops_btf_id()",
                            "    - selftests/bpf: Fix sockmap_multi_channels reliability",
                            "    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
                            "    - bpf: Fix variable length stack write over spilled pointers",
                            "    - arm_mpam: Ensure in_reset_state is false after applying configuration",
                            "    - arm_mpam: Reset when feature configuration bit unset",
                            "    - bpf,arc_jit: Fix missing newline in pr_err messages",
                            "    - wifi: rtw89: phy: fix uninitialized variable access in",
                            "      rtw89_phy_cfo_set_crystal_cap()",
                            "    - drivers/vfio_pci_core: Change PXD_ORDER check from switch case to",
                            "      if/else block",
                            "    - r8152: fix incorrect register write to USB_UPHY_XTAL",
                            "    - selftests/tracing: Fix to make --logdir option work again",
                            "    - selftests/tracing: Fix to check awk supports non POSIX strtonum()",
                            "    - powerpc/crash: fix backup region offset update to elfcorehdr",
                            "    - powerpc/crash: Update backup region offset in elfcorehdr on memory",
                            "      hotplug",
                            "    - bpf: Fix abuse of kprobe_write_ctx via freplace",
                            "    - macvlan: annotate data-races around port->bc_queue_len_used",
                            "    - bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK",
                            "    - bpf: Fix stale offload->prog pointer after constant blinding",
                            "    - net: ethernet: ti-cpsw:: rename soft_reset() function",
                            "    - net: ethernet: ti-cpsw: fix linking built-in code to modules",
                            "    - wifi: brcmfmac: Fix error pointer dereference",
                            "    - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()",
                            "    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable",
                            "      hooks",
                            "    - bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes",
                            "    - wifi: ath10k: fix station lookup failure during disconnect",
                            "    - bpf: Fix linked reg delta tracking when src_reg == dst_reg",
                            "    - net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT",
                            "    - net: plumb drop reasons to __dev_queue_xmit()",
                            "    - net: qdisc_pkt_len_segs_init() cleanup",
                            "    - net: pull headers in qdisc_pkt_len_segs_init()",
                            "    - arm64: entry: Don't preempt with SError or Debug masked",
                            "    - ACPI: AGDI: fix missing newline in error message",
                            "    - arm64: kexec: Remove duplicate allocation for trans_pgd",
                            "    - bpf: Propagate error from visit_tailcall_insn",
                            "    - bpf: Fix ld_{abs,ind} failure path analysis in subprogs",
                            "    - bpf: Remove static qualifier from local subprog pointer",
                            "    - mptcp: better mptcp-level RTT estimator",
                            "    - bpf: Fix use-after-free in offloaded map/prog info fill",
                            "    - macsec: Support VLAN-filtering lower devices",
                            "    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb",
                            "    - net: bcmgenet: fix leaking free_bds",
                            "    - net: bcmgenet: fix racing timeout handler",
                            "    - net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()",
                            "    - eth: fbnic: Use wake instead of start",
                            "    - netfilter: xt_socket: enable defrag after all other checks",
                            "    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding",
                            "    - bpf: fix mm lifecycle in open-coded task_vma iterator",
                            "    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks",
                            "    - bpf: return VMA snapshot from task_vma iterator",
                            "    - bpf: Fix RCU stall in bpf_fd_array_map_clear()",
                            "    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf",
                            "    - net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available",
                            "    - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars",
                            "    - selftests/bpf: fix __jited_unpriv tag name",
                            "    - net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
                            "    - net/sched: act_ct: Only release RCU read lock after ct_ft",
                            "    - selftests: netfilter: nft_tproxy.sh: adjust to socat changes",
                            "    - net: mana: Use pci_name() for debugfs directory naming",
                            "    - net: mana: Move current_speed debugfs file to mana_init_port()",
                            "    - net: airoha: Add missing RX_CPU_IDX() configuration in",
                            "      airoha_qdma_cleanup_rx_queue()",
                            "    - net_sched: fix skb memory leak in deferred qdisc drops",
                            "    - bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
                            "    - bpf: Allow instructions with arena source and non-arena dest registers",
                            "    - selftests/bpf: Fix reg_bounds to match new tnum-based refinement",
                            "    - net/rds: Optimize rds_ib_laddr_check",
                            "    - net/rds: Restrict use of RDS/IB to the initial network namespace",
                            "    - bpf: Fix OOB in pcpu_init_value",
                            "    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls",
                            "    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG",
                            "    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+",
                            "    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110",
                            "    - net: phy: fix a return path in get_phy_c45_ids()",
                            "    - net/mlx5e: Fix features not applied during netdev registration",
                            "    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()",
                            "    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers",
                            "    - net: fix skb_ext_total_length() BUILD_BUG_ON with",
                            "      CONFIG_GCOV_PROFILE_ALL",
                            "    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb",
                            "    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds",
                            "      MTU",
                            "    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error",
                            "    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
                            "    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp",
                            "    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to",
                            "      sco_pi(sk)->codec",
                            "    - net: phy: qcom: at803x: Use the correct bit to disable extended next",
                            "      page",
                            "    - udp: Force compute_score to always inline",
                            "    - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().",
                            "    - sctp: fix missing encap_port propagation for GSO fragments",
                            "    - sctp: disable BH before calling udp_tunnel_xmit_skb()",
                            "    - selftests/namespaces: remove unused utils.h include from",
                            "      listns_efault_test",
                            "    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master",
                            "    - net: airoha: Fix VIP configuration for AN7583 SoC",
                            "    - net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()",
                            "    - drm/panel: ilitek-ili9882t: Select DRM_DISPLAY_DSC_HELPER",
                            "    - selftests/futex: Fix incorrect result reporting of futex_requeue test",
                            "      item",
                            "    - drm/komeda: fix integer overflow in AFBC framebuffer size check",
                            "    - dma-fence: Fix sparse warnings due __rcu annotations",
                            "    - drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()",
                            "    - drm/virtio: Allow importing prime buffers when 3D is enabled",
                            "    - ASoC: soc-compress: use function to clear symmetric params",
                            "    - PCI/TPH: Allow TPH enable for RCiEPs",
                            "    - PCI: endpoint: pci-epf-vntb: Fix MSI doorbell IRQ unwind",
                            "    - PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested",
                            "    - PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc",
                            "    - drm/sun4i: mixer: Fix layer init code",
                            "    - drm/sun4i: backend: fix error pointer dereference",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019877138",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019386621",
                            "    - drm/xe/xe2_hpg: Drop invalid workaround Wa_15010599737",
                            "    - gpu: nova-core: gsp: use empty slices instead of [0..0] ranges",
                            "    - gpu: nova-core: gsp: fix improper handling of empty slot in cmdq",
                            "    - drm/amdkfd: Removed commented line for MQD queue priority",
                            "    - PCI: imx6: Fix device node reference leak in imx_pcie_probe()",
                            "    - crypto: inside-secure/eip93 - fix register definition",
                            "    - ASoC: sti: Return errors from regmap_field_alloc()",
                            "    - ASoC: sti: use managed regmap_field allocations",
                            "    - dm cache: fix null-deref with concurrent writes in passthrough mode",
                            "    - dm cache: fix write path cache coherency in passthrough mode",
                            "    - dm cache: fix write hang in passthrough mode",
                            "    - dm cache policy smq: fix missing locks in invalidating cache blocks",
                            "    - dm cache: fix concurrent write failure in passthrough mode",
                            "    - dm cache: fix dirty mapping checking in passthrough mode switching",
                            "    - dm-mpath: don't stop probing paths at presuspend",
                            "    - drm/amd/ras: Fix type size of remainder argument",
                            "    - dt-bindings: mmc: dwcmshc-sdhci: Fix resets array validation",
                            "    - drm/amdgpu: GFX12.1 scratch memory limit up to 57-bit",
                            "    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove",
                            "    - gpu: nova-core: use checked arithmetic in FWSEC firmware parsing",
                            "    - gpu: nova-core: create falcon firmware DMA objects lazily",
                            "    - gpu: nova-core: falcon: rename load parameters to reflect DMA dependency",
                            "    - gpu: nova-core: firmware: fix and explain v2 header offsets computations",
                            "    - PCI: dwc: ep: Fix MSI-X Table Size configuration in",
                            "      dw_pcie_ep_set_msix()",
                            "    - PCI: dwc: ep: Mirror the max link width and speed fields to all",
                            "      functions",
                            "    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()",
                            "    - dm cache metadata: fix memory leak on metadata abort retry",
                            "    - dm log: fix out-of-bounds write due to region_count overflow",
                            "    - iopoll: fix function parameter names in read_poll_timeout_atomic()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier",
                            "      in atomic_enable()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to",
                            "      drm_bridge_funcs",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge",
                            "      atomic check",
                            "    - spi: nxp-xspi: Use reinit_completion() for repeated operations",
                            "    - spi: nxp-fspi: Use reinit_completion() for repeated operations",
                            "    - spi: fsl-qspi: Use reinit_completion() for repeated operations",
                            "    - spi: axiado: Remove redundant pm_runtime_mark_last_busy() call",
                            "    - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe",
                            "    - media: synopsys: VIDEO_DW_MIPI_CSI2RX should depend on ARCH_ROCKCHIP",
                            "    - [Config] VIDEO_DW_MIPI_CSI2RX depends on ARCH_ROCKCHIP",
                            "    - drm/amd/pm: Fix xgmi max speed reporting",
                            "    - spi: atcspi200: fix mutex initialization order",
                            "    - selftests/sched_ext: Add missing error check for exit__load()",
                            "    - drm/v3d: Handle error from drm_sched_entity_init()",
                            "    - drm/sun4i: Fix resource leaks",
                            "    - crypto: inside-secure/eip93 - register hash before authenc algorithms",
                            "    - PCI: rzg3s-host: Fix reset handling in probe error path",
                            "    - PCI: rzg3s-host: Reorder reset assertion during suspend",
                            "    - dt-bindings: PCI: renesas,r9a08g045s33-pcie: Fix naming properties",
                            "    - iommu/riscv: Add IOTINVAL after updating DDT/PDT entries",
                            "    - iommu/riscv: Skip IRQ count check when using MSI interrupts",
                            "    - iommu/riscv: Add missing GENERIC_MSI_IRQ",
                            "    - iommu/riscv: Stop polling when CQCSR reports an error",
                            "    - drm/amdkfd: Update queue properties for metadata ring",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()",
                            "    - drm/amdgpu: Add default case in DVI mode validation",
                            "    - regulator: dt-bindings: fp9931: Make vin-supply property as required",
                            "    - regulator: fp9931: Fix handling of mandatory \"vin\" supply",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()",
                            "    - drm/amdgpu: Drop redundant queue NULL check in hang detect worker",
                            "    - drm/amdgpu: Remove dead negative offset check in",
                            "      amdgpu_virt_init_critical_region()",
                            "    - dm init: ensure device probing has finished in dm-mod.waitfor=",
                            "    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build",
                            "      break",
                            "    - crypto: simd - reject compat registrations without __ prefixes",
                            "    - crypto: tegra - Disable softirqs before finalizing request",
                            "    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs",
                            "    - padata: Remove cpu online check from cpu add and removal",
                            "    - padata: Put CPU offline callback in ONLINE section to allow failure",
                            "    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the",
                            "      documentation",
                            "    - accel/amdxdna: fix missing newline in pr_err message",
                            "    - drm/amd/ras: Remove redundant NULL check in pending bad-bank list",
                            "      iteration",
                            "    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority",
                            "    - drm/amdgpu/gfx11: look at the right prop for gfx queue priority",
                            "    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo",
                            "    - PCI: sky1: Fix missing cleanup of ECAM config on probe failure",
                            "    - drm/imagination: Switch reset_reason fields from enum to u32",
                            "    - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()",
                            "    - iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement",
                            "    - drm/msm: add missing MODULE_DEVICE_ID definitions",
                            "    - drm/msm/dpu: fix mismatch between power and frequency",
                            "    - drm/msm/dsi: add the missing parameter description",
                            "    - drm/msm/dpu: don't try using 2 LMs if only one DSC is available",
                            "    - drm/msm/dsi: fix bits_per_pclk",
                            "    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel",
                            "    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0",
                            "    - ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode",
                            "    - tools/sched_ext: scx_pair: fix pair_ctx indexing for CPU pairs",
                            "    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first",
                            "    - drm/panel: simple: Correct G190EAN01 prepare timing",
                            "    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion",
                            "      support",
                            "    - PCI: Prevent shrinking bridge window from its required size",
                            "    - PCI: Fix premature removal from realloc_head list during resource",
                            "      assignment",
                            "    - crypto: hisilicon/sec2 - prevent req used-after-free for sec",
                            "    - PCI: Fix alignment calculation for resource size larger than align",
                            "    - iommu/riscv: Fix signedness bug",
                            "    - ALSA: core: Validate compress device numbers without dynamic minors",
                            "    - drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths",
                            "    - ASoC: amd: acp: update dmic_num logic for acp pdm dmic",
                            "    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled",
                            "    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs",
                            "    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock",
                            "    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0",
                            "    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels",
                            "    - drm/amd/pm/ci: Fill DW8 fields from SMC",
                            "    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board",
                            "    - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled",
                            "    - PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors",
                            "    - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback",
                            "    - ALSA: hda/realtek: fix bad indentation for alc269",
                            "    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace",
                            "      '}')",
                            "    - ASoC: SOF: Intel: hda: Place check before dereference",
                            "    - drm/msm/vma: Avoid lock in VM_BIND fence signaling path",
                            "    - drm/msm/a6xx: Add missing aperture_lock init",
                            "    - drm/msm: Reject fb creation from _NO_SHARE objs",
                            "    - drm/msm: Fix VM_BIND UNMAP locking",
                            "    - drm/msm/a6xx: Fix HLSQ register dumping",
                            "    - drm/msm/shrinker: Fix can_block() logic",
                            "    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks",
                            "    - drm/msm/a6xx: Use barriers while updating HFI Q headers",
                            "    - drm/msm/a8xx: Fix the ticks used in submit traces",
                            "    - drm/msm/a6xx: Switch to preemption safe AO counter",
                            "    - drm/msm/a6xx: Correct OOB usage",
                            "    - drm/msm/adreno: Implement gx_is_on() for A8x",
                            "    - drm/msm/a6xx: Fix gpu init from secure world",
                            "    - ALSA: hda/cmedia: Remove duplicate pin configuration parsing",
                            "    - pmdomain: ti: omap_prm: Fix a reference leak on device node",
                            "    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()",
                            "    - PM: domains: De-constify fields in struct dev_pm_domain_attach_data",
                            "    - drm/msm/dpu: drop INTF_0 on MSM8953",
                            "    - ASoC: fsl_micfil: Add access property for \"VAD Detected\"",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_range_set()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()",
                            "    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()",
                            "    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()",
                            "    - ASoC: fsl_easrc: Change the type for iec958 channel status controls",
                            "    - iommu/amd: Fix clone_alias() to use the original device's devid",
                            "    - iommu/riscv: Remove overflows on the invalidation path",
                            "    - ASoC: qcom: qdsp6: topology: check widget type before accessing data",
                            "    - PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value",
                            "    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off",
                            "    - crypto: qat - disable 420xx AE cluster when lead engine is fused off",
                            "    - crypto: qat - fix compression instance leak",
                            "    - crypto: qat - fix type mismatch in RAS sysfs show functions",
                            "    - crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()",
                            "    - crypto: qat - use swab32 macro",
                            "    - ALSA: hda: Notify IEC958 Default PCM switch state changes",
                            "    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]",
                            "    - PCI: Enable AtomicOps only if Root Port supports them",
                            "    - PCI: imx6: Keep Root Port MSI capability with iMSI-RX to work around",
                            "      hardware bug",
                            "    - PCI: aspeed: Fix IRQ domain leak on platform_get_irq() failure",
                            "    - dt-bindings: PCI: imx6q-pcie: Fix maxItems of clocks and clock-names",
                            "    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found",
                            "    - gpu: nova-core: bitfield: fix broken Default implementation",
                            "    - selftests/mm: skip migration tests if NUMA is unavailable",
                            "    - Documentation: fix a hugetlbfs reservation statement",
                            "    - Docs/admin-guide/mm/damn/lru_sort: fix intervals autotune parameter name",
                            "    - Docs/mm/damon/index: fix typo: autoamted -> automated",
                            "    - zram: do not permit params change after init",
                            "    - selftest: memcg: skip memcg_sock test if address family not supported",
                            "    - gpu: nova-core: remove redundant `.as_ref()` for `dev_*` print",
                            "    - gpu: nova-core: fix missing colon in SEC2 boot debug message",
                            "    - ALSA: scarlett2: Add missing sentinel initializer field",
                            "    - ASoC: qcom: audioreach: explicitly enable speaker protection modules",
                            "    - ASoC: SOF: compress: return the configured codec from get_params",
                            "    - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports",
                            "    - tools/sched_ext: Fix off-by-one in scx_sdt payload zeroing",
                            "    - ASoC: soc-component: re-add pcm_new()/pcm_free()",
                            "    - ASoC: amd: name back to pcm_new()/pcm_free()",
                            "    - ASoC: amd: ps: fix the pcm device numbering for acp pdm dmic",
                            "    - ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream",
                            "    - PCI: tegra194: Fix polling delay for L2 state",
                            "    - PCI: tegra194: Increase LTSSM poll time on surprise link down",
                            "    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link",
                            "      down",
                            "    - PCI: tegra194: Don't force the device into the D0 state before L2",
                            "    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode",
                            "    - PCI: tegra194: Use devm_gpiod_get_optional() to parse \"nvidia,refclk-",
                            "      select\"",
                            "    - PCI: tegra194: Disable direct speed change for Endpoint mode",
                            "    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint",
                            "      mode",
                            "    - PCI: tegra194: Allow system suspend when the Endpoint link is not up",
                            "    - PCI: tegra194: Free up Endpoint resources during remove()",
                            "    - PCI: tegra194: Use DWC IP core version",
                            "    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well",
                            "    - PCI: tegra194: Disable L1.2 capability of Tegra234 EP",
                            "    - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on",
                            "    - drm/fb-helper: Fix a locking bug in an error path",
                            "    - PCI: cadence: Add flags for disabling ASPM capability for broken Root",
                            "      Ports",
                            "    - PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root Ports",
                            "    - ASoC: SDCA: Fix cleanup inversion in class driver",
                            "    - spi: rzv2h-rspi: Fix invalid SPR=0/BRDV=0 clock configuration",
                            "    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()",
                            "      callback",
                            "    - ALSA: sc6000: Keep the programmed board state in card-private data",
                            "    - dm cache: fix missing return in invalidate_committed's error path",
                            "    - sched_ext: Track @p's rq lock across set_cpus_allowed_scx ->",
                            "      ops.set_cpumask",
                            "    - sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking",
                            "    - spi: cadence-qspi: Revert the filtering of certain opcodes in ODTR",
                            "    - crypto: jitterentropy - replace long-held spinlock with mutex",
                            "    - ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP",
                            "    - ALSA: hda/realtek - fixed speaker no sound update",
                            "    - gfs2: Call unlock_new_inode before d_instantiate",
                            "    - fanotify: avoid/silence premature LSM capability checks",
                            "    - fanotify: call fanotify_events_supported() before path_permission() and",
                            "      security_path_notify()",
                            "    - fuse: fix uninit-value in fuse_dentry_revalidate()",
                            "    - ktest: Avoid undef warning when WARNINGS_FILE is unset",
                            "    - ktest: Honor empty per-test option overrides",
                            "    - ktest: Run POST_KTEST hooks on failure and cancellation",
                            "    - vfio: selftests: fix crash in vfio_dma_mapping_mmio_test",
                            "    - rtla/utils: Fix resource leak in set_comm_sched_attr()",
                            "    - tools/rtla: Generate optstring from long options",
                            "    - rtla: Fix segfault on multiple SIGINTs",
                            "    - vfio: selftests: Build tests on aarch64",
                            "    - gfs2: less aggressive low-memory log flushing",
                            "    - quota: Fix race of dquot_scan_active() with quota deactivation",
                            "    - vfio: unhide vdev->debug_root",
                            "    - gfs2: add some missing log locking",
                            "    - gfs2: prevent NULL pointer dereference during unmount",
                            "    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation",
                            "    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
                            "    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon",
                            "    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible",
                            "    - memory: tegra124-emc: Fix dll_change check",
                            "    - memory: tegra30-emc: Fix dll_change check",
                            "    - arm64: dts: imx8-apalis: Fix LEDs name collision",
                            "    - arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD",
                            "    - riscv: dts: spacemit: pcie: fix missing power regulator",
                            "    - arm64: dts: mediatek: mt7988a-bpi-r4pro: fix model string",
                            "    - arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config",
                            "    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO",
                            "      (M.2 W_DISABLE1)",
                            "    - iommufd: vfio compatibility extension check for noiommu mode",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges",
                            "    - arm64: dts: qcom: qcs6490-rubikpi3: Use lt9611 DSI Port B",
                            "    - arm64: dts: qcom: talos: Add missing clock-names to GCC",
                            "    - arm64: dts: ti: k3-am62l: include WKUP_UART0 in wakeup peripheral window",
                            "    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count",
                            "    - iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}",
                            "    - arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices",
                            "    - arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC",
                            "      eval carrier",
                            "    - arm64: dts: imx8mp-hummingboard-pulse/cubox-m: fix vmmc gpio polarity",
                            "    - arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference",
                            "    - ARM: dts: BCM5301X: Drop extra NAND controller compatible",
                            "    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8937-xiaomi-land: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight",
                            "    - firmware: qcom_scm: don't opencode kmemdup",
                            "    - soc: qcom: ubwc: disable bank swizzling for Glymur platform",
                            "    - arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi",
                            "    - Revert \"arm64: dts: rockchip: add SPDIF audio to Beelink A1\"",
                            "    - arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace",
                            "    - arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace",
                            "    - soc: qcom: ocmem: make the core clock optional",
                            "    - soc: qcom: ocmem: register reasons for probe deferrals",
                            "    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available",
                            "    - riscv: dts: spacemit: drop incorrect pinctrl for combo PHY",
                            "    - arm64: dts: rockchip: Fix RK3562 EVB2 model name",
                            "    - arm64: dts: rockchip: Add mphy reset to ufshc node",
                            "    - bus: rifsc: fix RIF configuration check for peripherals",
                            "    - arm64: dts: qcom: arduino-imola: fix faulty spidev node",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: add missing denali-oled.dtb to",
                            "      Makefile\"",
                            "    - arm64: dts: qcom: add missing denali-oled.dtb to Makefile",
                            "    - arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: lemans: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: monaco: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8750: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: kaanapali: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: milos: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8750: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller",
                            "    - arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl",
                            "    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered",
                            "      during boot",
                            "    - arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader",
                            "    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62l3-evm: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins",
                            "    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label",
                            "    - arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS",
                            "      muxing",
                            "    - arm64: dts: imx91: Remove TMU's superfluous sensor ID",
                            "    - arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC",
                            "    - arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3",
                            "    - arm64: dts: imx8mp-evk: Specify ADV7535 register addresses",
                            "    - arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit",
                            "    - arm64: dts: lx2160a: remove duplicate pinmux nodes",
                            "    - arm64: dts: lx2160a: rename pinmux nodes for readability",
                            "    - arm64: dts: lx2160a: add sda gpio references for i2c bus recovery",
                            "    - arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes",
                            "    - arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word",
                            "    - arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual",
                            "    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual",
                            "    - soc/tegra: cbb: Set ERD on resume for err interrupt",
                            "    - soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables",
                            "    - soc/tegra: cbb: Fix cross-fabric target timeout lookup",
                            "    - arm64: tegra: Fix RTC aliases",
                            "    - soc/tegra: pmc: Add kerneldoc for reboot notifier",
                            "    - soc/tegra: pmc: Correct function names in kerneldoc",
                            "    - soc/tegra: pmc: Add kerneldoc for wake-up variables",
                            "    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()",
                            "      failure",
                            "    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()",
                            "    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison",
                            "    - soc: qcom: llcc: fix v1 SB syndrome register offset",
                            "    - soc: qcom: aoss: compare against normalized cooling state",
                            "    - arm64: dts: qcom: milos: Add missing CX power domain to GCC",
                            "    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP",
                            "    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX",
                            "    - arm64/xor: fix conflicting attributes for xor_block_template",
                            "    - lib: kunit_iov_iter: fix memory leaks",
                            "    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended",
                            "    - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP",
                            "    - fwctl: Fix class init ordering to avoid NULL pointer dereference on",
                            "      device removal",
                            "    - ocfs2: fix listxattr handling when the buffer is full",
                            "    - ocfs2: validate bg_bits during freefrag scan",
                            "    - ocfs2: validate group add input before caching",
                            "    - dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis",
                            "    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void",
                            "      function",
                            "    - phy: apple: apple: Use local variable for ioremap return value",
                            "    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()",
                            "    - soundwire: Intel: test bus.bpt_stream before assigning it",
                            "    - dmaengine: mxs-dma: Fix missing return value from",
                            "      of_dma_controller_register()",
                            "    - soundwire: cadence: Clear message complete before signaling waiting",
                            "      thread",
                            "    - tracing: move __printf() attribute on __ftrace_vbprintk()",
                            "    - tracing: Rebuild full_name on each hist_field_name() call",
                            "    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC",
                            "    - [Config] Enable CONFIG_HTE_TEGRA194 on armhf",
                            "    - remoteproc: xlnx: Fix sram property parsing",
                            "    - stop_machine: Fix the documentation for a NULL cpus argument",
                            "    - remoteproc: imx_rproc: Check return value of regmap_attach_dev() in",
                            "      imx_rproc_mmio_detect_mode()",
                            "    - ima: check return value of crypto_shash_final() in boot aggregate",
                            "    - HID: asus: make asus_resume adhere to linux kernel coding standards",
                            "    - HID: asus: do not abort probe when not necessary",
                            "    - workqueue: devres: Add device-managed allocate workqueue",
                            "    - power: supply: max77705: Drop duplicated IRQ error message",
                            "    - power: supply: max77705: Free allocated workqueue and fix removal order",
                            "    - mtd: physmap_of_gemini: Fix disabled pinctrl state check",
                            "    - ima_fs: Correctly create securityfs files for unsupported hash algos",
                            "    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range",
                            "    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read",
                            "      operations",
                            "    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation",
                            "    - mtd: spi-nor: micron-st: add SNOR_CMD_PP_8_8_8_DTR sfdp fixup for",
                            "      mt35xu512aba",
                            "    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask",
                            "    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path",
                            "    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions",
                            "    - cxl/pci: Check memdev driver binding status in cxl_reset_done()",
                            "    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob",
                            "    - mtd: spinand: winbond: Clarify when to enable the HS bit",
                            "    - HID: usbhid: fix deadlock in hid_post_reset()",
                            "    - ext4: fix miss unlock 'sb->s_umount' in extents_kunit_init()",
                            "    - ext4: call deactivate_super() in extents_kunit_exit()",
                            "    - ext4: fix the error handling process in extents_kunit_init).",
                            "    - ext4: fix possible null-ptr-deref in extents_kunit_exit()",
                            "    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()",
                            "    - bpf, arm64: Reject out-of-range B.cond targets",
                            "    - bpf, arm64: Fix off-by-one in check_imm signed range check",
                            "    - bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, sockmap: Fix af_unix iter deadlock",
                            "    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update",
                            "    - bpf, sockmap: Take state lock for af_unix iter",
                            "    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check",
                            "    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs",
                            "    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()",
                            "    - libbpf: Prevent double close and leak of btf objects",
                            "    - bpf: Validate node_id in arena_alloc_pages()",
                            "    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - dt-bindings: pinctrl: marvell,armada3710-xb-pinctrl: add missing items",
                            "      keyword",
                            "    - pinctrl: pinctrl-pic32: Fix resource leak",
                            "    - perf trace: Avoid an ERR_PTR in syscall_stats",
                            "    - pinctrl: microchip-mssio: Fix missing return in probe",
                            "    - perf test type profiling: Remote typedef on struct",
                            "    - pinctrl: cy8c95x0: remove duplicate error message",
                            "    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()",
                            "    - pinctrl: cy8c95x0: Avoid returning positive values to user space",
                            "    - perf branch: Avoid incrementing NULL",
                            "    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE",
                            "      trace",
                            "    - pinctrl: pinconf-generic: Fully validate 'pinmux' property",
                            "    - pinctrl: realtek: Fix function signature for config argument",
                            "    - pinctrl: abx500: Fix type of 'argument' variable",
                            "    - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT}",
                            "      registers",
                            "    - tools build: Correct link flags for libopenssl",
                            "    - perf lock: Fix option value type in parse_max_stack",
                            "    - perf stat: Fix opt->value type for parse_cache_level",
                            "    - memblock: reserve_mem: fix end caclulation in",
                            "      reserve_mem_release_by_name()",
                            "    - perf stat: Fix crash on arm64",
                            "    - perf tools: Fix module symbol resolution for non-zero .text sh_addr",
                            "    - perf test: Fix ratio_to_prev event parsing test",
                            "    - perf test: Skip perf data type profiling tests for s390",
                            "    - perf expr: Return -EINVAL for syntax error in expr__find_ids()",
                            "    - perf metrics: Make common stalled metrics conditional on having the",
                            "      event",
                            "    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure",
                            "    - ipmi: ssif_bmc: fix message desynchronization after truncated response",
                            "    - ipmi: ssif_bmc: change log level to dbg in irq callback",
                            "    - perf cgroup: Update metric leader in evlist__expand_cgroup",
                            "    - pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description",
                            "    - pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description",
                            "    - perf maps: Fix fixup_overlap_and_insert that can break sorted by name",
                            "      order",
                            "    - perf maps: Fix copy_from that can break sorted by name order",
                            "    - perf util: Kill die() prototype, dead for a long time",
                            "    - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback",
                            "    - i3c: master: dw-i3c: Balance PM runtime usage count on probe failure",
                            "    - i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()",
                            "    - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()",
                            "    - i3c: master: adi: Fix error propagation for CCCs",
                            "    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status",
                            "    - fs/ntfs3: prevent uninitialized lcn caused by zero len",
                            "    - backlight: sky81452-backlight: Check return value of",
                            "      devm_gpiod_get_optional() in sky81452_bl_parse_dt()",
                            "    - platform/surface: surfacepro3_button: Drop wakeup source on remove",
                            "    - leds: lgm-sso: Remove duplicate assignments for priv->mmap",
                            "    - usb: typec: Fix error pointer dereference",
                            "    - tty: hvc_iucv: fix off-by-one in number of supported devices",
                            "    - usb: typec: ps883x: Fix Oops at unbind",
                            "    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and",
                            "      cleanup",
                            "    - platform/x86: barco-p50-gpio: normalize return value of gpio_get",
                            "    - fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()",
                            "    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()",
                            "    - nfs/blocklayout: Fix compilation error (`make W=1`) in",
                            "      bl_write_pagelist()",
                            "    - sunrpc: Kill RPC_IFDEBUG()",
                            "    - sunrpc: Fix compilation error (`make W=1`) when dprintk() is no-op",
                            "    - NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg",
                            "    - nfsd: use dynamic allocation for oversized NFSv4.0 replay cache",
                            "    - RDMA/umem: Use consistent DMA attributes when unmapping entries",
                            "    - greybus: raw: fix use-after-free on cdev close",
                            "    - greybus: raw: fix use-after-free if write is called after disconnect",
                            "    - platform/x86: asus-wmi: adjust screenpad power/brightness handling",
                            "    - platform/x86: asus-wmi: fix screenpad brightness range",
                            "    - tty: serial: ip22zilog: Fix section mispatch warning",
                            "    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion",
                            "    - platform/x86: hp-wmi: fix ignored return values in fan settings",
                            "    - platform/x86: hp-wmi: avoid cancel_delayed_work_sync from work handler",
                            "    - platform/x86: hp-wmi: use mod_delayed_work to reset keep-alive timer",
                            "    - platform/x86: hp-wmi: fix u8 underflow in gpu_delta calculation",
                            "    - platform/x86: hp-wmi: add locking for concurrent hwmon access",
                            "    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()",
                            "    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation",
                            "    - RDMA/core: Prefer NLA_NUL_STRING",
                            "    - platform/x86: hp-wmi: fix fan table parsing",
                            "    - dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur",
                            "    - clk: qcom: gcc-glymur: Add video axi clock resets for glymur",
                            "    - clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: renesas: r9a09g057: Fix ordering of module clocks array",
                            "    - clk: renesas: r9a09g056: Fix ordering of module clocks array",
                            "    - clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock",
                            "    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()",
                            "    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX",
                            "    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from",
                            "      byte_div_clk_src dividers",
                            "    - clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-kaanapali: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-milos: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting",
                            "    - clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}",
                            "    - scsi: target: core: Fix integer overflow in UNMAP bounds check",
                            "    - scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item",
                            "    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Use retention for USB power domains",
                            "    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains",
                            "    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk",
                            "    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks",
                            "    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()",
                            "    - clk: imx: imx6q: Fix device node reference leak in",
                            "      of_assigned_ldb_sels()",
                            "    - clk: imx8mq: Correct the CSI PHY sels",
                            "    - um: Fix potential race condition in TLB sync",
                            "    - x86/um: fix vDSO installation",
                            "    - clk: qoriq: avoid format string warning",
                            "    - clk: xgene: Fix mapping leak in xgene_pllclk_init()",
                            "    - clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()",
                            "    - f2fs: avoid reading already updated pages during GC",
                            "    - printk_ringbuffer: Fix get_data() size sanity check",
                            "    - clk: qcom: gdsc: Fix error path on registration of multiple pm",
                            "      subdomains",
                            "    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()",
                            "    - f2fs: fix data loss caused by incorrect use of nat_entry flag",
                            "    - f2fs: fix to preserve previous reserve_{blocks,node} value when remount",
                            "    - scsi: hpsa: Enlarge controller and IRQ name buffers",
                            "    - drm/amd/display: Fix parameter mismatch in panel self-refresh helper",
                            "    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON",
                            "    - clk: visconti: pll: initialize clk_init_data to zero",
                            "    - f2fs: allow empty mount string for Opt_usr|grp|projjquota",
                            "    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()",
                            "    - drm/i915/wm: Verify the correct plane DDB entry",
                            "    - virt: arm-cca-guest: fix error check for RSI_INCOMPLETE",
                            "    - crypto: eip93 - fix hmac setkey algo selection",
                            "    - crypto: sa2ul - Fix AEAD fallback algorithm names",
                            "    - crypto: ccp - copy IV using skcipher ivsize",
                            "    - sh: Include <linux/io.h> in dac.h",
                            "    - erofs: unify lcn as u64 for 32-bit platforms",
                            "    - tools: hv: Fix cross-compilation",
                            "    - Drivers: hv: vmbus: fix hyperv_cpuhp_online variable shadowing",
                            "    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - PCMCIA: Fix garbled log messages for KERN_CONT",
                            "    - reset: amlogic: t7: Fix null reset ops",
                            "    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's",
                            "      phy-names",
                            "    - pwm: stm32: Fix rounding issue for requests with inverted polarity",
                            "    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in",
                            "      tcf_blockcast_redir",
                            "    - macvlan: fix macvlan_get_size() not reserving space for",
                            "      IFLA_MACVLAN_BC_CUTOFF",
                            "    - net/sched: sch_cake: fix NAT destination port not being updated in",
                            "      cake_update_flowkeys",
                            "    - nexthop: fix IPv6 route referencing IPv4 nexthop",
                            "    - net: airoha: Wait for NPU PPE configuration to complete in",
                            "      airoha_ppe_offload_setup()",
                            "    - net/sched: taprio: fix use-after-free in advance_sched() on schedule",
                            "      switch",
                            "    - net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops",
                            "    - net: enetc: correct the command BD ring consumer index",
                            "    - net: enetc: fix NTMP DMA use-after-free issue",
                            "    - ksmbd: fix use-after-free in smb2_open during durable reconnect",
                            "    - tcp: move tp->chrono_type next tp->chrono_stat[]",
                            "    - tcp: inline tcp_chrono_start()",
                            "    - tcp: annotate data-races in tcp_get_info_chrono_stats()",
                            "    - tcp: add data-race annotations around tp->data_segs_out and",
                            "      tp->total_retrans",
                            "    - tcp: add data-races annotations around tp->reordering, tp->snd_cwnd",
                            "    - tcp: annotate data-races around tp->snd_ssthresh",
                            "    - tcp: annotate data-races around tp->delivered and tp->delivered_ce",
                            "    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE",
                            "    - tcp: annotate data-races around tp->bytes_sent",
                            "    - tcp: annotate data-races around tp->bytes_retrans",
                            "    - tcp: annotate data-races around tp->dsack_dups",
                            "    - tcp: annotate data-races around tp->reord_seen",
                            "    - tcp: annotate data-races around tp->srtt_us",
                            "    - tcp: annotate data-races around tp->timeout_rehash",
                            "    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)",
                            "    - tcp: annotate data-races around tp->plb_rehash",
                            "    - ice: fix 'adjust' timer programming for E830 devices",
                            "    - ice: update PCS latency settings for E825 10G/25Gb modes",
                            "    - ice: fix double-free of tx_buf skb",
                            "    - ice: fix PHY config on media change with link-down-on-close",
                            "    - ice: fix ICE_AQ_LINK_SPEED_M for 200G",
                            "    - ice: fix race condition in TX timestamp ring cleanup",
                            "    - ice: fix potential NULL pointer deref in error path of",
                            "      ice_set_ringparam()",
                            "    - i40e: don't advertise IFF_SUPP_NOFCS",
                            "    - iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2",
                            "    - e1000e: Unroll PTP in probe error handling",
                            "    - ipv6: fix possible UAF in icmpv6_rcv()",
                            "    - af_unix: Drop all SCM attributes for SOCKMAP.",
                            "    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks",
                            "    - pppoe: drop PFC frames",
                            "    - net/mlx5: Fix HCA caps leak on notifier init failure",
                            "    - net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()",
                            "    - netfilter: nft_osf: restrict it to ipv4",
                            "    - netfilter: conntrack: remove sprintf usage",
                            "    - netfilter: xtables: restrict several matches to inet family",
                            "    - netfilter: nat: use kfree_rcu to release ops",
                            "    - ipvs: fix MTU check for GSO packets in tunnel mode",
                            "    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching",
                            "    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check",
                            "    - net/sched: sch_dualpi2: drain both C-queue and L-queue in",
                            "      dualpi2_change()",
                            "    - arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0",
                            "    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number",
                            "    - vfio/pci: Clean up DMABUFs before disabling function",
                            "    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic",
                            "    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()",
                            "    - ksmbd: destroy async_ida in ksmbd_conn_free()",
                            "    - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open",
                            "    - ksmbd: scope conn->binding slowpath to bound sessions only",
                            "    - net: validate skb->napi_id in RX tracepoints",
                            "    - bnge: fix initial HWRM sequence",
                            "    - bnge: remove unsupported backing store type",
                            "    - sctp: fix sockets_allocated imbalance after sk_clone()",
                            "    - net/rds: zero per-item info buffer before handing it to visitors",
                            "    - ice: fix timestamp interrupt configuration for E825C",
                            "    - ice: perform PHY soft reset for E825C ports at initialization",
                            "    - ice: fix ready bitmap check for non-E822 devices",
                            "    - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g",
                            "    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()",
                            "    - net/sched: sch_pie: annotate data-races in pie_dump_stats()",
                            "    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()",
                            "    - net/sched: sch_red: annotate data-races in red_dump_stats()",
                            "    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()",
                            "    - net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()",
                            "    - net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()",
                            "    - net: dsa: realtek: rtl8365mb: fix mode mask calculation",
                            "    - net: airoha: Move ndesc initialization at end of",
                            "      airoha_qdma_init_rx_queue()",
                            "    - net: airoha: Rework the code flow in airoha_remove() and in",
                            "      airoha_probe() error path",
                            "    - net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()",
                            "    - net: mana: Init link_change_work before potential error paths in probe",
                            "    - net: mana: Init gf_stats_work before potential error paths in probe",
                            "    - net: mana: Guard mana_remove against double invocation",
                            "    - net: mana: Don't overwrite port probe error with add_adev result",
                            "    - net: mana: Fix EQ leak in mana_remove on NULL port",
                            "    - vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting",
                            "    - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via",
                            "      VQ_PAIRS_SET",
                            "    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls",
                            "    - tcp: send a challenge ACK on SEG.ACK > SND.NXT",
                            "    - tipc: fix double-free in tipc_buf_append()",
                            "    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()",
                            "    - nstree: fix func. parameter kernel-doc warnings",
                            "    - eventpoll: use hlist_is_singular_node() in __ep_remove()",
                            "    - eventpoll: split __ep_remove()",
                            "    - eventpoll: kill __ep_remove()",
                            "    - eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()",
                            "    - eventpoll: move epi_fget() up",
                            "    - fs/adfs: validate nzones in adfs_validate_bblk()",
                            "    - rtc: abx80x: Disable alarm feature if no interrupt attached",
                            "    - kbuild: builddeb - avoid recompiles for non-cross-compiles",
                            "    - tools/power turbostat: Fix AMD RAPL regression on big systems",
                            "    - fbdev: offb: fix PCI device reference leak on probe failure",
                            "    - tools/power turbostat: Fix unrecognized option '-P'",
                            "    - tools/power turbostat: Fix --cpu-set 0 regression on HT systems",
                            "    - tools/power turbostat: Fix --cpu-set 1 regression on HT systems",
                            "    - kbuild: Never respect CONFIG_WERROR / W=e to fixdep",
                            "    - mailbox: mtk-vcp-mailbox: Fix the return value in mtk_vcp_mbox_xlate()",
                            "    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case",
                            "    - mailbox: mailbox-test: free channels on probe error",
                            "    - sched/psi: fix race between file release and pressure write",
                            "    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()",
                            "    - cgroup/cpuset: record DL BW alloc CPU for attach rollback",
                            "    - mailbox: add sanity check for channel array",
                            "    - mailbox: mailbox-test: handle channel errors consistently",
                            "    - mailbox: mailbox-test: don't free the reused channel",
                            "    - mailbox: mailbox-test: initialize struct earlier",
                            "    - mailbox: mailbox-test: make data_ready a per-instance variable",
                            "    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()",
                            "    - btrfs: fix bytes_may_use leak in move_existing_remap()",
                            "    - btrfs: fix bytes_may_use leak in do_remap_reloc_trans()",
                            "    - btrfs: don't clobber errors in add_remap_tree_entries()",
                            "    - btrfs: fix double-decrement of bytes_may_use in",
                            "      submit_one_async_extent()",
                            "    - tracing: branch: Fix inverted check on stat tracer registration",
                            "    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
                            "    - netfilter: nf_tables: use list_del_rcu for netlink hooks",
                            "    - rculist: add list_splice_rcu() for private lists",
                            "    - netfilter: nf_tables: join hook list via splice_list_rcu() in commit",
                            "      phase",
                            "    - netfilter: nf_tables: add hook transactions for device deletions",
                            "    - nvme-pci: fix missed admin queue sq doorbell write",
                            "    - drm/amdgpu: avoid double drm_exec_fini() in userq validate",
                            "    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM",
                            "    - drm/amd/pm: fix missing fine-grained dpm table flag on aldebaran",
                            "    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG",
                            "    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated",
                            "    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)",
                            "    - drm/amdgpu: Only send RMA CPER when threshold is exceeded",
                            "    - netfilter: xt_policy: fix strict mode inbound policy matching",
                            "    - netfilter: nf_conntrack_sip: don't use simple_strtoul",
                            "    - spi: rzv2h-rspi: Fix silent failure in clock setup error path",
                            "    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED",
                            "    - ASoC: SOF: Intel: add an empty adr_link",
                            "    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ",
                            "    - ASoC: tas2764: Mark die temp register as volatile",
                            "    - ASoC: tas2770: Fix order of operations for temperature calculation",
                            "    - drm/sysfb: ofdrm: fix PCI device reference leaks",
                            "    - drm/color-mgmt: Typo s/R332/RGB332/",
                            "    - arm64/scs: Fix potential sign extension issue of advance_loc4",
                            "    - spi: spi-mem: Add a packed command operation",
                            "    - mtd: spinand: Add support for packed read data ODTR commands",
                            "    - mtd: spinand: winbond: Set the packed page read flag to W35N02/04JW",
                            "    - mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW",
                            "    - ACPICA: Provide #defines for EINJV2 error types",
                            "    - ACPI: APEI: EINJ: Fix EINJV2 memory error injection",
                            "    - cdrom, scsi: sr: propagate read-only status to block layer via",
                            "      set_disk_ro()",
                            "    - spi: axiado: replace usleep_range() with udelay() in IRQ path",
                            "    - netdevsim: zero initialize struct iphdr in dummy sk_buff",
                            "    - net/sched: netem: fix probability gaps in 4-state loss model",
                            "    - net/sched: netem: fix queue limit check to include reordered packets",
                            "    - net/sched: netem: only reseed PRNG when seed is explicitly provided",
                            "    - net/sched: netem: validate slot configuration",
                            "    - net/sched: netem: fix slot delay calculation overflow",
                            "    - net/sched: netem: check for negative latency and jitter",
                            "    - net: airoha: fix BQL imbalance in TX path",
                            "    - net: airoha: stop net_device TX queue before updating CPU index",
                            "    - net: airoha: fix typo in function name",
                            "    - net: airoha: Do not wake all netdev TX queues in",
                            "      airoha_qdma_wake_netdev_txqs()",
                            "    - net: airoha: Do not read uninitialized fragment address in",
                            "      airoha_dev_xmit()",
                            "    - net/sched: sch_choke: annotate data-races in choke_dump_stats()",
                            "    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()",
                            "    - vrf: Fix a potential NPD when removing a port from a VRF",
                            "    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()",
                            "    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit",
                            "    - spi: amlogic-spisg: initialize completion before requesting IRQ",
                            "    - NFC: trf7970a: Ignore antenna noise when checking for RF field",
                            "    - net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind",
                            "    - neigh: let neigh_xmit take skb ownership",
                            "    - tcp: make probe0 timer handle expired user timeout",
                            "    - netpoll: fix IPv6 local-address corruption",
                            "    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams",
                            "    - sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue",
                            "    - sched/fair: Clear rel_deadline when initializing forked entities",
                            "    - net: mctp i2c: check length before marking flow active",
                            "    - md/raid1,raid10: don't fail devices for invalid IO errors",
                            "    - md: add fallback to correct bitmap_ops on version mismatch",
                            "    - md: factor bitmap creation away from sysfs handling",
                            "    - md/md-bitmap: split bitmap sysfs groups",
                            "    - md/md-bitmap: add a none backend for bitmap grow",
                            "    - s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()",
                            "    - net: phy: dp83869: fix setting CLK_O_SEL field.",
                            "    - drm/amd/display: properly handle family setting for early GC 11.5.4",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.3.0 ring",
                            "    - drm/amd/pm: Add fine grained flag to SMU v13.0.6",
                            "    - io_uring/napi: cap busy_poll_to 10 msec",
                            "    - ASoC: cs35l56: Fix illegal writes to OTP_MEM registers",
                            "    - net: psp: check for device unregister when creating assoc",
                            "    - net: psp: require admin permission for dev-set and key-rotate",
                            "    - ASoC: codecs: ab8500: Fix casting of private data",
                            "    - netfilter: skip recording stale or retransmitted INIT",
                            "    - sctp: discard stale INIT after handshake completion",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (I)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (II)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (IV)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)",
                            "    - netconsole: return count instead of strnlen(buf, count) from store",
                            "      callbacks",
                            "    - netconsole: avoid clobbering userdatum value on truncated write",
                            "    - netconsole: propagate device name truncation in dev_name_store()",
                            "    - netconsole: restore userdatum value on update_userdata() failure",
                            "    - ALSA: hda/conexant: Fix missing error check for jack detection",
                            "    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()",
                            "    - ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0",
                            "      pages >1",
                            "    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup",
                            "    - drm/amd/display: Allow embedded connectors without DDC",
                            "    - drm/amd/display: Allow DCE link encoder without AUX registers",
                            "    - drm/amd/display: Allow constructing DCE6 link encoder without DDC",
                            "    - drm/amd/display: Allow constructing DCE8 link encoder without DDC",
                            "    - drm/amd/display: Read EDID from VBIOS embedded panel info",
                            "    - drm/amd/display: Use EDID from VBIOS embedded panel info",
                            "    - drm/xe: Use XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET enum instead of magic",
                            "      number",
                            "    - drm/xe: Drop registration of guc_submit_wedged_fini from",
                            "      xe_guc_submit_wedge()",
                            "    - drm/xe/debugfs: Correct printing of register whitelist ranges",
                            "    - drm/xe: Fix potential NULL deref in",
                            "      xe_exec_queue_tlb_inval_last_fence_put_unlocked",
                            "    - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()",
                            "    - drm/xe/eustall: Fix drm_dev_put called before stream disable in close",
                            "    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()",
                            "    - drm/xe/xelp: Fix Wa_18022495364",
                            "    - net: airoha: Do not return err in ndo_stop() callback",
                            "    - bonding: print churn state via netlink",
                            "    - bonding: 3ad: implement proper RCU rules for port->aggregator",
                            "    - page_pool: fix memory-provider leak in page_pool_create_percpu() error",
                            "      path",
                            "    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING",
                            "    - iavf: stop removing VLAN filters from PF on interface down",
                            "    - iavf: wait for PF confirmation before removing VLAN filters",
                            "    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler",
                            "    - ice: fix NULL pointer dereference in ice_reset_all_vfs()",
                            "    - ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw",
                            "    - ice: fix missing SMA pin initialization in DPLL subsystem",
                            "    - ice: fix SMA and U.FL pin state changes affecting paired pin",
                            "    - ice: fix missing dpll notifications for SW pins",
                            "    - dpll: export __dpll_pin_change_ntf() for use under dpll_lock",
                            "    - ice: add dpll peer notification for paired SMA and U.FL pins",
                            "    - net: tls: fix strparser anchor skb leak on offload RX setup failure",
                            "    - sfc: fix error code in efx_devlink_info_running_versions()",
                            "    - net/sched: cls_flower: revert unintended changes",
                            "    - kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition",
                            "    - arm64: Reserve an extra page for early kernel mapping",
                            "    - futex: Drop CLONE_THREAD requirement for private default hash alloc",
                            "    - PCI: Initialize temporary device in new_id_store()",
                            "    - workqueue: fix devm_alloc_workqueue() va_list misuse",
                            "    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()",
                            "    - sched/fair: Fix wakeup_preempt_fair() for not waking up task",
                            "    - crypto: af_alg - Cap AEAD AD length to 0x80000000",
                            "    - i40e: Cleanup PTP pins on probe failure",
                            "    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path",
                            "    - net: ena: PHC: Fix potential use-after-free in get_timestamp",
                            "    - cgroup/cpuset: Reset DL migration state on can_attach() failure",
                            "    - netfilter: nf_conntrack_sip: get helper before allocating expectation",
                            "    - audit: fix incorrect inheritable capability in CAPSET records",
                            "    - net: ena: PHC: Check return code before setting timestamp output",
                            "    - cgroup/dmem: Return -ENOMEM on failed pool preallocation",
                            "    - idpf: fix double free and use-after-free in aux device error paths",
                            "    - cgroup/cpuset: Reserve DL bandwidth only for root-domain moves",
                            "    - Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to",
                            "      warn\"",
                            "    - netfilter: nft_ct: fix missing expect put in obj eval",
                            "    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled",
                            "    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV",
                            "    - cgroup/cpuset: Return only actually allocated CPUs during partition",
                            "      invalidation",
                            "    - KVM: x86: Swap the dst and src operand for MOVNTDQA",
                            "    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()",
                            "    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer",
                            "      arithmetic",
                            "    - KVM: x86: Fix Xen hypercall tracepoint argument assignment",
                            "    - HID: pass the buffer size to hid_report_raw_event",
                            "    - HID: core: introduce hid_safe_input_report()",
                            "    - rseq: Revert to historical performance killing behaviour",
                            "    - rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode",
                            "    - rseq: Reenable performance optimizations conditionally",
                            "    - HID: core: Fix size_t specifier in hid_report_raw_event()",
                            "    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands",
                            "    - media: staging: imx: configure src_mux in csi_start",
                            "    - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events",
                            "    - nvme-apple: Reset q->sq_tail during queue init",
                            "    - smb/client: fix possible infinite loop and oob read in symlink_data()",
                            "    - drm/loongson: Use managed KMS polling",
                            "    - drm: Replace old pointer to new idr",
                            "    - drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup",
                            "    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats",
                            "    - drm/amd/display: Wrap DCN32 phantom-plane allocation in",
                            "      DC_RUN_WITH_PREEMPTION_ENABLED",
                            "    - drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure",
                            "    - platform/x86: intel: Move debugfs register before creating devices",
                            "    - platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers",
                            "    - platform/x86: lenovo-wmi-helpers: Fix memory leak in",
                            "      lwmi_dev_evaluate_int()",
                            "    - platform/x86: lenovo-wmi-other: Balance IDA id allocation and free",
                            "    - platform/x86: lenovo-wmi-other: Balance component bind and unbind",
                            "    - platform/x86: lenovo-wmi-other: Zero initialize WMI arguments",
                            "    - platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members",
                            "    - platform/x86: lenovo-wmi-other: Add Attribute ID helper functions",
                            "    - platform/x86: lenovo-wmi-other: Limit adding attributes to supported",
                            "      devices",
                            "    - accel/rocket: Fix prep_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx",
                            "    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone",
                            "    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans",
                            "    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans",
                            "    - ALSA: usb-audio: qcom: Check offload mapping failures",
                            "    - btrfs: only release the dirty pages io tree after successful writes",
                            "    - ceph: fix a buffer leak in __ceph_setxattr()",
                            "    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size",
                            "    - ceph: put folios not suitable for writeback",
                            "    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
                            "    - iommu/amd: Bounds-check devid in __rlookup_amd_iommu()",
                            "    - x86/kexec: Push kjump return address even for non-kjump kexec",
                            "    - xfs: fix memory leak on error in xfs_alloc_zone_info()",
                            "    - virt: sev-guest: Do not use host-controlled page order in cleanup path",
                            "    - powerpc/warp: Fix error handling in pika_dtm_thread",
                            "    - netfs: fix error handling in netfs_extract_user_iter()",
                            "    - nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled",
                            "    - nfsd: fix file change detection in CB_GETATTR",
                            "    - nfsd: update mtime/ctime on CLONE in presense of delegated attributes",
                            "    - nfsd: update mtime/ctime on COPY in presence of delegated attributes",
                            "    - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining",
                            "    - irqchip/meson-gpio: Use the correct register in",
                            "      meson_s4_gpio_irq_set_type()",
                            "    - irqchip/gic-v5: Move LPI allocation into the LPI domain",
                            "    - irqchip/gic-v5: Support range allocation for LPIs",
                            "    - irqchip/gic-v5: Allocate ITS parent LPIs as a range",
                            "    - libceph: Fix potential out-of-bounds access in osdmap_decode()",
                            "    - libceph: Fix potential null-ptr-deref in decode_choose_args()",
                            "    - libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()",
                            "    - libceph: Fix potential out-of-bounds access in crush_decode()",
                            "    - libceph: handle rbtree insertion error in decode_choose_args()",
                            "    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX",
                            "    - iommu/vt-d: Fix oops due to out of scope access",
                            "    - iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
                            "    - iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()",
                            "    - iommu: Replace per-group resetting_domain with per-gdev blocked flag",
                            "    - iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset",
                            "    - iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix nested pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()",
                            "    - drm/i915: skip __i915_request_skip() for already signaled requests",
                            "    - drm/panfrost: Fix wait_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - drm/xe/dma-buf: handle empty bo and UAF races",
                            "    - drm/xe/dma-buf: fix UAF with retry loop",
                            "    - drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure",
                            "    - drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC",
                            "    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup",
                            "    - drm/gma500/oaktrail_lvds: fix hang on init failure",
                            "    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init",
                            "    - arm_mpam: Fix monitor instance selection when checking for hardware NRDY",
                            "    - arm_mpam: Pretend that NRDY is always hardware managed",
                            "    - arm_mpam: Improve check for whether or not NRDY is hardware managed",
                            "    - arm_mpam: Fix false positive assert failure during mpam_disable()",
                            "    - arm_mpam: Check whether the config array is allocated before destroying",
                            "      it",
                            "    - eventfs: Simplify code using guard()s",
                            "    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list",
                            "    - smb: client: Use FullSessionKey for AES-256 encryption key derivation",
                            "    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: sifive: fix controller deregistration",
                            "    - tracefs: Removed unused 'ret' variable in eventfs_iterate()",
                            "    - workqueue: Annotate alloc_workqueue_va() with __printf(1, 0)",
                            "    - selftests/bpf: Remove test_access_variable_array",
                            "    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()",
                            "    - Linux 7.0.10",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45846",
                            "    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45845",
                            "    - net/sched: taprio: fix NULL pointer dereference in class dump",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45844",
                            "    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-46242",
                            "    - eventpoll: fix ep_remove struct eventpoll / struct file UAF",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45843",
                            "    - slip: bound decode() reads against the compressed packet length",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45842",
                            "    - slip: reject VJ receive packets on instances with no rstate array",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45841",
                            "    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45840",
                            "    - openvswitch: cap upcall PID array size and pre-size vport replies",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45839",
                            "    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45838",
                            "    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006)",
                            "    - Linux 7.0.8",
                            "    - HID: pidff: Fix integer overflow in pidff_rescale",
                            "    - media: uvcvideo: Enable VB2_DMABUF for metadata stream",
                            "    - drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames",
                            "    - media: rzv2h-ivc: Avoid double job scheduling",
                            "    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0",
                            "    - media: rzv2h-ivc: Write AXIRX_PIXFMT once",
                            "    - media: rzv2h-ivc: Fix FM_STOP register write",
                            "    - media: rzv2h-ivc: Fix concurrent buffer list access",
                            "    - media: mali-c55: Initialize the ISP in enable_streams()",
                            "    - media: mali-c55: Fix Iridix bypass macros",
                            "    - media: renesas: vsp1: Fix NULL pointer deref on module unload",
                            "    - media: renesas: vin: Fix RAW8 (again)",
                            "    - media: i2c: ov8856: free control handler on error in",
                            "      ov8856_init_controls()",
                            "    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for",
                            "      RK35{76,88}",
                            "    - media: dt-bindings: rockchip,vdec: Mark reg-names required for",
                            "      RK35{76,88}",
                            "    - media: chips-media: wave5: fix a potential memory leak in",
                            "      wave5_vdi_init()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      send_eos_event()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      handle_dynamic_resolution_change()",
                            "    - arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label",
                            "      position",
                            "    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after",
                            "      system pages",
                            "    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages",
                            "    - spi: bcm63xx: fix controller deregistration",
                            "    - spi: atmel: fix controller deregistration",
                            "    - arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux",
                            "    - regulator: mt6357: fix OF node reference imbalance",
                            "    - spi: st-ssc4: fix controller deregistration",
                            "    - regulator: max77650: fix OF node reference imbalance",
                            "    - media: ti: vpe: Add missing v4l2_device_unregister in vip_remove()",
                            "    - media: rc: streamzap: Error handling in probe",
                            "    - media: i2c: imx283: Enter full standby when stopping streaming",
                            "    - regulator: bq257xx: fix OF node reference imbalance",
                            "    - regulator: rk808: fix OF node reference imbalance",
                            "    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
                            "    - media: mali-c55: Fully reset the ISP configuration",
                            "    - media: intel/ipu6: fix error pointer dereference",
                            "    - media: i2c: imx283: Fix hang when going from large to small resolution",
                            "    - regulator: act8945a: fix OF node reference imbalance",
                            "    - regulator: s2dos05: fix OF node reference imbalance",
                            "    - regulator: bd9571mwv: fix OF node reference imbalance",
                            "    - spi: lantiq-ssc: fix controller deregistration",
                            "    - spi: meson-spicc: fix controller deregistration",
                            "    - spi: qup: fix controller deregistration",
                            "    - arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO",
                            "    - spi: at91-usart: fix controller deregistration",
                            "    - media: ipu-bridge: Add upside-down sensor DMI quirk for Dell XPS 13 9340",
                            "      and XPS 14 9440",
                            "    - spi: amlogic-spisg: fix controller deregistration",
                            "    - spi: aspeed-smc: fix controller deregistration",
                            "    - drm/colorop: Preserve bypass value in duplicate_state()",
                            "    - drm/atomic: Add affected colorops with affected planes",
                            "    - platform/x86: hp-wmi: Ignore backlight and FnLock events",
                            "    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to",
                            "      copy",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for",
                            "      pinctrl/pinctrl_aon",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt",
                            "    - media: pci: zoran: fix potential memory leak in zoran_probe()",
                            "    - media: dib8000: avoid division by 0 in dib8000_set_dds()",
                            "    - media: i2c: imx412: Assert reset GPIO during probe",
                            "    - media: staging: imx: request mbus_config in csi_start",
                            "    - media: i2c: ov08d10: fix image vertical start setting",
                            "    - media: i2c: ov08d10: fix runtime PM handling in probe",
                            "    - media: omap3isp: drop the use count of v4l2 pipeline",
                            "    - media: iris: fix QCOM_MDT_LOADER dependency",
                            "    - media: qcom: camss: Fix csid clock configuration for sa8775p",
                            "    - media: qcom: camss: Fix csid IRQ offset for sa8775p",
                            "    - media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on",
                            "      SC7280",
                            "    - media: venus: fix QCOM_MDT_LOADER dependency",
                            "    - media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()",
                            "    - media: iris: switch to hardware mode after firmware boot",
                            "    - media: qcom: camss: Add missing clocks for VFE lite on sa8775p",
                            "    - spi: mxs: fix controller deregistration",
                            "    - spi: mt65xx: fix controller deregistration",
                            "    - spi: dln2: fix controller deregistration",
                            "    - spi: s3c64xx: fix controller deregistration",
                            "    - spi: fsl-espi: fix controller deregistration",
                            "    - spi: omap2-mcspi: fix controller deregistration",
                            "    - spi: pic32: fix controller deregistration",
                            "    - spi: ep93xx: fix controller deregistration",
                            "    - spi: mtk-nor: fix controller deregistration",
                            "    - spi: pl022: fix controller deregistration",
                            "    - spi: sh-hspi: fix controller deregistration",
                            "    - spi: bcmbca-hsspi: fix controller deregistration",
                            "    - spi: coldfire-qspi: fix controller deregistration",
                            "    - spi: npcm-pspi: fix controller deregistration",
                            "    - spi: cavium-thunderx: fix controller deregistration",
                            "    - spi: pic32-sqi: fix controller deregistration",
                            "    - spi: sprd: fix controller deregistration",
                            "    - spi: sh-msiof: fix controller deregistration",
                            "    - spi: slave-mt27xx: fix controller deregistration",
                            "    - spi: img-spfi: fix controller deregistration",
                            "    - spi: mpfs: fix controller deregistration",
                            "    - spi: octeon: fix controller deregistration",
                            "    - spi: imx: fix runtime pm leak on probe deferral",
                            "    - spi: mxic: fix controller deregistration",
                            "    - spi: orion: fix controller deregistration",
                            "    - spi: orion: fix runtime pm leak on unbind",
                            "    - spi: orion: fix clock imbalance on registration failure",
                            "    - spi: cadence: fix controller deregistration",
                            "    - spi: cadence-quadspi: fix controller deregistration",
                            "    - spi: cadence: fix unclocked access on unbind",
                            "    - spi: cadence: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm disable imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm and clock imbalance on unbind",
                            "    - drm/colorop: Fix blob property reference tracking in state lifecycle",
                            "    - drm/imx: parallel-display: Prefer bus format set via legacy \"interface-",
                            "      pix-fmt\" DT property",
                            "    - drm/msm: always recover the gpu",
                            "    - drm/v3d: Reject empty multisync extension to prevent infinite loop",
                            "    - drm/i915/psr: Init variable to avoid early exit from et alignment loop",
                            "    - drm/amd/display: fix math_mod() using arg1 instead of arg2",
                            "    - drm/amd: Add missing firmware declaration for PSP v15.0.0",
                            "    - drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0",
                            "      .",
                            "    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.",
                            "    - drm/amdgpu: gate VM CPU HDP flush on reset lock",
                            "    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x",
                            "    - drm/amdkfd: Add upper bound check for num_of_nodes",
                            "    - drm/amdgpu/vce: Prevent partial address patches",
                            "    - drm/amd/display: Change dither policy for 10 bpc output back to",
                            "      dithering",
                            "    - drm/appletbdrm: Use kvzalloc for big allocations",
                            "    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11 and",
                            "      higher.",
                            "    - drm/udl: Increase GET_URB_TIMEOUT",
                            "    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()",
                            "    - drm/xe/bo: Fix bo leak on unaligned size validation in",
                            "      xe_bo_init_locked()",
                            "    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
                            "    - drm/radeon: add missing revision check for CI",
                            "    - drm/amdgpu: zero-initialize GART table on allocation",
                            "    - drm/exynos: remove bridge when component_add fails",
                            "    - drm/amdgpu/userq: fix access to stale wptr mapping",
                            "    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ",
                            "    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer",
                            "    - drm/sti: remove bridge when sti_hda component_add fails",
                            "    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdkfd: Make all TLB-flushes heavy-weight",
                            "    - drm/amdgpu/pm: add missing revision check for CI",
                            "    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon",
                            "    - arm64: dts: qcom: kodiak: Fix PCIe1 PHY ref clock voting",
                            "    - arm64: dts: qcom: lemans: Correct QUP interrupt numbers",
                            "    - arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22",
                            "    - arm64: dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO",
                            "    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure",
                            "    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation",
                            "    - usb: typec: tcpm: reset internal port states on soft reset AMS",
                            "    - io_uring/zcrx: use guards for locking",
                            "    - io_uring/zcrx: warn on freelist violations",
                            "    - kho: fix error handling in kho_add_subtree()",
                            "    - EDAC/versalnet: Refactor memory controller initialization and cleanup",
                            "    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: uniphier: fix controller deregistration",
                            "    - cgroup: Increment nr_dying_subsys_* from rmdir context",
                            "    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()",
                            "    - perf build: fix \"argument list too long\" in second location",
                            "    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from mmap()",
                            "    - vsock/virtio: fix length and offset in tap skb for split packets",
                            "    - drm/amdgpu/vcn3: Avoid overflow on msg bound check",
                            "    - drm/amdgpu/vcn4: Avoid overflow on msg bound check",
                            "    - Linux 7.0.9",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46214",
                            "    - vsock/virtio: fix accept queue count leak on transport mismatch",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46207",
                            "    - vsock/virtio: fix empty payload in tap skb for non-linear buffers",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46234",
                            "    - vsock: fix buffer size clamping order",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46223",
                            "    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46221",
                            "    - EDAC/versalnet: Fix device name memory leak",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46231",
                            "    - batman-adv: bla: put backbone reference on failed claim hash insert",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46233",
                            "    - batman-adv: bla: only purge non-released claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46212",
                            "    - batman-adv: bla: prevent use-after-free when deleting claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46238",
                            "    - batman-adv: stop caching unowned originator pointers in BAT IV",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46208",
                            "    - batman-adv: stop tp_meter sessions during mesh teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46206",
                            "    - batman-adv: reject new tp_meter sessions during teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46198",
                            "    - batman-adv: fix integer overflow on buff_pos",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46227",
                            "    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in",
                            "      SCTP_SENDALL",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46220",
                            "    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46215",
                            "    - drm: Set old handle to NULL before prime swap in change_handle",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46201",
                            "    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46224",
                            "    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46197",
                            "    - drm/amdkfd: validate SVM ioctl nattr against buffer size",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46209",
                            "    - drm/gem: Fix inconsistent plane dimension calculation in",
                            "      drm_gem_fb_init_with_funcs()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46230",
                            "    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46199",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46204",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46218",
                            "    - drm/amdgpu: Add bounds checking to ib_{get,set}_value",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46229",
                            "    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46211",
                            "    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46203",
                            "    - spi: cadence-quadspi: fix unclocked access on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46219",
                            "    - spi: mpc52xx: fix use-after-free on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46200",
                            "    - spi: mpc52xx: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46241",
                            "    - spi: mpc52xx: fix use-after-free on registration failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46225",
                            "    - spi: rspi: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46226",
                            "    - spi: fsl: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46228",
                            "    - spi: ch341: fix devres lifetime",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46216",
                            "    - drm/xe/hdcp: Add NULL check for media_gt in",
                            "      intel_hdcp_gsc_check_status()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46210",
                            "    - media: iris: fix use-after-free of fmt_src during MBPF check",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46240",
                            "    - media: iris: Fix use-after-free in iris_release_internal_buffers()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46235",
                            "    - media: saa7164: add ioremap return checks and cleanups",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46222",
                            "    - media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46239",
                            "    - media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46236",
                            "    - media: rc: xbox_remote: heed DMA restrictions",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46205",
                            "    - staging: media: atomisp: Disallow all private IOCTLs",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46202",
                            "    - HID: appletb-kbd: run inactivity autodim from workqueues",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46213",
                            "    - HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46232",
                            "    - HID: playstation: Clamp num_touch_reports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988)",
                            "    - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states",
                            "    - ACPI: scan: Use acpi_dev_put() in object add error paths",
                            "    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO",
                            "    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug",
                            "    - ACPI: video: force native backlight on HP OMEN 16 (8A44)",
                            "    - iommufd: Fix a race with concurrent allocation and unmap",
                            "    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command",
                            "    - spi: rockchip: fix controller deregistration",
                            "    - ksmbd: rewrite stop_sessions() with restartable iteration",
                            "    - flow_dissector: do not dissect PPPoE PFC frames",
                            "    - smb: client/smbdirect: fix MR registration for coalesced SG lists",
                            "    - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr",
                            "    - wifi: mt76: mt7925: fix incorrect length field in txpower command",
                            "    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work",
                            "    - wifi: ath5k: do not access array OOB",
                            "    - ALSA: usb-audio: midi2: Restart output URBs on resume",
                            "    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check",
                            "    - usb: dwc3: Move GUID programming after PHY initialization",
                            "    - USB: omap_udc: DMA: Don't enable burst 4 mode",
                            "    - USB: serial: option: add Telit Cinterion LE910Cx compositions",
                            "    - usb: typec: tcpm: fix debug accessory mode detection for sink ports",
                            "    - ALSA: hda: cs35l56: Propagate ASP TX source control errors",
                            "    - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi",
                            "      Laptop Pro 15",
                            "    - ALSA: firewire-tascam: Do not drop unread control events",
                            "    - ALSA: core: Serialize deferred fasync state checks",
                            "    - ALSA: seq: Fix UMP group 16 filtering",
                            "    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o",
                            "    - x86/efi: Restore IRQ state in EFI page fault handler",
                            "    - xfrm: provide message size for XFRM_MSG_MAPPING",
                            "    - selinux: fix avdcache auditing",
                            "    - selinux: don't reserve xattr slot when we won't fill it",
                            "    - selinux: shrink critical section in sel_write_load()",
                            "    - selinux: prune /sys/fs/selinux/checkreqprot",
                            "    - selinux: prune /sys/fs/selinux/disable",
                            "    - selinux: prune /sys/fs/selinux/user",
                            "    - selinux: allow multiple opens of /sys/fs/selinux/policy",
                            "    - io_uring/kbuf: support min length left for incremental buffers",
                            "    - io_uring/tw: serialize ctx->retry_llist with ->uring_lock",
                            "    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()",
                            "    - rust: drm: gem: clean up GEM state in init failure case",
                            "    - rust: allow `clippy::collapsible_match` globally",
                            "    - rust: allow `clippy::collapsible_if` globally",
                            "    - rust: pin-init: internal: move alignment check to `make_field_check`",
                            "    - spi: syncuacer: fix controller deregistration",
                            "    - spi: sun4i: fix controller deregistration",
                            "    - spi: zynq-qspi: fix controller deregistration",
                            "    - spi: ti-qspi: fix controller deregistration",
                            "    - spi: sun6i: fix controller deregistration",
                            "    - spi: tegra114: fix controller deregistration",
                            "    - spi: zynqmp-gqspi: fix controller deregistration",
                            "    - spi: tegra20-sflash: fix controller deregistration",
                            "    - spi: s3c64xx: fix NULL-deref on driver unbind",
                            "    - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in",
                            "      rtw_cbuf_alloc",
                            "    - staging: vme_user: fix root device leak on init failure",
                            "    - KVM: arm64: Fix kvm_vcpu_initialized() macro parameter",
                            "    - arm64: signal: Preserve POR_EL0 if poe_context is missing",
                            "    - mm/hugetlb_cma: round up per_node before logging it",
                            "    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT",
                            "    - LoongArch: KVM: Compile switch.S directly into the kernel",
                            "    - mptcp: pm: ADD_ADDR rtx: skip inactive subflows",
                            "    - perf/x86/intel: Improve validation and configuration of ACR masks",
                            "    - selftests/rseq: Don't run tests with runner scripts outside of the",
                            "      scripts",
                            "    - rseq: Set rseq::cpu_id_start to 0 on unregistration",
                            "    - rseq: Protect rseq_reset() against interrupts",
                            "    - rseq: Don't advertise time slice extensions if disabled",
                            "    - selftests/rseq: Make registration flexible for legacy and optimized mode",
                            "    - selftests/rseq: Skip tests if time slice extensions are not available",
                            "    - selftests/rseq: Validate legacy behavior",
                            "    - selftests/rseq: Expand for optimized RSEQ ABI v2",
                            "    - pseries/papr-hvpipe: Fix race with interrupt handler",
                            "    - pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()",
                            "    - pseries/papr-hvpipe: Fix the usage of copy_to_user()",
                            "    - net: libwx: use request_irq for VF misc interrupt",
                            "    - netpoll: pass buffer size to egress_dev() to avoid MAC truncation",
                            "    - ovl: fix verity lazy-load guard broken by fsverity_active() semantic",
                            "      change",
                            "    - parisc: Fix IRQ leak in LASI driver",
                            "    - x86/efi: Fix graceful fault handling after FPU softirq changes",
                            "    - hwmon: (ltc2992) Clamp threshold writes to hardware range",
                            "    - hwmon: (ltc2992) Fix u32 overflow in power read path",
                            "    - clk: rk808: fix OF node reference imbalance",
                            "    - hwmon: (corsair-psu) Close HID device on probe errors",
                            "    - af_unix: Reject SIOCATMARK on non-stream sockets",
                            "    - arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's",
                            "    - pmdomain: mediatek: fix use-after-free in",
                            "      scpsys_get_bus_protection_legacy()",
                            "    - block: fix zone write plug removal",
                            "    - block: only read from sqe on initial invocation of blkdev_uring_cmd()",
                            "    - cifs: abort open_cached_dir if we don't request leases",
                            "    - cifs: change_conf needs to be called for session setup",
                            "    - extcon: ptn5150: handle pending IRQ events during system resume",
                            "    - gpio: of: clear OF_POPULATED on hog nodes in remove path",
                            "    - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS",
                            "    - hv_sock: fix ARM64 support",
                            "    - hv_sock: Report EOF instead of -EIO for FIN",
                            "    - hv_sock: Return -EIO for malformed/short packets",
                            "    - spi: microchip-core-qspi: fix controller deregistration",
                            "    - spi: microchip-core-spi: fix controller deregistration",
                            "    - tracefs: Fix default permissions not being applied on initial mount",
                            "    - udf: reject descriptors with oversized CRC length",
                            "    - x86/boot/e820: Re-enable BIOS fallback if e820 table is empty",
                            "    - thermal: core: Free thermal zone ID later during removal",
                            "    - thermal/drivers/sprd: Fix temperature clamping in",
                            "      sprd_thm_temp_to_rawdata",
                            "    - thermal/drivers/sprd: Fix raw temperature clamping in",
                            "      sprd_thm_rawdata_to_temp",
                            "    - spi: topcliff-pch: fix controller deregistration",
                            "    - spi: topcliff-pch: fix use-after-free on unbind",
                            "    - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section",
                            "    - tracing/fprobe: Remove fprobe from hash in failure path",
                            "    - tracing/fprobe: Unregister fprobe even if memory allocation fails",
                            "    - tracing/probes: Limit size of event probe to 3K",
                            "    - tracing/fprobe: Check the same type fprobe on table as the unregistered",
                            "      one",
                            "    - clk: imx: imx8-acm: fix flags for acm clocks",
                            "    - clk: microchip: mpfs-ccc: fix out of bounds access during output",
                            "      registration",
                            "    - cpuidle: powerpc: avoid double clear when breaking snooze",
                            "    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk",
                            "      table",
                            "    - ASoC: ES8389: convert to devm_clk_get_optional() to get clock",
                            "    - ASoC: fsl_easrc: fix comment typo",
                            "    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error",
                            "    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop",
                            "    - ASoC: qcom: q6apm: remove child devices when apm is removed",
                            "    - btrfs: do not mark inode incompressible after inline attempt fails",
                            "    - dm: don't report warning when doing deferred remove",
                            "    - dm: fix a buffer overflow in ioctl processing",
                            "    - dm-verity-fec: correctly reject too-small FEC devices",
                            "    - dm-verity-fec: correctly reject too-small hash devices",
                            "    - dm-verity-fec: fix corrected block count stat",
                            "    - dm-verity-fec: fix the size of dm_verity_fec_io::erasures",
                            "    - isofs: validate Rock Ridge CE continuation extent against volume size",
                            "    - iommufd: Fix return value of iommufd_fault_fops_write()",
                            "    - iommu/vt-d: Block PASID attachment to nested domain with dirty tracking",
                            "    - iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update",
                            "    - lib/crc: tests: Make crc_kunit test only the enabled CRC variants",
                            "    - lib/scatterlist: fix temp buffer in extract_user_to_sg()",
                            "    - nvme-apple: drop invalid put of admin queue reference count",
                            "    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
                            "    - pmdomain: core: Fix detach procedure for virtual devices in genpd",
                            "    - psp: strip variable-length PSP header in psp_dev_rcv()",
                            "    - s390/debug: Reject zero-length input in debug_input_flush_fn()",
                            "    - s390/debug: Reject zero-length input before trimming a newline",
                            "    - KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty",
                            "    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/stat: detect and use fresh enabled value",
                            "    - PCI: Update saved_config_space upon resource assignment",
                            "    - PCI/AER: Clear only error bits in PCIe Device Status",
                            "    - PCI/AER: Stop ruling out unbound devices as error source",
                            "    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage",
                            "    - power: supply: max17042: avoid overflow when determining health",
                            "    - perf/x86/intel: Always reprogram ACR events to prevent stale masks",
                            "    - perf/x86/intel: Disable PMI for self-reloaded ACR events",
                            "    - perf/x86/intel: Enable auto counter reload for DMR",
                            "    - RDMA/ionic: bound node_desc sysfs read with %.64s",
                            "    - RDMA/ionic: Fix typo in format string",
                            "    - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()",
                            "    - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()",
                            "    - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask",
                            "    - sched_ext: Use dsq->first_task instead of list_empty() in",
                            "      dispatch_enqueue() FIFO-tail",
                            "    - selftests: mptcp: check output: catch cmd errors",
                            "    - selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl",
                            "    - mptcp: fastclose msk when linger time is 0",
                            "    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure",
                            "    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure",
                            "    - mptcp: sockopt: set timestamp flags on subflow socket, not msk",
                            "    - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf",
                            "    - mptcp: fix rx timestamp corruption on fastopen",
                            "    - mptcp: pm: prio: skip closed subflows",
                            "    - mptcp: pm: kernel: reset fullmesh counter after flush",
                            "    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker",
                            "    - mptcp: pm: ADD_ADDR rtx: return early if no retrans",
                            "    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()",
                            "    - f2fs: fix false alarm of lockdep on cp_global_sem lock",
                            "    - f2fs: fix fiemap boundary handling when read extent cache is incomplete",
                            "    - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage",
                            "    - f2fs: fix incorrect file address mapping when inline inode is unwritten",
                            "    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()",
                            "    - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()",
                            "    - f2fs: refactor f2fs_move_node_folio function",
                            "    - f2fs: fix inline data not being written to disk in writeback path",
                            "    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace",
                            "    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value",
                            "    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()",
                            "    - KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer",
                            "    - KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer",
                            "    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS",
                            "    - LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry",
                            "    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by",
                            "      software",
                            "    - LoongArch: KVM: Move unconditional delay into timer clear scenery",
                            "    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()",
                            "    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup",
                            "    - mmc: core: Adjust MDT beyond 2025",
                            "    - mmc: core: Add quirk for incorrect manufacturing date",
                            "    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs",
                            "    - crypto: qat - fix indentation of macros in qat_hal.c",
                            "    - crypto: qat - fix firmware loading failure for GEN6 devices",
                            "    - hfsplus: fix held lock freed on hfsplus_fill_super()",
                            "    - 8021q: use RCU for egress QoS mappings",
                            "    - printk: add print_hex_dump_devel()",
                            "    - crypto: caam - guard HMAC key hex dumps in hash_digest_key",
                            "    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()",
                            "    - rust: pin-init: fix incorrect accessor reference lifetime",
                            "    - Linux 7.0.7",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43490",
                            "    - ksmbd: validate inherited ACE SID length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46174",
                            "    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op",
                            "      cache",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46110",
                            "    - net: stmmac: Prevent NULL deref when RX memory exhausted",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46153",
                            "    - 8021q: delete cleared egress QoS mappings",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46169",
                            "    - hfsplus: fix uninit-value by validating catalog record size",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46188",
                            "    - octeon_ep_vf: add NULL check for napi_build_skb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45837",
                            "    - bpf: Fix use-after-free in arena_vm_close on fork",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46156",
                            "    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46147",
                            "    - KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46175",
                            "    - f2fs: fix fsck inconsistency caused by FGGC of node block",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46194",
                            "    - f2fs: fix node_cnt race between extent node destroy and writeback",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46170",
                            "    - mptcp: pm: ADD_ADDR rtx: free sk if last",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46158",
                            "    - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46168",
                            "    - mptcp: fix scheduling with atomic in timestamp sockopt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46189",
                            "    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46133",
                            "    - RDMA/rxe: Reject unknown opcodes before ICRC processing",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46114",
                            "    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46127",
                            "    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46176",
                            "    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46178",
                            "    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46181",
                            "    - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46145",
                            "    - RDMA/mana: Validate rx_hash_key_len",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46117",
                            "    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46126",
                            "    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46144",
                            "    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46141",
                            "    - powerpc/xive: fix kmemleak caused by incorrect chip_data lookup",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46183",
                            "    - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46121",
                            "    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46131",
                            "    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46139",
                            "    - smb: client: use kzalloc to zero-initialize security descriptor buffer",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46105",
                            "    - scsi: mpt3sas: Limit NVMe request size to 2 MiB",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46171",
                            "    - riscv: kvm: fix vector context allocation leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46112",
                            "    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46165",
                            "    - openvswitch: vport: fix self-deadlock on release of tunnel ports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46161",
                            "    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43492",
                            "    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46124",
                            "    - isofs: validate block number from NFS file handle in isofs_export_iget",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46130",
                            "    - dm-verity-fec: fix reading parity bytes split across blocks (take 3)",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46106",
                            "    - eventfs: Hold eventfs_mutex and SRCU when remount walks events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46107",
                            "    - dm-thin: fix metadata refcount underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46160",
                            "    - btrfs: fix missing last_unlink_trans update when removing a directory",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46164",
                            "    - btrfs: fix double free in create_space_info_sub_group() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46129",
                            "    - btrfs: fix double free in create_space_info() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46159",
                            "    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to",
                            "      info-leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46143",
                            "    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46148",
                            "    - spi: microchip-core-qspi: control built-in cs manually",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46192",
                            "    - spi: microchip-core-qspi: don't attempt to transmit during emulated",
                            "      read-only dual/quad operations",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46162",
                            "    - ice: fix double free in ice_sf_eth_activate() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46273",
                            "    - ibmveth: Disable GSO for packets with small MSS",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46191",
                            "    - fbcon: Avoid OOB font access if console rotation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46134",
                            "    - platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43495",
                            "    - net: wwan: t7xx: validate port_count against message length in",
                            "      t7xx_port_enum_msg_handler",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43502",
                            "    - net/rds: handle zerocopy send cleanup before the message is queued",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46120",
                            "    - ip6_gre: Use cached t->net in ip6erspan_changelink().",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46142",
                            "    - net: libwx: fix VF illegal register access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46118",
                            "    - pseries/papr-hvpipe: Fix null ptr deref in",
                            "      papr_hvpipe_dev_create_handle()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46182",
                            "    - pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46184",
                            "    - sound: ua101: fix division by zero at probe",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43498",
                            "    - accel/ivpu: Disallow re-exporting imported GEM objects",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46132",
                            "    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in",
                            "      rtnl_fill_vfinfo",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46190",
                            "    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46150",
                            "    - fanotify: fix false positive on permission events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45836",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45834",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45835",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46138",
                            "    - Bluetooth: hci_event: Fix OOB read and infinite loop in",
                            "      hci_le_create_big_complete_evt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46111",
                            "    - Bluetooth: hci_conn: fix potential UAF in create_big_sync",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46140",
                            "    - Bluetooth: btmtk: validate WMT event SKB length before struct access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46186",
                            "    - Bluetooth: virtio_bt: validate rx pkt_type header length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46123",
                            "    - Bluetooth: virtio_bt: clamp rx length before skb_put",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46104",
                            "    - selinux: use sk blob accessor in socket permission helpers",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46193",
                            "    - xfrm: ah: account for ESN high bits in async callbacks",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46172",
                            "    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46116",
                            "    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46154",
                            "    - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46157",
                            "    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46109",
                            "    - usb: ulpi: fix memory leak on ulpi_register() error paths",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46146",
                            "    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46167",
                            "    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46151",
                            "    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46180",
                            "    - wifi: brcmfmac: Fix potential use-after-free issue when stopping",
                            "      watchdog task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46122",
                            "    - wifi: b43: enforce bounds check on firmware key index in b43_rx()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46125",
                            "    - wifi: mac80211: remove station if connection prep fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46166",
                            "    - wifi: mac80211: use safe list iteration in radar detect work",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46187",
                            "    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46152",
                            "    - wifi: mac80211: drop stray 'static' from fast-RX rx_result",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46163",
                            "    - wifi: b43legacy: enforce bounds check on firmware key index in RX path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46136",
                            "    - wifi: mt76: mt7921: fix a potential clc buffer length underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46173",
                            "    - exit: prevent preemption of oopsing TASK_DEAD task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43496",
                            "    - net/sched: sch_red: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46113",
                            "    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46179",
                            "    - ASoC: SOF: Don't allow pointer operations on unconfigured streams",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46196",
                            "    - tracepoint: balance regfunc() on func_add() failure in",
                            "      tracepoint_add_func()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43497",
                            "    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46108",
                            "    - ipmi:si: Return state to normal if message allocation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46128",
                            "    - ipmi: Check event message buffer response for bad data",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46177",
                            "    - ipmi: Add limits to event and receive message requests",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46149",
                            "    - scsi: target: configfs: Bound snprintf() return in",
                            "      tg_pt_gp_members_show()",
                            "",
                            "  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,",
                            "    conflicting with nouveau (LP: #2150845)",
                            "    - [Config] Disable NOVA_CORE",
                            "",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "",
                            "  * CVE-2026-46137",
                            "    - mptcp: pm: ADD_ADDR rtx: allow ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: fix potential data-race",
                            "",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "",
                            "  * CVE-2026-46155",
                            "    - smb/client: fix out-of-bounds read in smb2_compound_op()",
                            "",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157520,
                            2154418,
                            2155837,
                            2154174,
                            2154748,
                            2156559,
                            2156556,
                            2150640,
                            2156312,
                            2155096,
                            2154715,
                            2153159,
                            2150071,
                            2154343,
                            2149770,
                            2153155,
                            2152570,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156390,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2150845
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 02:37:29 +0300"
                    }
                ],
                "notes": "linux-tools-7.0.0-28 version '7.0.0-28.28' (source package linux version '7.0.0-28.28') was added. linux-tools-7.0.0-28 version '7.0.0-28.28' has the same source package name, linux, as removed package linux-headers-7.0.0-27. As such we can use the source package version of the removed package, '7.0.0-27.27', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-28-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-28.28",
                    "version": "7.0.0-28.28"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-46318",
                        "url": "https://ubuntu.com/security/CVE-2026-46318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46322",
                        "url": "https://ubuntu.com/security/CVE-2026-46322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46320",
                        "url": "https://ubuntu.com/security/CVE-2026-46320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46321",
                        "url": "https://ubuntu.com/security/CVE-2026-46321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46316",
                        "url": "https://ubuntu.com/security/CVE-2026-46316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46317",
                        "url": "https://ubuntu.com/security/CVE-2026-46317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45846",
                        "url": "https://ubuntu.com/security/CVE-2026-45846",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45845",
                        "url": "https://ubuntu.com/security/CVE-2026-45845",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45844",
                        "url": "https://ubuntu.com/security/CVE-2026-45844",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46242",
                        "url": "https://ubuntu.com/security/CVE-2026-46242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-30 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45843",
                        "url": "https://ubuntu.com/security/CVE-2026-45843",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45842",
                        "url": "https://ubuntu.com/security/CVE-2026-45842",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45841",
                        "url": "https://ubuntu.com/security/CVE-2026-45841",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45840",
                        "url": "https://ubuntu.com/security/CVE-2026-45840",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45839",
                        "url": "https://ubuntu.com/security/CVE-2026-45839",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45838",
                        "url": "https://ubuntu.com/security/CVE-2026-45838",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46214",
                        "url": "https://ubuntu.com/security/CVE-2026-46214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46207",
                        "url": "https://ubuntu.com/security/CVE-2026-46207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46234",
                        "url": "https://ubuntu.com/security/CVE-2026-46234",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46223",
                        "url": "https://ubuntu.com/security/CVE-2026-46223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46221",
                        "url": "https://ubuntu.com/security/CVE-2026-46221",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46231",
                        "url": "https://ubuntu.com/security/CVE-2026-46231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46233",
                        "url": "https://ubuntu.com/security/CVE-2026-46233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46212",
                        "url": "https://ubuntu.com/security/CVE-2026-46212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46238",
                        "url": "https://ubuntu.com/security/CVE-2026-46238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46208",
                        "url": "https://ubuntu.com/security/CVE-2026-46208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46206",
                        "url": "https://ubuntu.com/security/CVE-2026-46206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46198",
                        "url": "https://ubuntu.com/security/CVE-2026-46198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46227",
                        "url": "https://ubuntu.com/security/CVE-2026-46227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46220",
                        "url": "https://ubuntu.com/security/CVE-2026-46220",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46215",
                        "url": "https://ubuntu.com/security/CVE-2026-46215",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46201",
                        "url": "https://ubuntu.com/security/CVE-2026-46201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46224",
                        "url": "https://ubuntu.com/security/CVE-2026-46224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46197",
                        "url": "https://ubuntu.com/security/CVE-2026-46197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46209",
                        "url": "https://ubuntu.com/security/CVE-2026-46209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46230",
                        "url": "https://ubuntu.com/security/CVE-2026-46230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46199",
                        "url": "https://ubuntu.com/security/CVE-2026-46199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46204",
                        "url": "https://ubuntu.com/security/CVE-2026-46204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46218",
                        "url": "https://ubuntu.com/security/CVE-2026-46218",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46229",
                        "url": "https://ubuntu.com/security/CVE-2026-46229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46211",
                        "url": "https://ubuntu.com/security/CVE-2026-46211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46203",
                        "url": "https://ubuntu.com/security/CVE-2026-46203",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46219",
                        "url": "https://ubuntu.com/security/CVE-2026-46219",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46200",
                        "url": "https://ubuntu.com/security/CVE-2026-46200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46241",
                        "url": "https://ubuntu.com/security/CVE-2026-46241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46225",
                        "url": "https://ubuntu.com/security/CVE-2026-46225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46226",
                        "url": "https://ubuntu.com/security/CVE-2026-46226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46228",
                        "url": "https://ubuntu.com/security/CVE-2026-46228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46216",
                        "url": "https://ubuntu.com/security/CVE-2026-46216",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46210",
                        "url": "https://ubuntu.com/security/CVE-2026-46210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46240",
                        "url": "https://ubuntu.com/security/CVE-2026-46240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46235",
                        "url": "https://ubuntu.com/security/CVE-2026-46235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46222",
                        "url": "https://ubuntu.com/security/CVE-2026-46222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46239",
                        "url": "https://ubuntu.com/security/CVE-2026-46239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46236",
                        "url": "https://ubuntu.com/security/CVE-2026-46236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46205",
                        "url": "https://ubuntu.com/security/CVE-2026-46205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46202",
                        "url": "https://ubuntu.com/security/CVE-2026-46202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46213",
                        "url": "https://ubuntu.com/security/CVE-2026-46213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46232",
                        "url": "https://ubuntu.com/security/CVE-2026-46232",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43490",
                        "url": "https://ubuntu.com/security/CVE-2026-43490",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-15 06:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46174",
                        "url": "https://ubuntu.com/security/CVE-2026-46174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46110",
                        "url": "https://ubuntu.com/security/CVE-2026-46110",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46153",
                        "url": "https://ubuntu.com/security/CVE-2026-46153",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46169",
                        "url": "https://ubuntu.com/security/CVE-2026-46169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46188",
                        "url": "https://ubuntu.com/security/CVE-2026-46188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45837",
                        "url": "https://ubuntu.com/security/CVE-2026-45837",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-27 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46156",
                        "url": "https://ubuntu.com/security/CVE-2026-46156",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46147",
                        "url": "https://ubuntu.com/security/CVE-2026-46147",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46175",
                        "url": "https://ubuntu.com/security/CVE-2026-46175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46194",
                        "url": "https://ubuntu.com/security/CVE-2026-46194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46170",
                        "url": "https://ubuntu.com/security/CVE-2026-46170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46158",
                        "url": "https://ubuntu.com/security/CVE-2026-46158",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46168",
                        "url": "https://ubuntu.com/security/CVE-2026-46168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46189",
                        "url": "https://ubuntu.com/security/CVE-2026-46189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46133",
                        "url": "https://ubuntu.com/security/CVE-2026-46133",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46114",
                        "url": "https://ubuntu.com/security/CVE-2026-46114",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46127",
                        "url": "https://ubuntu.com/security/CVE-2026-46127",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46176",
                        "url": "https://ubuntu.com/security/CVE-2026-46176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46178",
                        "url": "https://ubuntu.com/security/CVE-2026-46178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46181",
                        "url": "https://ubuntu.com/security/CVE-2026-46181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46145",
                        "url": "https://ubuntu.com/security/CVE-2026-46145",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46117",
                        "url": "https://ubuntu.com/security/CVE-2026-46117",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46126",
                        "url": "https://ubuntu.com/security/CVE-2026-46126",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46144",
                        "url": "https://ubuntu.com/security/CVE-2026-46144",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46141",
                        "url": "https://ubuntu.com/security/CVE-2026-46141",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46183",
                        "url": "https://ubuntu.com/security/CVE-2026-46183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46121",
                        "url": "https://ubuntu.com/security/CVE-2026-46121",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46131",
                        "url": "https://ubuntu.com/security/CVE-2026-46131",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46139",
                        "url": "https://ubuntu.com/security/CVE-2026-46139",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46105",
                        "url": "https://ubuntu.com/security/CVE-2026-46105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46171",
                        "url": "https://ubuntu.com/security/CVE-2026-46171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46112",
                        "url": "https://ubuntu.com/security/CVE-2026-46112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46165",
                        "url": "https://ubuntu.com/security/CVE-2026-46165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46161",
                        "url": "https://ubuntu.com/security/CVE-2026-46161",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43492",
                        "url": "https://ubuntu.com/security/CVE-2026-43492",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-19 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46124",
                        "url": "https://ubuntu.com/security/CVE-2026-46124",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46130",
                        "url": "https://ubuntu.com/security/CVE-2026-46130",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46106",
                        "url": "https://ubuntu.com/security/CVE-2026-46106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46107",
                        "url": "https://ubuntu.com/security/CVE-2026-46107",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46160",
                        "url": "https://ubuntu.com/security/CVE-2026-46160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46164",
                        "url": "https://ubuntu.com/security/CVE-2026-46164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46129",
                        "url": "https://ubuntu.com/security/CVE-2026-46129",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46159",
                        "url": "https://ubuntu.com/security/CVE-2026-46159",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46143",
                        "url": "https://ubuntu.com/security/CVE-2026-46143",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46148",
                        "url": "https://ubuntu.com/security/CVE-2026-46148",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46192",
                        "url": "https://ubuntu.com/security/CVE-2026-46192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46162",
                        "url": "https://ubuntu.com/security/CVE-2026-46162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46273",
                        "url": "https://ubuntu.com/security/CVE-2026-46273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                        "cve_priority": "high",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46191",
                        "url": "https://ubuntu.com/security/CVE-2026-46191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46134",
                        "url": "https://ubuntu.com/security/CVE-2026-46134",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43495",
                        "url": "https://ubuntu.com/security/CVE-2026-43495",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43502",
                        "url": "https://ubuntu.com/security/CVE-2026-43502",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46120",
                        "url": "https://ubuntu.com/security/CVE-2026-46120",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46142",
                        "url": "https://ubuntu.com/security/CVE-2026-46142",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46118",
                        "url": "https://ubuntu.com/security/CVE-2026-46118",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46182",
                        "url": "https://ubuntu.com/security/CVE-2026-46182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46184",
                        "url": "https://ubuntu.com/security/CVE-2026-46184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43498",
                        "url": "https://ubuntu.com/security/CVE-2026-43498",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46132",
                        "url": "https://ubuntu.com/security/CVE-2026-46132",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46190",
                        "url": "https://ubuntu.com/security/CVE-2026-46190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46150",
                        "url": "https://ubuntu.com/security/CVE-2026-46150",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45836",
                        "url": "https://ubuntu.com/security/CVE-2026-45836",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45834",
                        "url": "https://ubuntu.com/security/CVE-2026-45834",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45835",
                        "url": "https://ubuntu.com/security/CVE-2026-45835",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46138",
                        "url": "https://ubuntu.com/security/CVE-2026-46138",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46111",
                        "url": "https://ubuntu.com/security/CVE-2026-46111",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46140",
                        "url": "https://ubuntu.com/security/CVE-2026-46140",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46186",
                        "url": "https://ubuntu.com/security/CVE-2026-46186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46123",
                        "url": "https://ubuntu.com/security/CVE-2026-46123",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46104",
                        "url": "https://ubuntu.com/security/CVE-2026-46104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46193",
                        "url": "https://ubuntu.com/security/CVE-2026-46193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46172",
                        "url": "https://ubuntu.com/security/CVE-2026-46172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46116",
                        "url": "https://ubuntu.com/security/CVE-2026-46116",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46154",
                        "url": "https://ubuntu.com/security/CVE-2026-46154",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46157",
                        "url": "https://ubuntu.com/security/CVE-2026-46157",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46109",
                        "url": "https://ubuntu.com/security/CVE-2026-46109",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46146",
                        "url": "https://ubuntu.com/security/CVE-2026-46146",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46167",
                        "url": "https://ubuntu.com/security/CVE-2026-46167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46151",
                        "url": "https://ubuntu.com/security/CVE-2026-46151",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46180",
                        "url": "https://ubuntu.com/security/CVE-2026-46180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46122",
                        "url": "https://ubuntu.com/security/CVE-2026-46122",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46125",
                        "url": "https://ubuntu.com/security/CVE-2026-46125",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46166",
                        "url": "https://ubuntu.com/security/CVE-2026-46166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46187",
                        "url": "https://ubuntu.com/security/CVE-2026-46187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46152",
                        "url": "https://ubuntu.com/security/CVE-2026-46152",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46163",
                        "url": "https://ubuntu.com/security/CVE-2026-46163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46136",
                        "url": "https://ubuntu.com/security/CVE-2026-46136",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46173",
                        "url": "https://ubuntu.com/security/CVE-2026-46173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43496",
                        "url": "https://ubuntu.com/security/CVE-2026-43496",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46113",
                        "url": "https://ubuntu.com/security/CVE-2026-46113",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46179",
                        "url": "https://ubuntu.com/security/CVE-2026-46179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46196",
                        "url": "https://ubuntu.com/security/CVE-2026-46196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43497",
                        "url": "https://ubuntu.com/security/CVE-2026-43497",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-05-21 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46108",
                        "url": "https://ubuntu.com/security/CVE-2026-46108",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46128",
                        "url": "https://ubuntu.com/security/CVE-2026-46128",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46177",
                        "url": "https://ubuntu.com/security/CVE-2026-46177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46149",
                        "url": "https://ubuntu.com/security/CVE-2026-46149",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46244",
                        "url": "https://ubuntu.com/security/CVE-2026-46244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46137",
                        "url": "https://ubuntu.com/security/CVE-2026-46137",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46185",
                        "url": "https://ubuntu.com/security/CVE-2026-46185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46195",
                        "url": "https://ubuntu.com/security/CVE-2026-46195",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46289",
                        "url": "https://ubuntu.com/security/CVE-2026-46289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46119",
                        "url": "https://ubuntu.com/security/CVE-2026-46119",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46135",
                        "url": "https://ubuntu.com/security/CVE-2026-46135",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                        "cve_priority": "critical",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46155",
                        "url": "https://ubuntu.com/security/CVE-2026-46155",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46115",
                        "url": "https://ubuntu.com/security/CVE-2026-46115",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-28 10:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46243",
                        "url": "https://ubuntu.com/security/CVE-2026-46243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-01 17:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2157520,
                    2154418,
                    2155837,
                    2154174,
                    2154748,
                    2156559,
                    2156556,
                    2150640,
                    2156312,
                    2155096,
                    2154715,
                    2153159,
                    2150071,
                    2154343,
                    2149770,
                    2153155,
                    2152570,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156636,
                    2156390,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156385,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2156006,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2155988,
                    2150845
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-46318",
                                "url": "https://ubuntu.com/security/CVE-2026-46318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"  This reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\") with conflict resolution to account for changes in commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").  The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking.  There is no risk of a merge causing a similar issues, as VMA_DONTEXPAND_BIT is set for hugetlb mappings.  As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues.  We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this.  Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does.  This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46322",
                                "url": "https://ubuntu.com/security/CVE-2026-46322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on build_skb failure in tun_xdp_one()  When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk.  Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46320",
                                "url": "https://ubuntu.com/security/CVE-2026-46320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tap: free page on error paths in tap_get_user_xdp()  tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk.  Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one().",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46321",
                                "url": "https://ubuntu.com/security/CVE-2026-46321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tun: free page on short-frame rejection in tun_xdp_one()  tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk.  A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46316",
                                "url": "https://ubuntu.com/security/CVE-2026-46316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry  vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase().  The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it.  xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46317",
                                "url": "https://ubuntu.com/security/CVE-2026-46317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Reassign nested_mmus array behind mmu_lock  kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array.  Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45846",
                                "url": "https://ubuntu.com/security/CVE-2026-45846",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()  bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk.   BUG: kernel NULL pointer dereference, address: 0000000000000018  RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160)  Call Trace:   <TASK>   bareudp_fill_metadata_dst (drivers/net/bareudp.c:532)   do_execute_actions (net/openvswitch/actions.c:901)   ovs_execute_actions (net/openvswitch/actions.c:1589)   ovs_packet_cmd_execute (net/openvswitch/datapath.c:700)   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114)   genl_rcv_msg (net/netlink/genetlink.c:1209)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45845",
                                "url": "https://ubuntu.com/security/CVE-2026-45845",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: taprio: fix NULL pointer dereference in class dump  When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference.  The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability.   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]  RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478)  Call Trace:   <TASK>   tc_fill_tclass (net/sched/sch_api.c:1966)   qdisc_class_dump (net/sched/sch_api.c:2326)   taprio_walk (net/sched/sch_taprio.c:2514)   tc_dump_tclass_qdisc (net/sched/sch_api.c:2352)   tc_dump_tclass_root (net/sched/sch_api.c:2370)   tc_dump_tclass (net/sched/sch_api.c:2431)   rtnl_dumpit (net/core/rtnetlink.c:6864)   netlink_dump (net/netlink/af_netlink.c:2325)   rtnetlink_rcv_msg (net/core/rtnetlink.c:6959)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   </TASK>  Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks.  Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics.  After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45844",
                                "url": "https://ubuntu.com/security/CVE-2026-45844",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: arp_tables: fix IEEE1394 ARP payload parsing  Weiming Shi says:  \"arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices.  As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa.  The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"  Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394.  Note that this returns 0 (no match) for either normal and inverse match because matching in the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394.  Moreover, adjust arpt_mangle to drop the packet too as AI suggests:  In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload.  This omits both mangling target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require to adjust arpt_mangle offset calculation, which has never been supported.  Based on patch from Weiming Shi <bestswngs@gmail.com>.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46242",
                                "url": "https://ubuntu.com/security/CVE-2026-46242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventpoll: fix ep_remove struct eventpoll / struct file UAF  ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free().  For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s \"*pprev = next\" scribbles into freed kmalloc-192 memory.  In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache.  Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs.  If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there.  A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-30 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45843",
                                "url": "https://ubuntu.com/security/CVE-2026-45843",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: bound decode() reads against the compressed packet length  slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code.  A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets.  Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45842",
                                "url": "https://ubuntu.com/security/CVE-2026-45842",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  slip: reject VJ receive packets on instances with no rstate array  slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress).  The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate.  The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context:   Oops: general protection fault, probably for non-canonical        address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]  RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519)  Call Trace:   <TASK>   ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466)   ppp_input (drivers/net/ppp/ppp_generic.c:2359)   ppp_async_process (drivers/net/ppp/ppp_async.c:492)   tasklet_action_common (kernel/softirq.c:926)   handle_softirqs (kernel/softirq.c:623)   run_ksoftirqd (kernel/softirq.c:1055)   smpboot_thread_fn (kernel/smpboot.c:160)   kthread (kernel/kthread.c:436)   ret_from_fork (arch/x86/kernel/process.c:164)   </TASK>  Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet.  The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45841",
                                "url": "https://ubuntu.com/security/CVE-2026-45841",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO  nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel.  Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as \"should not happen\".  Crash:  Oops: divide error: 0000 [#1] SMP KASAN NOPTI  RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)  Call Trace:  <IRQ>   nf_osf_match (net/netfilter/nfnetlink_osf.c:220)   xt_osf_match_packet (net/netfilter/xt_osf.c:32)   ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)   nf_hook_slow (net/netfilter/core.c:622)   ip_local_deliver (net/ipv4/ip_input.c:265)   ip_rcv (include/linux/skbuff.h:1162)   __netif_receive_skb_one_core (net/core/dev.c:6181)   process_backlog (net/core/dev.c:6642)   __napi_poll (net/core/dev.c:7710)   net_rx_action (net/core/dev.c:7945)   handle_softirqs (kernel/softirq.c:622)",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45840",
                                "url": "https://ubuntu.com/security/CVE-2026-45840",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: cap upcall PID array size and pre-size vport replies  The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids().  Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM.   kernel BUG at net/openvswitch/datapath.c:2414!  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI  CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1  RIP: 0010:ovs_vport_cmd_set+0x34c/0x400  Call Trace:   <TASK>   genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)   genl_rcv_msg (net/netlink/genetlink.c:1194)   netlink_rcv_skb (net/netlink/af_netlink.c:2550)   genl_rcv (net/netlink/genetlink.c:1219)   netlink_unicast (net/netlink/af_netlink.c:1344)   netlink_sendmsg (net/netlink/af_netlink.c:1894)   __sys_sendto (net/socket.c:2206)   __x64_sys_sendto (net/socket.c:2209)   do_syscall_64 (arch/x86/entry/syscall_64.c:63)   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)   </TASK>  Kernel panic - not syncing: Fatal exception  Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45839",
                                "url": "https://ubuntu.com/security/CVE-2026-45839",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()  CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. \"0:1:2\" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf(\"%d\"), so negative values like -1 are silently accepted.  The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N.  When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array.  A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions).  The bug is reachable with CAP_BPF:   BUG: unable to handle page fault for address: ffffed11818b6626  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  Oops: Oops: 0000 [#1] SMP KASAN NOPTI  CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full)  RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354)  RAX: 00000000ffffffff  Call Trace:   <TASK>   bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321)   bpf_core_apply (kernel/bpf/btf.c:9507)   check_core_relo (kernel/bpf/verifier.c:19475)   bpf_check (kernel/bpf/verifier.c:26031)   bpf_prog_load (kernel/bpf/syscall.c:3089)   __sys_bpf (kernel/bpf/syscall.c:6228)   </TASK>  CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45838",
                                "url": "https://ubuntu.com/security/CVE-2026-45838",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: fix end-of-list detection in cgroup_storage_get_next_key()  list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace.  Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46214",
                                "url": "https://ubuntu.com/security/CVE-2026-46214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix accept queue count leak on transport mismatch  virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog.  After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections.  Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46207",
                                "url": "https://ubuntu.com/security/CVE-2026-46207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock/virtio: fix empty payload in tap skb for non-linear buffers  For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized.  Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb().  While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46234",
                                "url": "https://ubuntu.com/security/CVE-2026-46234",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix buffer size clamping order  In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint.  This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.  Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46223",
                                "url": "https://ubuntu.com/security/CVE-2026-46223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated  A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup.  [1] d245698d727a (\"cgroup: Defer task cgroup unlink until after the task is done switching out\") [2] a72f73c4dd9b (\"cgroup: Don't expose dead tasks in cgroup\") [3] 1b164b876c36 (\"cgroup: Wait for dying tasks to leave on rmdir\") [4] 4c56a8ac6869 (\"cgroup: Fix cgroup_drain_dying() testing the wrong condition\") [5] 13e786b64bd3 (\"cgroup: Increment nr_dying_subsys_* from rmdir context\")  [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously.  The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug.  The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained.  Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that.  cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger.  This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead.  v2: Pin cgrp across the deferred destroy work with explicit     cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1     wasn't actually broken (ordered cgroup_offline_wq + queue_work order     in cgroup_task_dead() saved it) but the explicit ref removes the     dependency on those non-obvious invariants. Also note the     pre-existing cgroup_apply_control_disable() race in the description;     a follow-up will defer kill_css_finish() there.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46221",
                                "url": "https://ubuntu.com/security/CVE-2026-46221",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  EDAC/versalnet: Fix device name memory leak  The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory.  Use a stack-local char array instead of using kzalloc() for name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46231",
                                "url": "https://ubuntu.com/security/CVE-2026-46231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: put backbone reference on failed claim hash insert  When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46233",
                                "url": "https://ubuntu.com/security/CVE-2026-46233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: only purge non-released claims  When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence.  To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46212",
                                "url": "https://ubuntu.com/security/CVE-2026-46212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: bla: prevent use-after-free when deleting claims  When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put().  But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46238",
                                "url": "https://ubuntu.com/security/CVE-2026-46238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop caching unowned originator pointers in BAT IV  BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs.  Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use.  [sven: avoid bonding logic for outgoing OGM]",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46208",
                                "url": "https://ubuntu.com/security/CVE-2026-46208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: stop tp_meter sessions during mesh teardown  TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions.  A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46206",
                                "url": "https://ubuntu.com/security/CVE-2026-46206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: reject new tp_meter sessions during teardown  Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46198",
                                "url": "https://ubuntu.com/security/CVE-2026-46198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  batman-adv: fix integer overflow on buff_pos  Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46227",
                                "url": "https://ubuntu.com/security/CVE-2026-46227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL  The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().  While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu().  The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.  sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the \"sk != asoc->base.sk\" and \"asoc->base.dead\" checks, but nothing revalidates @tmp.  After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).  Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer.  Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns.  @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.  The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 (\"sctp: walk the list of asoc safely\") was added for.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46220",
                                "url": "https://ubuntu.com/security/CVE-2026-46220",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission  sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned.  These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.  Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel.  A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.  The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.  (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46215",
                                "url": "https://ubuntu.com/security/CVE-2026-46215",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm: Set old handle to NULL before prime swap in change_handle  There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free.  To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it.  create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration.  v2: cleanups of error paths",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46201",
                                "url": "https://ubuntu.com/security/CVE-2026-46201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()  When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.  (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46224",
                                "url": "https://ubuntu.com/security/CVE-2026-46224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure  When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error.  xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed.  Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning.  v2: Add comments to explain the free logic.  (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46197",
                                "url": "https://ubuntu.com/security/CVE-2026-46197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: validate SVM ioctl nattr against buffer size  Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count.  (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46209",
                                "url": "https://ubuntu.com/security/CVE-2026-46209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()  drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:    unsigned int width  = mode_cmd->width  / (i ? info->hsub : 1);   unsigned int height = mode_cmd->height / (i ? info->vsub : 1);  However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.  For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.  Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46230",
                                "url": "https://ubuntu.com/security/CVE-2026-46230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46199",
                                "url": "https://ubuntu.com/security/CVE-2026-46199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg  Check bounds against the end of the BO whenever we access the msg.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46204",
                                "url": "https://ubuntu.com/security/CVE-2026-46204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/vcn4: Prevent OOB reads when parsing IB  Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46218",
                                "url": "https://ubuntu.com/security/CVE-2026-46218",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Add bounds checking to ib_{get,set}_value  The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values.  Also make the idx a uint32_t to prevent overflows causing the condition to fail.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46229",
                                "url": "https://ubuntu.com/security/CVE-2026-46229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure  KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels.  The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers.  This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46211",
                                "url": "https://ubuntu.com/security/CVE-2026-46211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()  msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not.  Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call.  Add the missing NULL check for kmemdup() and return ret instead of 0.  Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret.  Patchwork: https://patchwork.freedesktop.org/patch/714478/",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46203",
                                "url": "https://ubuntu.com/security/CVE-2026-46203",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: cadence-quadspi: fix unclocked access on unbind  Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46219",
                                "url": "https://ubuntu.com/security/CVE-2026-46219",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on unbind  The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46200",
                                "url": "https://ubuntu.com/security/CVE-2026-46200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix controller deregistration  Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46241",
                                "url": "https://ubuntu.com/security/CVE-2026-46241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: mpc52xx: fix use-after-free on registration failure  Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak.  This issue was flagged by Sashiko when reviewing a controller deregistration fix.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46225",
                                "url": "https://ubuntu.com/security/CVE-2026-46225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: rspi: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46226",
                                "url": "https://ubuntu.com/security/CVE-2026-46226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: fsl: fix controller deregistration  Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46228",
                                "url": "https://ubuntu.com/security/CVE-2026-46228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: ch341: fix devres lifetime  USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).  Fix the controller and driver data lifetime so that they are released on driver unbind.  Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46216",
                                "url": "https://ubuntu.com/security/CVE-2026-46216",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()  When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL.  In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.  Fix that by introducing a NULL check on media_gt and bailing out early if so.  While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.  v2:   - Get address for gsc only after checking that gt is not NULL.     (Shuicheng)   - Drop the NULL check for gsc. (Shuicheng) v3:   - Add \"Fixes\" and \"Cc: <stable...>\" tags. (Matt)  (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46210",
                                "url": "https://ubuntu.com/security/CVE-2026-46210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: fix use-after-free of fmt_src during MBPF check  During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.  The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46240",
                                "url": "https://ubuntu.com/security/CVE-2026-46240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: iris: Fix use-after-free in iris_release_internal_buffers()  The recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy internal buffers after FW releases\") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.  Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46235",
                                "url": "https://ubuntu.com/security/CVE-2026-46235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: saa7164: add ioremap return checks and cleanups  Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.  This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46222",
                                "url": "https://ubuntu.com/security/CVE-2026-46222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads  The pads missed checks for connected devices which may a null dereference when the stream is enabled.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace:  rkcif_interface_enable_streams+0x48/0xf0  v4l2_subdev_enable_streams+0x26c/0x3f0  rkcif_stream_start_streaming+0x140/0x278  vb2_start_streaming+0x74/0x188  vb2_core_streamon+0xe0/0x1d8  vb2_ioctl_streamon+0x60/0xa8  v4l_streamon+0x2c/0x40  __video_do_ioctl+0x34c/0x400  video_usercopy+0x2d0/0x800  video_ioctl2+0x20/0x60  v4l2_ioctl+0x48/0x78",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46239",
                                "url": "https://ubuntu.com/security/CVE-2026-46239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl  Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks.  Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46236",
                                "url": "https://ubuntu.com/security/CVE-2026-46236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: xbox_remote: heed DMA restrictions  The buffer for IO must not be part of the device structure because that violates the DMA coherency rules.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46205",
                                "url": "https://ubuntu.com/security/CVE-2026-46205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  staging: media: atomisp: Disallow all private IOCTLs  Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46202",
                                "url": "https://ubuntu.com/security/CVE-2026-46202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: run inactivity autodim from workqueues  The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:   * appletb_inactivity_timer() is a struct timer_list callback, so it    runs in softirq context.  Every expiry triggers       BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591      Call Trace:       <IRQ>       __might_resched       __mutex_lock       backlight_device_set_brightness       appletb_inactivity_timer       call_timer_fn       run_timer_softirq   * reset_inactivity_timer() is called from appletb_kbd_hid_event() and    appletb_kbd_inp_event().  On real USB hardware these run in    softirq/IRQ context (URB completion and input-event dispatch).    When the Touch Bar has already been dimmed or turned off, the    reset path calls backlight_device_set_brightness() directly to    restore brightness, producing the same warning.  Both call sites hit the same mutex_lock()-from-atomic bug.  Fix them together by moving the blocking work onto the system workqueue:   * Convert the inactivity timer from struct timer_list to    struct delayed_work; the callback (appletb_inactivity_work) now    runs in process context where mutex_lock() is legal.  * Add a dedicated struct work_struct restore_brightness_work and have    reset_inactivity_timer() schedule it instead of calling    backlight_device_set_brightness() directly.  Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.  The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes.  The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as \"reset the inactivity timer\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46213",
                                "url": "https://ubuntu.com/security/CVE-2026-46213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: appletb-kbd: fix UAF in inactivity-timer cleanup path  Commit 38224c472a03 (\"HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe\") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.  Window A -- put_device() before timer_delete_sync():  \tput_device(&kbd->backlight_dev->dev); \ttimer_delete_sync(&kbd->inactivity_timer);  The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock).  If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.  Window B -- backlight cleanup before hid_hw_stop():  \tif (kbd->backlight_dev) { \t\ttimer_delete_sync(...); \t\tput_device(...); \t} \thid_hw_close(hdev); \thid_hw_stop(hdev);  Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late \".event\" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference.  That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer.  The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.  Both windows produce the same KASAN slab-use-after-free:    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0   Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0   Call Trace:    <IRQ>    __mutex_lock    backlight_device_set_brightness    appletb_inactivity_timer    call_timer_fn    run_timer_softirq    handle_softirqs   Allocated by task N:    devm_backlight_device_register    appletb_bl_probe   Freed by task M:    (concurrent hid_appletb_bl unbind path)  Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that   1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup,     guaranteeing no further .event callback can fire and re-arm the     timer, and  2) inside the \"if (kbd->backlight_dev)\" block, timer_delete_sync()     runs before put_device(), so the softirq is drained before the     final reference is dropped.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46232",
                                "url": "https://ubuntu.com/security/CVE-2026-46232",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  HID: playstation: Clamp num_touch_reports  A device would never lie about the number of touch reports would it?  If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43490",
                                "url": "https://ubuntu.com/security/CVE-2026-43490",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: validate inherited ACE SID length  smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.  A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.  Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-15 06:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46174",
                                "url": "https://ubuntu.com/security/CVE-2026-46174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache  Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46110",
                                "url": "https://ubuntu.com/security/CVE-2026-46110",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Prevent NULL deref when RX memory exhausted  The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag (\"OWN\") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both \"submissions\" and \"completions.\"  In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.  This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL)  But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.  Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.  In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46153",
                                "url": "https://ubuntu.com/security/CVE-2026-46153",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  8021q: delete cleared egress QoS mappings  vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory.  Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46169",
                                "url": "https://ubuntu.com/security/CVE-2026-46169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix uninit-value by validating catalog record size  Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.  When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26   HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!  hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.  This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().  Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field:    - Fixed size for folder and file records    - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected  For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.  Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46188",
                                "url": "https://ubuntu.com/security/CVE-2026-46188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  octeon_ep_vf: add NULL check for napi_build_skb()  napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference.  Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45837",
                                "url": "https://ubuntu.com/security/CVE-2026-45837",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Fix use-after-free in arena_vm_close on fork  arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free.  Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback.  Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path:    check_prep_vma()       - returns 0 early: new_len == old_len                            skips VM_DONTEXPAND check   prep_move_vma()        - vm_start == old_addr and                            vm_end == old_addr + old_len                            so may_split is never called   move_vma()     copy_vma_and_data()       copy_vma()         vm_area_dup()    - copies vm_private_data (vml pointer)         vm_ops->open()   - bumps vml->mmap_count       vm_ops->mremap()   - returns -EINVAL, rollback unmaps new VMA  The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-27 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46156",
                                "url": "https://ubuntu.com/security/CVE-2026-46156",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()  The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the \"device\" is from \"base+PCI_DEVICE_ID\", \"base\" is from \"pdev->devfn+1\". This is wrong when my platform inserts a discrete GPU:  lspci -tv -[0000:00]-+-00.0  Loongson Technology LLC Hyper Transport Bridge Controller ...            +-06.0  Loongson Technology LLC LG100 GPU            +-06.2  Loongson Technology LLC Device 7a37 ...  Add a default switch case to fix the panic as below:   Kernel ade access[#1]:  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4  pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0  a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002  a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001  t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000  t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0  t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8  s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000  s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000     ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210    ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210   CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)   PRMD: 00000004 (PPLV0 +PIE -PWE)   EUEN: 00000000 (-FPE -SXE -ASXE -BTE)   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)  ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1)   BADV: 7fffffffffffff00   PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)  Modules linked in:  Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____))  Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007          0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff          900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08          0000000000000000 0000000000000000 0000000000000006 90000001002fb778          90000001000530b8 90000000027af000 0000000000000000 9000000100054000          9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001          90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000          0000000000000006 90000000027af000 0000000000000030 90000000027af000          900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560          7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030          ...  Call Trace:  [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210  [<9000000000eebc08>] pci_fixup_device+0x108/0x280  [<9000000000ebb70c>] pci_setup_device+0x24c/0x690  [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140  [<9000000000ebc684>] pci_scan_slot+0xc4/0x280  [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0  [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420  [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440  [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0  [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<90000000010e200c>] device_for_each_child+0x6c/0xe0  [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70  [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0  [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280  [<900000000189c028>] acpi_scan_init+0x194/0x310  [<900000000189bc6c>] acpi_init+0xcc/0x140  [<9000000000220cdc>] do_one_initcall+0x4c/0x310  [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4  [<900000000184326c>] kernel_init+0x28/0x13c  [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46147",
                                "url": "https://ubuntu.com/security/CVE-2026-46147",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()  Two bugs exist in the vCPU initialisation path:  1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup    path jumps to 'unlock' without calling unpin_host_vcpu() or    unpin_host_sve_state(), permanently leaking pin references on the    host vCPU and SVE state pages.     Extract a register_hyp_vcpu() helper that performs the checks and    the store. When register_hyp_vcpu() returns an error, call    unpin_host_vcpu() and unpin_host_sve_state() inline before falling    through to the existing 'unlock' label.  2. register_hyp_vcpu() publishes the new vCPU pointer into    'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller    of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU    object.     Ensure the store uses smp_store_release() and the load uses    smp_load_acquire(). While 'vm_table_lock' currently serialises the    store and the load, these barriers ensure the reader sees the fully    initialised 'hyp_vcpu' object even if there were a lockless path or    if the lock's own ordering guarantees were insufficient for nested    object initialization.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46175",
                                "url": "https://ubuntu.com/security/CVE-2026-46175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix fsck inconsistency caused by FGGC of node block  During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.  The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP   SPO, \"fsck --dry-run\" find inode has already checkpointed but still   with DENT_BIT_SHIFT set  The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.  In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.  This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46194",
                                "url": "https://ubuntu.com/security/CVE-2026-46194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix node_cnt race between extent node destroy and writeback  f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:  drop inode                            writeback  - iput   - f2fs_drop_inode  // I_SYNC set    - f2fs_destroy_extent_node     - __destroy_extent_node      - while (node_cnt) {         write_lock(&et->lock)         __free_extent_tree         write_unlock(&et->lock)                                        - __writeback_single_inode                                         - f2fs_outplace_write_data                                          - f2fs_update_read_extent_cache                                           - __update_extent_tree_range                                            // FI_NO_EXTENT not set,                                            // insert new extent node        } // node_cnt == 0, exit while      - f2fs_bug_on(node_cnt)  // node_cnt > 0  Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.  This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46170",
                                "url": "https://ubuntu.com/security/CVE-2026-46170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: free sk if last  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end.  If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put().  But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on \"itself\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46158",
                                "url": "https://ubuntu.com/security/CVE-2026-46158",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: always decrease sk refcount  When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end.  Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak.  While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as \"unlikely\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46168",
                                "url": "https://ubuntu.com/security/CVE-2026-46168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: fix scheduling with atomic in timestamp sockopt  Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep.  Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46189",
                                "url": "https://ubuntu.com/security/CVE-2026-46189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path  Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46133",
                                "url": "https://ubuntu.com/security/CVE-2026-46133",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject unknown opcodes before ICRC processing  Even after applying commit 7244491dab34 (\"RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv\"), a single unauthenticated UDP packet can still trigger panic.  That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode.  The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver.  The check added there reads      pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE  where header_size(pkt) expands to rxe_opcode[pkt->opcode].length.  The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to      pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE  which does not constrain pkt->paylen enough.  rxe_icrc_hdr() then computes      rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES  which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload.  Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after      rdma link add rxe0 type rxe netdev eth0  A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers:      BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170     Read of size 1 at addr ...     The buggy address is located 0 bytes to the right of      allocated 704-byte region     Call Trace:      crc32_le+0x115/0x170      rxe_icrc_hdr.isra.0+0x226/0x300      rxe_icrc_check+0x13f/0x3a0      rxe_rcv+0x6e1/0x16e0      rxe_udp_encap_recv+0x20a/0x320      udp_queue_rcv_one_skb+0x7ed/0x12c0  Subsequent packets with the same shape fault on unmapped memory and panic the kernel.  The trigger requires only module load and \"rdma link add\"; no QP, no connection, and no authentication.  Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46114",
                                "url": "https://ubuntu.com/security/CVE-2026-46114",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads  atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt):      value = *(u64 *)payload_addr(pkt);  check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC).  IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path.  Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words.  With this patch applied the responder rejects the PDU and the MR stays all-zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46127",
                                "url": "https://ubuntu.com/security/CVE-2026-46127",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()  Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46176",
                                "url": "https://ubuntu.com/security/CVE-2026-46176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()  mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.  This leads to several problems: the lock-free fast path checks \"if (devr->s1) return 0;\" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.  Fix by adding the same `goto unlock` in the s1 failure path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46178",
                                "url": "https://ubuntu.com/security/CVE-2026-46178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()  Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46181",
                                "url": "https://ubuntu.com/security/CVE-2026-46181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()  Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing.  Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46145",
                                "url": "https://ubuntu.com/security/CVE-2026-46145",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Validate rx_hash_key_len  Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46117",
                                "url": "https://ubuntu.com/security/CVE-2026-46117",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()  Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.  Just reject it outright and fail the QP creation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46126",
                                "url": "https://ubuntu.com/security/CVE-2026-46126",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()  Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound.  First there is a double i-- on the first failure path due to the while loop having a i--, remove it.  Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46144",
                                "url": "https://ubuntu.com/security/CVE-2026-46144",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()  Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46141",
                                "url": "https://ubuntu.com/security/CVE-2026-46141",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  powerpc/xive: fix kmemleak caused by incorrect chip_data lookup  The kmemleak reports the following memory leak:  Unreferenced object 0xc0000002a7fbc640 (size 64):   comm \"kworker/8:1\", pid 540, jiffies 4294937872   hex dump (first 32 bytes):     01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00  ................     00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00  ................   backtrace (crc 177d48f6):     __kmalloc_cache_noprof+0x520/0x730     xive_irq_alloc_data.constprop.0+0x40/0xe0     xive_irq_domain_alloc+0xd0/0x1b0     irq_domain_alloc_irqs_parent+0x44/0x6c     pseries_irq_domain_alloc+0x1cc/0x354     irq_domain_alloc_irqs_parent+0x44/0x6c     msi_domain_alloc+0xb0/0x220     irq_domain_alloc_irqs_locked+0x138/0x4d0     __irq_domain_alloc_irqs+0x8c/0xfc     __msi_domain_alloc_irqs+0x214/0x4d8     msi_domain_alloc_irqs_all_locked+0x70/0xf8     pci_msi_setup_msi_irqs+0x60/0x78     __pci_enable_msix_range+0x54c/0x98c     pci_alloc_irq_vectors_affinity+0x16c/0x1d4     nvme_pci_enable+0xac/0x9c0 [nvme]     nvme_probe+0x340/0x764 [nvme]  This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data.  When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 (\"powerpc/xive: Untangle xive from child interrupt controller drivers\"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain.  This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above.  Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46183",
                                "url": "https://ubuntu.com/security/CVE-2026-46183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock  damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46121",
                                "url": "https://ubuntu.com/security/CVE-2026-46121",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock  Patch series \"mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path\".  Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race with their writes, results in use-after-free.  Fix those.   This patch (of 2):  damon_sysfs_scheme_filter->mmecg_path can be read and written by users, via DAMON sysfs memcg_path file.  It can also be indirectly read, for the parameters {on,off}line committing to DAMON.  The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read.  But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer.  As a result, the readers could read the already freed buffer (user-after-free).  Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking.  Nonetheless, doing the reads and writes with separate open files would be common.  Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46131",
                                "url": "https://ubuntu.com/security/CVE-2026-46131",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: check for nEPT/nNPT in slow flush hypercalls  Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46139",
                                "url": "https://ubuntu.com/security/CVE-2026-46139",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: use kzalloc to zero-initialize security descriptor buffer  Commit 62e7dd0a39c2d (\"smb: common: change the data type of num_aces to le16\") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].  When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.  When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with \"ndr_pull_security_descriptor failed: Range Error\", causing chmod to fail with EINVAL.  Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.   [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46105",
                                "url": "https://ubuntu.com/security/CVE-2026-46105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: mpt3sas: Limit NVMe request size to 2 MiB  The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB.  Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46171",
                                "url": "https://ubuntu.com/security/CVE-2026-46171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: kvm: fix vector context allocation leak  When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46112",
                                "url": "https://ubuntu.com/security/CVE-2026-46112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  RDMA/hns: Fix unlocked call to hns_roce_qp_remove()  Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks.  The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory.  Grab the same locks the other two callers use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46165",
                                "url": "https://ubuntu.com/security/CVE-2026-46165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  openvswitch: vport: fix self-deadlock on release of tunnel ports  vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period.  So, either in an RCU call or after the synchronize_net().  The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context.  Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here.  However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone.  In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal.  Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46161",
                                "url": "https://ubuntu.com/security/CVE-2026-46161",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  md/raid10: fix divide-by-zero in setup_geo() with zero far_copies  setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the \"improved\" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero.  Validate nc and fc immediately after extraction, returning -1 if either is zero.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43492",
                                "url": "https://ubuntu.com/security/CVE-2026-43492",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()  Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting \"lzeros\" from the unsigned \"nbytes\".  For this to happen, the scatterlist \"sgl\" needs to occupy more bytes than the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the scatterlist must be zero.  Under these conditions, the while loop iterating over the scatterlist will count more zeroes than \"nbytes\", subtract the number of zeroes from \"nbytes\" and cause the underflow.  When commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to \"nbytes\".  However since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto interface without scatterlists\"), the underflow can now actually be triggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the \"src\" and \"dst\" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:    sys_keyctl()     keyctl_pkey_e_d_s()       asymmetric_key_eds_op()         software_key_eds_op()           crypto_akcipher_sync_encrypt()             crypto_akcipher_sync_prep()               crypto_akcipher_encrypt()                 rsa_enc()                   mpi_read_raw_from_sgl()  To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.  Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-19 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46124",
                                "url": "https://ubuntu.com/security/CVE-2026-46124",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  isofs: validate block number from NFS file handle in isofs_export_iget  isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 (\"isofs: Prevent the use of too small fid\") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record.  That earlier fix was assigned CVE-2025-37780.  sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation.  For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.  The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.  Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46130",
                                "url": "https://ubuntu.com/security/CVE-2026-46130",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-verity-fec: fix reading parity bytes split across blocks (take 3)  fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks.  This assumption is false.  Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example.  In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes.  Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed.  On the 16th call (i=15), the alignment will be 4080 bytes into the first block.  Only 16 bytes remain in that block, but 17 parity bytes will be needed.  The code reads out-of-bounds from the parity block buffer.  Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory.  For example with block_size=4096 only the following cases are affected:      fec_roots=17: nbufs in [1, 3, 5, 15]     fec_roots=19: nbufs in [1, 229]     fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195]     fec_roots=23: nbufs in [1, 89]  Regardless, fix it by refactoring how the parity blocks are read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46106",
                                "url": "https://ubuntu.com/security/CVE-2026-46106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  eventfs: Hold eventfs_mutex and SRCU when remount walks events  Commit 340f0c7067a9 (\"eventfs: Update all the eventfs_inodes from the events descriptor\") had eventfs_set_attrs() recurse through ei->children on remount.  The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong:    - list_for_each_entry over ei->children races with the list_del_rcu()     in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as     d2603279c7d6.   - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...).     rcu_read_lock() does not extend an SRCU grace period, so ti->private     can be reclaimed under the walk.   - The writes to ei->attr race with eventfs_set_attr(), which holds     eventfs_mutex.  Reproducer:    while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done &   while :; do       echo \"p:kp submit_bio\" > /sys/kernel/tracing/kprobe_events       echo > /sys/kernel/tracing/kprobe_events   done  Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu).  eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract.  Comment in tracefs_drop_inode() said \"RCU cycle\" -- it is SRCU.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46107",
                                "url": "https://ubuntu.com/security/CVE-2026-46107",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  dm-thin: fix metadata refcount underflow  There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count.  If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in \"device mapper: space map common: unable to decrement block\" errors.  Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46160",
                                "url": "https://ubuntu.com/security/CVE-2026-46160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix missing last_unlink_trans update when removing a directory  When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.  Example scenario:     mkdir /mnt/dir1    mkdir /mnt/dir1/dir2    mkdir /mnt/dir3     sync -f /mnt     # Do some change to the directory and fsync it.    chmod 700 /mnt/dir1    xfs_io -c fsync /mnt/dir1     # Move dir2 out of dir1 so that dir1 becomes empty.    mv /mnt/dir1/dir2 /mnt/dir3/     open fd on /mnt/dir1    call rmdir(2) on path \"/mnt/dir1\"    fsync fd     <trigger power failure>  When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:     [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650    [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm    [445771.627912] BTRFS info (device dm-0): start tree-log replay    [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5    [445771.629453] memcg:ffff89f400351b00    [445771.629892] aops:btree_aops [btrfs] ino:1    [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)    [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8    [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00    [445771.635029] page dumped because: eb page dump    [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir    [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5    [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087    [445771.638094] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160    [445771.638097] \t\tinode generation 3 transid 9 size 16 nbytes 16384    [445771.638098] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0    [445771.638100] \t\trdev 0 sequence 2 flags 0x0    [445771.638102] \t\tatime 1775744884.0    [445771.660056] \t\tctime 1775744885.645502983    [445771.660058] \t\tmtime 1775744885.645502983    [445771.660060] \t\totime 1775744884.0    [445771.660062] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12    [445771.660064] \t\tindex 0 name_len 2    [445771.660066] \titem 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34    [445771.660068] \t\tlocation key (259 1 0) type 2    [445771.660070] \t\ttransid 9 data_len 0 name_len 4    [445771.660075] \titem 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34    [445771.660076] \t\tlocation key (257 1 0) type 2    [445771.660077] \t\ttransid 9 data_len 0 name_len 4    [445771.660078] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34    [445771.660079] \t\tlocation key (257 1 0) type 2    [445771.660080] \t\ttransid 9 data_len 0 name_len 4    [445771.660081] \titem 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34    [445771.660082] \t\tlocation key (259 1 0) type 2    [445771.660083] \t\ttransid 9 data_len 0 name_len 4    [445771.660084] \titem 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160    [445771.660086] \t\tinode generation 9 transid 9 size 8 nbytes 0    [445771.660087] \t\tblock group 0 mode 40777 links 1 uid 0 gid 0    [445771.660088] \t\trdev 0 sequence 2 flags 0x0    [445771.660089] \t\tatime 1775744885.641174097    [445771.660090] \t\tctime 1775744885.645502983    [445771.660091] \t\tmtime 1775744885.645502983    [445771.660105] \t\totime 1775744885.641174097    [445771.660106] \titem 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14    [445771.660107] \t\tindex 2 name_len 4    [445771.660108] \titem 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34    [445771.660109] \t\tlocation key (2 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46164",
                                "url": "https://ubuntu.com/security/CVE-2026-46164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info_sub_group() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group)  Then control returns to create_space_info_sub_group(), where:  btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group)  Thus, sub_group is freed twice.  Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46129",
                                "url": "https://ubuntu.com/security/CVE-2026-46129",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix double free in create_space_info() error path  When kobject_init_and_add() fails, the call chain is:  create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info)  Then control returns to create_space_info():  btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info)  This causes a double free.  Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46159",
                                "url": "https://ubuntu.com/security/CVE-2026-46159",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak  btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count.  When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace.  Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46143",
                                "url": "https://ubuntu.com/security/CVE-2026-46143",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens  As prepare can be called mulitple times, this can result in multiple graph opens for playback path.  This will result in a memory leaks, fix this by adding a check before opening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46148",
                                "url": "https://ubuntu.com/security/CVE-2026-46148",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: control built-in cs manually  The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller that the in-built chip select is set low while linux tries to access the device attached to the GPIO.  This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled.  Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use.  As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe, it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46192",
                                "url": "https://ubuntu.com/security/CVE-2026-46192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations  The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46162",
                                "url": "https://ubuntu.com/security/CVE-2026-46162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ice: fix double free in ice_sf_eth_activate() error path  When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev).  The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free.  Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46273",
                                "url": "https://ubuntu.com/security/CVE-2026-46273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ibmveth: Disable GSO for packets with small MSS  Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset.  Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead.  The 224-byte minimum matches ibmvnic commit <f10b09ef687f> (\"ibmvnic: Enforce stronger sanity checks on GSO packets\") which uses the same physical adapters in SEA configurations.  The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation.  Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features.  Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completedd (MSS tests, performance, stability).",
                                "cve_priority": "high",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46191",
                                "url": "https://ubuntu.com/security/CVE-2026-46191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Avoid OOB font access if console rotation fails  Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example.  Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer.  v2: - fix typos in commit message",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46134",
                                "url": "https://ubuntu.com/security/CVE-2026-46134",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration  cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex.  This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()).  Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43495",
                                "url": "https://ubuntu.com/security/CVE-2026-43495",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler  t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.  Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.  Add a struct_size() check after extracting port_count and before the loop.  In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.  Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43502",
                                "url": "https://ubuntu.com/security/CVE-2026-43502",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/rds: handle zerocopy send cleanup before the message is queued  A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.  The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.  Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.  This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46120",
                                "url": "https://ubuntu.com/security/CVE-2026-46120",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ip6_gre: Use cached t->net in ip6erspan_changelink().  After commit 5e72ce3e3980 (\"net: ipv6: Use link netns in newlink() of rtnl_link_ops\"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration.  This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify().  Reachable from an unprivileged user namespace (unshare --user --map-root-user --net).  ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46142",
                                "url": "https://ubuntu.com/security/CVE-2026-46142",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: libwx: fix VF illegal register access  Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.  When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46118",
                                "url": "https://ubuntu.com/security/CVE-2026-46118",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()  commit 6d3789d347a7 (\"papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()\"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.  Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list.  Kernel attempted to write user page (0) - exploit attempt? (uid: 0)  BUG: Kernel NULL pointer dereference on write at 0x00000000  Faulting instruction address: 0xc0000000001b44a0  Oops: Kernel access of bad area, sig: 11 [#1]  ...  Call Trace:  papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)  sys_ioctl+0x528/0x1064  system_call_exception+0x128/0x360  system_call_vectored_common+0x15c/0x2ec  Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.  This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46182",
                                "url": "https://ubuntu.com/security/CVE-2026-46182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace  The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user().  This patch fixes that by initializing the whole struct to 0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46184",
                                "url": "https://ubuntu.com/security/CVE-2026-46184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sound: ua101: fix division by zero at probe  Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete().  USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43498",
                                "url": "https://ubuntu.com/security/CVE-2026-43498",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/ivpu: Disallow re-exporting imported GEM objects  Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.  Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46132",
                                "url": "https://ubuntu.com/security/CVE-2026-46132",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo  rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation:  \tstruct ifla_vf_broadcast vf_broadcast;  The struct contains a single fixed 32-byte field:  \t/* include/uapi/linux/if_link.h */ \tstruct ifla_vf_broadcast { \t\t__u8 broadcast[32]; \t};  The function then copies dev->broadcast into it using dev->addr_len as the length:  \tmemcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);  On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via:  \tnla_put(skb, IFLA_VF_BROADCAST, \t\tsizeof(vf_broadcast), &vf_broadcast)  leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable.  The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added.  Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced.  Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46190",
                                "url": "https://ubuntu.com/security/CVE-2026-46190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()  Sashiko noticed an out-of-bounds read [1].  In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names).  Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers \t(element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended.  Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count.  Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46150",
                                "url": "https://ubuntu.com/security/CVE-2026-46150",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fanotify: fix false positive on permission events  fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check.  Fix by skipping over detached marks that are not in the current group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45836",
                                "url": "https://ubuntu.com/security/CVE-2026-45836",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45834",
                                "url": "https://ubuntu.com/security/CVE-2026-45834",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45835",
                                "url": "https://ubuntu.com/security/CVE-2026-45835",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()  Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46138",
                                "url": "https://ubuntu.com/security/CVE-2026-46138",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt  hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration.  However, there is no check that i stays within ev->num_bis before the array access.  When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory.  Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state.  The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.  Fix this by terminating the BIG if in case not all BIS could be setup properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46111",
                                "url": "https://ubuntu.com/security/CVE-2026-46111",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_conn: fix potential UAF in create_big_sync  Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete().  Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del().  hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way.  Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46140",
                                "url": "https://ubuntu.com/security/CVE-2026-46140",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btmtk: validate WMT event SKB length before struct access  btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.  Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46186",
                                "url": "https://ubuntu.com/security/CVE-2026-46186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: validate rx pkt_type header length  virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type.  After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core.  After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path.  Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46123",
                                "url": "https://ubuntu.com/security/CVE-2026-46123",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: virtio_bt: clamp rx length before skb_put  virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one().  Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device.  The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory.  Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle().  Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log.  Same class of bug as commit c04db81cd028 (\"net/9p: Fix buffer overflow in USB transport layer\"), which hardened the USB 9p transport against unchecked device-reported length.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46104",
                                "url": "https://ubuntu.com/security/CVE-2026-46104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  selinux: use sk blob accessor in socket permission helpers  SELinux socket state lives in the composite LSM socket blob.  sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero.  In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks.  Use selinux_sock() instead of accessing sk->sk_security directly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46193",
                                "url": "https://ubuntu.com/security/CVE-2026-46193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: ah: account for ESN high bits in async callbacks  AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent.  With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:    ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24   ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36  Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.  Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46172",
                                "url": "https://ubuntu.com/security/CVE-2026-46172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()  xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route.  If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries.  Release the dst before jumping to the drop path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46116",
                                "url": "https://ubuntu.com/security/CVE-2026-46116",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete  KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:    BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]   BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]   BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c   Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435    Workqueue: netns cleanup_net   Call Trace:    __hlist_del / hlist_del_rcu    __xfrm_state_delete    xfrm_state_delete    xfrm_state_flush    xfrm_state_fini    ops_exit_list    cleanup_net  The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.  __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:  \tif (x->km.seq) \t\thlist_del_rcu(&x->byseq); \tif (x->id.spi) \t\thlist_del_rcu(&x->byspi);  while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.  The defensive change here:    - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,     bysrc, byseq and byspi so a second deletion is a no-op rather     than a write through LIST_POISON pprev. The byseq/byspi nodes     are already initialised in xfrm_state_alloc().   - Test hlist_unhashed() rather than the value predicate for     byseq/byspi, so the unhash decision tracks list state rather than     mutable scalar fields.  Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.  Reproduction:    - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV   - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db   - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal   - 9 unique signatures collected in ~9h, all within xfrm_state     lifecycle",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46154",
                                "url": "https://ubuntu.com/security/CVE-2026-46154",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters  scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...).  scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46157",
                                "url": "https://ubuntu.com/security/CVE-2026-46157",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger  Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race.  And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing.  Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46109",
                                "url": "https://ubuntu.com/security/CVE-2026-46109",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: ulpi: fix memory leak on ulpi_register() error paths  Commit 01af542392b5 (\"usb: ulpi: fix double free in ulpi_register_interface() error path\") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails.  But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked.  Add kfree(ulpi) on both error paths to properly clean up the allocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46146",
                                "url": "https://ubuntu.com/security/CVE-2026-46146",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()  The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.  Add a proper size check to abort the loop for plugging the hole.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46167",
                                "url": "https://ubuntu.com/security/CVE-2026-46167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl  Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  Ideally that short command should be detected and error out, but many printers are known to send \"incorrect\" responses back so we can't just do that.  statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl.  usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller.  Fix this all by just zapping out the memory buffer when allocated at probe time.  If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no \"leak\" of information happening.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46151",
                                "url": "https://ubuntu.com/security/CVE-2026-46151",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: usblp: fix heap leak in IEEE 1284 device ID via short response  usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred.  A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know.  usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap.  That stale data is then exposed:   - via the ieee1284_id sysfs attribute (sprintf(\"%s\", buf+2), truncated     at the first NUL in the stale heap), and   - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full     claimed length regardless of NULs, up to 1021 bytes of uninitialized     heap, with the leak size chosen by the device.  Fix this up by just zapping the buffer with zeros before each request sent to the device.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46180",
                                "url": "https://ubuntu.com/security/CVE-2026-46180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task  Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46122",
                                "url": "https://ubuntu.com/security/CVE-2026-46122",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43: enforce bounds check on firmware key index in b43_rx()  The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.  Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46125",
                                "url": "https://ubuntu.com/security/CVE-2026-46125",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: remove station if connection prep fails  If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any \"new_sta\" is already being removed, so that doesn't need changes.  This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46166",
                                "url": "https://ubuntu.com/security/CVE-2026-46166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: use safe list iteration in radar detect work  The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46187",
                                "url": "https://ubuntu.com/security/CVE-2026-46187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: rsi: fix kthread lifetime race between self-exit and external-stop  RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.  However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.  Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46152",
                                "url": "https://ubuntu.com/security/CVE-2026-46152",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mac80211: drop stray 'static' from fast-RX rx_result  ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.  That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.  Make res an automatic variable so each invocation keeps its own result.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46163",
                                "url": "https://ubuntu.com/security/CVE-2026-46163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: b43legacy: enforce bounds check on firmware key index in RX path  Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].  Make the check enforcing by dropping the frame for invalid indices.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46136",
                                "url": "https://ubuntu.com/security/CVE-2026-46136",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: mt76: mt7921: fix a potential clc buffer length underflow  The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.  This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46173",
                                "url": "https://ubuntu.com/security/CVE-2026-46173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exit: prevent preemption of oopsing TASK_DEAD task  When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled.  That is forbidden: do_task_dead() calls __schedule(), which has a comment saying \"WARNING: must be called with preemption disabled!\".  If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case).  This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption.  (This does not just affect \"recursively oopsing\" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43496",
                                "url": "https://ubuntu.com/security/CVE-2026-43496",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked  When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:  1a. do a peek() - and when sensing there's an skb the child can offer, then      - the child in this case(red) calls its child's (qfq) peek.         qfq does the right thing and will return the gso_skb queue packet.         Note: if there wasnt a gso_skb entry then qfq will store it there.  1b. invoke a dequeue() on the child (red). And herein lies the problem.      - red will call the child's dequeue() which will essentially just        try to grab something of qfq's queue.  [   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [   78.671585][  T363] PKRU: 55555554 [   78.671713][  T363] Call Trace: [   78.671843][  T363]  <TASK> [   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [   78.672148][  T363]  ? __pfx__printk+0x10/0x10 [   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0 [   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red] [   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5 [   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [   78.673566][  T363]  __qdisc_run+0x169/0x1900  The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46113",
                                "url": "https://ubuntu.com/security/CVE-2026-46113",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: x86: Fix shadow paging use-after-free due to unexpected GFN  The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, \"KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\", 2026-03-27).  The flow is as follows:  - a PDE is installed for a 2MB mapping, and a page in that area is   accessed.  KVM creates a kvm_mmu_page consisting of 512 4KB pages;   the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because   the guest's mapping is a huge page (and thus contiguous).  - the PDE mapping is changed from outside the guest.  - the guest accesses another page in the same 2MB area.  KVM installs   a new leaf SPTE and rmap entry; the SPTE uses the \"correct\" GFN   (i.e. based on the new mapping, as changed in the previous step) but   that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore   the rmap entry cannot be found and removed when the kvm_mmu_page   is zapped.  - the memslot that covers the first 2MB mapping is deleted, and the   kvm_mmu_page for the now-invalid GPA is zapped.  However, rmap_remove()   only looks at the [sp->gfn, sp->gfn + 511] range established in step 1,   and fails to find the rmap entry that was recorded by step 3.  - any operation that causes an rmap walk for the same page accessed   by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page.   This includes dirty logging or MMU notifier invalidations (e.g., from   MADV_DONTNEED).  The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn.  Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write.  That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the \"wrong\" shadow page. However, that was only an imprecision until 2032a93d66fa (\"KVM: MMU: Don't allocate gfns page for direct mmu pages\") came along.  Fix it by checking for a target gfn mismatch and zapping the existing SPTE.  That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46179",
                                "url": "https://ubuntu.com/security/CVE-2026-46179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: SOF: Don't allow pointer operations on unconfigured streams  When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non zero, returning an error if not",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46196",
                                "url": "https://ubuntu.com/security/CVE-2026-46196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()  When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them.  For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state.  Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43497",
                                "url": "https://ubuntu.com/security/CVE-2026-43497",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free  dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.  Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.  Tested with PoC using dummy_hcd + raw_gadget USB device emulation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-05-21 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46108",
                                "url": "https://ubuntu.com/security/CVE-2026-46108",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi:si: Return state to normal if message allocation fails  There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46128",
                                "url": "https://ubuntu.com/security/CVE-2026-46128",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Check event message buffer response for bad data  The event message buffer response data size got checked later when processing, but check it right after the response comes back.  It appears some BMCs may return an empty message instead of an error when fetching events.  There are apparently some new BMCs that make this error, so we need to compensate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46177",
                                "url": "https://ubuntu.com/security/CVE-2026-46177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipmi: Add limits to event and receive message requests  The driver would just fetch events and receive messages until the BMC said it was done.  To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time.  In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or message or a few other things.  If the attn bit gets stuck, it's a similar problem.  So allow messages in between flag fetches so the driver itself doesn't get stuck.  This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data.  This has been there from the beginning of the driver.  It's not a bug per-se, but it is accounting for bugs in BMCs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46149",
                                "url": "https://ubuntu.com/security/CVE-2026-46149",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()  target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer.  snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes.  The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.  Commit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length check to avoid buffer overflow\") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46244",
                                "url": "https://ubuntu.com/security/CVE-2026-46244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_inner: Fix IPv6 inner_thoff desync  In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.  For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46137",
                                "url": "https://ubuntu.com/security/CVE-2026-46137",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mptcp: pm: ADD_ADDR rtx: fix potential data-race  This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock().  If the socket is in use, retry again soon after, similar to what is done with the keepalive timer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46185",
                                "url": "https://ubuntu.com/security/CVE-2026-46185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in symlink_data()  Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46195",
                                "url": "https://ubuntu.com/security/CVE-2026-46195",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: validate dacloffset before building DACL pointers  parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor.  On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths.  Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46289",
                                "url": "https://ubuntu.com/security/CVE-2026-46289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lib/scatterlist: fix length calculations in extract_kvec_to_sg  Patch series \"Fix bugs in extract_iter_to_sg()\", v3.  Fix bugs in the kvec and user variants of extract_iter_to_sg.  This series is growing due to useful remarks made by sashiko.dev.  The main bugs are: - The length for an sglist entry when extracting from   a kvec can exceed the number of bytes in the page. This   is obviously not intended. - When extracting a user buffer the sglist is temporarily   used as a scratch buffer for extracted page pointers.   If the sglist already contains some elements this scratch   buffer could overlap with existing entries in the sglist.  The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs.  Additionally, there is a memory leak fix for the test itself.  The bugs were orignally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c.  It was later moved to lib/scatterlist.c in v6.5.  Thus the actual fix is only marked for backports to v6.5+.   This patch (of 5):  When extracting from a kvec to a scatterlist, do not cross page boundaries.  The required length was already calculated but not used as intended.  Adjust the copied length if the loop runs out of sglist entries without extracting everything.  While there, return immediately from extract_iter_to_sg if there are no sglist entries at all.  A subsequent commit will add kunit test cases that demonstrate that the patch is necessary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46119",
                                "url": "https://ubuntu.com/security/CVE-2026-46119",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  libceph: Fix slab-out-of-bounds access in auth message processing  If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out.  This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46135",
                                "url": "https://ubuntu.com/security/CVE-2026-46135",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: fix race between ICReq handling and queue teardown  nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown.  If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock.  If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue.  The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference.  Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started.  Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes.",
                                "cve_priority": "critical",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46155",
                                "url": "https://ubuntu.com/security/CVE-2026-46155",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/client: fix out-of-bounds read in smb2_compound_op()  If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len.  Then smb2_compound_op() does:     memcpy(idata->wsl.eas, data[0], size[0]);  Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46115",
                                "url": "https://ubuntu.com/security/CVE-2026-46115",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  block: add pgmap check to biovec_phys_mergeable  biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps.  When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap().  Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-28 10:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46243",
                                "url": "https://ubuntu.com/security/CVE-2026-46243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: reject userspace cifs.spnego descriptions  cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin.  Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-01 17:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-28.28 -proposed tracker (LP: #2157520)",
                            "",
                            "  * Backport ASoC SDCA, AMD SoundWire, and RT722 audio fixes (LP: #2154418)",
                            "    - ASoC: amd: acp-sdw-legacy: rename the dmic component name",
                            "    - SAUCE: ASoC: rt722-sdca: add FU06 Playback Switch for speaker mute",
                            "      control",
                            "",
                            "  * MIPI camera of a BBG809N3A_B sensor SKU of the DELL Pro 14 Premium PA14260",
                            "    renders upside-down (LP: #2155837)",
                            "    - SAUCE: media: ipu-bridge: correct platform handling for DELL Pro 14",
                            "      Premium PA14260",
                            "",
                            "  * resolute ubuntu_kernel_selftests:seccomp_build test compilation issue",
                            "    (LP: #2154174)",
                            "    - SAUCE: selftests/seccomp fix compilation issue for amd64",
                            "",
                            "  * [Ubuntu 26.04] Severe Performance Degradation on kernel 7.0.0-15",
                            "    (LP: #2154748)",
                            "    - s390: Remove GENERIC_LOCKBREAK Kconfig option",
                            "    - UBUNTU [Config]: Remove GENERIC_LOCKBREAK in s390x",
                            "",
                            "  * Fix no sound output device on Dell GhostRider PTL no camera SKU",
                            "    (LP: #2156559)",
                            "    - ASoC: Intel: sof_sdw: append dai type to dai link name unconditionally",
                            "",
                            "  * Fix no audio from right built-in speaker on HP ZBook with TAS2781",
                            "    amplifier (LP: #2156556)",
                            "    - ALSA: hda/tas2781: Fix device-0 reset issue and handle -EXDEV in block",
                            "      data processing",
                            "",
                            "  * Installer fails internally with a RSync error due to page fault",
                            "    (LP: #2150640)",
                            "    - ovl: keep err zero after successful ovl_cache_get()",
                            "",
                            "  * Internal display black screen on Intel Lunar Lake with eDP panel",
                            "    (LP: #2156312)",
                            "    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG",
                            "",
                            "  * Thunderbolt DP tunnel torn down during boot with LUKS Full Disk Encryption",
                            "    (LP: #2155096)",
                            "    - SAUCE: thunderbolt: Defer DP tunnel teardown until display driver is",
                            "      ready",
                            "",
                            "  * watchdog: lenovo_se10_wdt: Add SE10 Gen 2 support (LP: #2154715)",
                            "    - watchdog: lenovo_se10_wdt: Add support for SE10 Gen 2 platform",
                            "    - watchdog: lenovo_se10_wdt: Fix use-after-free and resource leak risk",
                            "",
                            "  * [Ubuntu 26.04] KVM: IBM Test Accelerator for Z (TAZ) not working properly",
                            "    (LP: #2153159)",
                            "    - KVM: s390: only deliver service interrupt with payload",
                            "    - KVM: s390: vsie: Allow non-zarch guests",
                            "    - KVM: s390: vsie: Disable some bits when in ESA mode",
                            "    - KVM: s390: vsie: Accommodate ESA prefix pages",
                            "    - KVM: s390: Add KVM capability for ESA mode guests",
                            "",
                            "  * ubuntu_bpf failed to build on Resolute (error: expected ‘:’, ‘,’, ‘;’, ‘}’",
                            "    or ‘__attribute__’ before ‘__counted_by’) (LP: #2150071)",
                            "    - tools/headers: Regenerate stddef.h to fix BPF selftests",
                            "",
                            "  * ubuntu_bpf: FTBFS with clang 23 / gcc 15 (LP: #2154343)",
                            "    - selftests/bpf: Fix const qualifier warning in fexit_bpf2bpf.c",
                            "",
                            "  * ALSA: hda/tas2781 Audio Fix for the front-right speacker (LP: #2149770)",
                            "    - ALSA: hda/tas2781: Fix sound abnormal issue on some SPI device",
                            "",
                            "  * Fix bad audio record quality when volume above 50% on Framework PTL",
                            "    (LP: #2153155)",
                            "    - ALSA: hda/realtek: fix mic boost on Framework PTL",
                            "",
                            "  * Patchset for TUXEDO devices (LP: #2152570)",
                            "    - drm/i915/vbt: Add edp pipe joiner enable/disable bits",
                            "    - drm/i915/dp: Avoid joiner for eDP if not enabled in VBT",
                            "    - drm/amd/display: Add Idle state manager(ISM)",
                            "    - drm/i915/backlight: Remove try_vesa_interface",
                            "    - drm/i915/backlight: Use intel_panel variable instead of intel_connector",
                            "    - drm/i915/backlight: Take luminance_set into account for VESA backlight",
                            "    - drm/i915/backlight: Check luminance_set when disabling PWM via AUX VESA",
                            "      backlight",
                            "    - drm/i915/backlight: Short circuit intel_dp_aux_supports_hdr_backlight",
                            "    - drm/i915/backlight: Update debug log during backlight setup",
                            "    - drm/i915/backlight: Check if VESA backlight is possible",
                            "    - drm/i915/backlight: Provide clear description on how backlight level is",
                            "      controlled",
                            "    - drm/i915/backlight: Fix VESA backlight possible check condition",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636)",
                            "    - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size",
                            "    - ACPI: button: Fix ACPI GPE handler leak during removal",
                            "    - ACPI: button: Enable wakeup GPEs for ACPI buttons at probe time",
                            "    - xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit",
                            "    - net/sched: sch_sfb: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "    - bcache: fix uninitialized closure object",
                            "    - nfc: llcp: Fix use-after-free in llcp_sock_release()",
                            "    - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()",
                            "    - xfrm: Check for underflow in xfrm_state_mtu",
                            "    - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems",
                            "    - tools/bootconfig: Fix buf leaks in apply_xbc",
                            "    - HID: remove duplicate hid_warn_ratelimited definition",
                            "    - kunit: fix use-after-free in debugfs when using kunit.filter",
                            "    - accel/rocket: fix UAF via dangling GEM handle in create_bo",
                            "    - netfilter: synproxy: refresh tcphdr after skb_ensure_writable",
                            "    - netfilter: xt_cpu: prefer raw_smp_processor_id",
                            "    - netfilter: ebtables: fix OOB read in compat_mtw_from_user",
                            "    - netfilter: nf_tables: fix dst corruption in same register operation",
                            "    - vsock: keep poll shutdown state consistent",
                            "    - net: netlink: fix sending unassigned nsid after assigned one",
                            "    - net: netlink: don't set nsid on local notifications",
                            "    - net/smc: Do not re-initialize smc hashtables",
                            "    - net/iucv: fix locking in .getsockopt",
                            "    - scsi: core: Run queues for all non-SDEV_DEL devices from",
                            "      scsi_run_host_queues",
                            "    - scsi: scsi_debug: Add missing newline in scsi_debug_device_reset()",
                            "    - ipv4: free net->ipv4.sysctl_local_reserved_ports after",
                            "      unregister_net_sysctl_table()",
                            "    - ALSA: hda: cs35l56: Fix system name string leaks",
                            "    - ALSA: pcm: oss: Fix setup list UAF on proc write error",
                            "    - ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors",
                            "    - net/mlx5: HWS: Reject unsupported remove-header action",
                            "    - net: hsr: fix potential OOB access in supervision frame handling",
                            "    - accel/ivpu: prevent uninitialized data bug in debugfs",
                            "    - gpio: mxc: fix irq_high handling",
                            "    - drm/i915/aux: use polling when irqs are unavailable",
                            "    - net: Avoid checksumming unreadable skb tail on trim",
                            "    - ethtool: rss: avoid modifying the RSS context response",
                            "    - ethtool: rss: add missing errno on RSS context delete",
                            "    - ethtool: rss: fix falsely ignoring indir table updates",
                            "    - ethtool: rss: fix indir_table and hkey leak on get_rxfh failure",
                            "    - ethtool: rss: fix hkey leak when indir_size is 0",
                            "    - ethtool: rss: avoid device context leak on reply-build failure",
                            "    - ethtool: module: call ethnl_ops_complete() on module flash errors",
                            "    - ethtool: module: avoid leaking a netdev ref on module flash errors",
                            "    - ethtool: module: avoid racy updates to dev->ethtool bitfield",
                            "    - ethtool: module: check fw_flash_in_progress under rtnl_lock",
                            "    - ethtool: module: fix cleanup if socket used for flashing multiple",
                            "      devices",
                            "    - ethtool: cmis: require exact CDB reply length",
                            "    - ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl",
                            "    - ethtool: cmis: validate start_cmd_payload_size from module",
                            "    - ethtool: cmis: validate fw->size against start_cmd_payload_size",
                            "    - cxl/test: Update mock dev array before calling platform_device_add()",
                            "    - blk-mq: reinsert cached request to the list",
                            "    - tunnels: load network headers after skb_cow() in",
                            "      iptunnel_pmtud_build_icmp[v6]()",
                            "    - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()",
                            "    - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()",
                            "    - ksmbd: fix FSCTL permission bypass by adding a permission check for",
                            "      FSCTL_SET_SPARSE",
                            "    - ASoC: codecs: simple-mux: Fix enum control bounds check",
                            "    - drm/xe: Restore IDLEDLY regiter on engine reset",
                            "    - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()",
                            "    - bonding: refuse to enslave CAN devices",
                            "    - bridge: Fix sleep in atomic context in netlink path",
                            "    - bridge: Fix sleep in atomic context in sysfs path",
                            "    - ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES",
                            "    - ethtool: tsconfig: fix reply error handling",
                            "    - ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup",
                            "      error",
                            "    - ethtool: pse-pd: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsconfig: fix missing ethnl_ops_complete()",
                            "    - ethtool: tsinfo: fix uninitialized stats on the by-PHC path",
                            "    - ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure",
                            "    - ethtool: strset: fix header attribute index in ethnl_req_get_phydev()",
                            "    - ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during",
                            "      fallback",
                            "    - ethtool: eeprom: add more safeties to EEPROM Netlink fallback",
                            "    - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()",
                            "    - net/sched: Revert \"net/sched: Restrict conditions for adding duplicating",
                            "      netems to qdisc tree\"",
                            "    - net/sched: fix packet loop on netem when duplicate is on",
                            "    - net: Introduce skb tc depth field to track packet loops",
                            "    - net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop",
                            "    - net/sched: act_mirred: Fix blockcast recursion bypass leading to stack",
                            "      overflow",
                            "    - net/sched: act_mirred: Fix return code in early mirred redirect error",
                            "      paths",
                            "    - net: hibmcge: disable Relaxed Ordering to fix RX packet corruption",
                            "    - net: hibmcge: move dma_rmb() after dma_sync_single_for_cpu() in RX path",
                            "    - net/handshake: Use spin_lock_bh for hn_lock",
                            "    - nvme-tcp: store negative errno in queue->tls_err",
                            "    - net/handshake: Pass negative errno through handshake_complete()",
                            "    - net/handshake: hand off the pinned file reference to accept_doit",
                            "    - net/handshake: Take a long-lived file reference at submit",
                            "    - net/handshake: Drain pending requests at net namespace exit",
                            "    - dpll: zl3073x: detect DPLL channel count from chip ID at runtime",
                            "    - dpll: zl3073x: add die temperature reporting for supported chips",
                            "    - dpll: export __dpll_device_change_ntf() for use under dpll_lock",
                            "    - dpll: zl3073x: use __dpll_device_change_ntf() and remove change_work",
                            "    - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success",
                            "    - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp",
                            "    - Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close",
                            "    - Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()",
                            "    - gpio: adnp: fix flow control regression caused by scoped_guard()",
                            "    - gpio: virtuser: Fix uninitialized data bug in",
                            "      gpio_virtuser_direction_do_write()",
                            "    - gpio: rockchip: convert bank->clk to devm_clk_get_enabled()",
                            "    - gpio: rockchip: teardown bugs and resource leaks",
                            "    - net: mana: Add NULL guards in teardown path to prevent panic on attach",
                            "      failure",
                            "    - net: mana: Skip redundant detach on already-detached port",
                            "    - sctp: fix race between sctp_wait_for_connect and peeloff",
                            "    - net: pcs: pcs-mtk-lynxi: fix bpi-r3 serdes configuration",
                            "    - vsock/virtio: bind uarg before filling zerocopy skb",
                            "    - ipv6: fix possible infinite loop in rt6_fill_node()",
                            "    - ipv6: fix possible infinite loop in fib6_select_path()",
                            "    - net: skbuff: fix pskb_carve leaking zcopy pages",
                            "    - Revert \"ipv6: preserve insertion order for same-scope addresses\"",
                            "    - Revert \"x86/fpu: Refine and simplify the magic number check during",
                            "      signal return\"",
                            "    - drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register",
                            "    - drm/i915/psr: Read Intel DPCD workaround register",
                            "    - drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used",
                            "    - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer",
                            "    - iio: imu: adis16550: fix stack leak in trigger handler",
                            "    - iio: pressure: bmp280: fix stack leak in bmp580 trigger handler",
                            "    - usb: typec: ucsi: ccg: reject firmware images without a ':' record",
                            "      header",
                            "    - usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers",
                            "    - usb: typec: tcpm: bound altmode_desc[] per iteration in",
                            "      svdm_consume_modes()",
                            "    - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload",
                            "      VDO",
                            "    - usb: typec: altmodes/displayport: validate count before reading Status",
                            "      Update VDO",
                            "    - usb: typec: wcove: don't write past struct pd_message in",
                            "      wcove_read_rx_buffer()",
                            "    - usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT",
                            "    - usb: typec: ucsi: validate connector number in ucsi_connector_change()",
                            "    - USB: serial: safe_serial: fix memory corruption with small endpoint",
                            "    - media: rc: igorplugusb: fix control request setup packet",
                            "    - Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()",
                            "    - USB: serial: cypress_m8: fix memory corruption with small endpoint",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse",
                            "    - Bluetooth: btusb: Allow firmware re-download when version matches",
                            "    - mm/vmalloc: do not trigger BUG() on BH disabled context",
                            "    - hpfs: fix a crash if hpfs_map_dnode_bitmap fails",
                            "    - mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()",
                            "    - ipc: limit next_id allocation to the valid ID range",
                            "    - mm: memcontrol: propagate NMI slab stats to memcg vmstats",
                            "    - mm/migrate_device: fix pgtable leak in migrate_vma_insert_huge_pmd_page",
                            "    - memfd: deny writeable mappings when implying SEAL_WRITE",
                            "    - zram: fix use-after-free in zram_writeback_endio",
                            "    - mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one",
                            "    - auxdisplay: line-display: fix OOB read on zero-length message_store()",
                            "    - smb: client: fix uninitialized variable in smb2_writev_callback",
                            "    - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()",
                            "    - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn",
                            "    - Bluetooth: HIDP: fix missing length checks in hidp_input_report()",
                            "    - Bluetooth: ISO: fix UAF in iso_recv_frame",
                            "    - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock",
                            "    - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()",
                            "    - Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading",
                            "    - Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync",
                            "    - Input: xpad - fix out-of-bounds access for Share button",
                            "    - parport: Fix race between port and client registration",
                            "    - rust_binder: Avoid holding lock when dropping delivered_death",
                            "    - rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN",
                            "    - USB: cdc-acm: Fix bit overlap and move quirk definitions to header",
                            "    - KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor",
                            "    - KVM: arm64: PMU: Preserve AArch32 counter low bits",
                            "    - KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC",
                            "    - KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use",
                            "    - KVM: SEV: Ignore Port I/O requests of length '0'",
                            "    - KVM: SEV: Use the size of the PSC header as the minimum size for PSC",
                            "      requests",
                            "    - KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0",
                            "    - KVM: SEV: Compute the correct max length of the in-GHCB scratch area",
                            "    - KVM: SEV: Check PSC request indices against the actual size of the",
                            "      buffer",
                            "    - KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer",
                            "    - KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()",
                            "    - gpio: shared: undo the vote of the proxy on GPIO free",
                            "    - gpio: shared: fix deadlock on shared proxy's parent removal",
                            "    - gpio: shared: fix lockdep false positive by removing unneeded lock",
                            "    - Disable -Wattribute-alias for clang-23 and newer",
                            "    - iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux",
                            "    - iio: adc: npcm: fix unbalanced clk_disable_unprepare()",
                            "    - iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings",
                            "    - iio: dac: max5821: fix return value check in powerdown sync",
                            "    - iio: dac: ad5686: fix ref bit initialization for single-channel parts",
                            "    - iio: dac: ad5686: fix input raw value check",
                            "    - iio: dac: ad5686: acquire lock when doing powerdown control",
                            "    - iio: dac: ad5686: fix powerdown control on dual-channel devices",
                            "    - iio: adc: mt6359: fix unchecked return value in mt6358_read_imp",
                            "    - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw",
                            "    - iio: adc: ad4695: Fix call ordering in offload buffer postenable",
                            "    - iio: adc: nxp-sar-adc: fix division by zero in write_raw",
                            "    - iio: adc: nxp-sar-adc: Avoid division by zero",
                            "    - iio: adc: nxp-sar-adc: zero-initialize dma_slave_config",
                            "    - iio: gyro: itg3200: fix i2c read into the wrong stack location",
                            "    - iio: gyro: adis16260: fix division by zero in write_raw",
                            "    - iio: ssp_sensors: cancel delayed work_refresh on remove",
                            "    - iio: temperature: tsys01: fix broken PROM checksum validation",
                            "    - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL",
                            "    - iio: light: veml6070: Fix resource leak in probe error path",
                            "    - iio: Fix iio_multiply_value use in iio_read_channel_processed_scale",
                            "    - iio: chemical: mhz19b: reject oversized serial replies",
                            "    - iio: chemical: scd30: fix division by zero in write_raw",
                            "    - iio: light: cm3323: fix reg_conf not being initialized correctly",
                            "    - iio: buffer: hw-consumer: fix use-after-free in error path",
                            "    - iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()",
                            "    - USB: serial: omninet: fix memory corruption with small endpoint",
                            "    - usb: cdns3: gadget: fix request skipping after clearing halt",
                            "    - usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy",
                            "      acquisition failure",
                            "    - usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently",
                            "      leaks the runtime PM usage counter across bind/unbind cycles",
                            "    - usb: dwc2: Fix use after free in debug code",
                            "    - Input: elan_i2c - validate firmware size before use",
                            "    - i2c: davinci: fix division by zero on missing clock-frequency",
                            "    - x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines",
                            "    - wireguard: send: append trailer after expanding head",
                            "    - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data",
                            "    - macsec: fix replay protection at XPN lower-PN wrap",
                            "    - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()",
                            "    - ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params",
                            "    - octeontx2-af: validate body pcifunc in rvu_mbox_handler_rep_event_notify",
                            "    - ipv6: exthdrs: refresh nh after handling HAO option",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().",
                            "    - ipv6: validate extension header length before copying to cmsg",
                            "    - xfrm: input: hold netns during deferred transport reinjection",
                            "    - l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname",
                            "    - ip6: vti: Use ip6_tnl.net in vti6_changelink().",
                            "    - net: skbuff: fix missing zerocopy reference in pskb_carve helpers",
                            "    - spi: spi-mem: avoid mutating op template in spi_mem_supports_op()",
                            "    - HID: wacom: Fix OOB write in wacom_hid_set_device_mode()",
                            "    - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings",
                            "    - nfc: hci: fix out-of-bounds read in HCP header parsing",
                            "    - xfrm: route MIGRATE notifications to caller's netns",
                            "    - xfrm: ipcomp: Free destination pages on acomp errors",
                            "    - xfrm: ah: use skb_to_full_sk in async output callbacks",
                            "    - ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417",
                            "    - ALSA: firewire-motu: Protect register DSP event queue positions",
                            "    - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without",
                            "      direction check",
                            "    - ASoC: qcom: q6asm-dai: close stream only when running",
                            "    - ASoC: qcom: q6asm-dai: do not set stream state in event and trigger",
                            "      callbacks",
                            "    - xfrm: esp: restore combined single-frag length gate",
                            "    - ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP",
                            "    - xfrm: iptfs: reset runtime state when cloning SAs",
                            "    - dma-buf: fix UAF in dma_buf_fd() tracepoint",
                            "    - Input: xpad - add \"Nova 2 Lite\" from GameSir",
                            "    - Input: xpad - add support for ASUS ROG RAIKIRI II",
                            "    - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops",
                            "    - misc: rp1: Send IACK on IRQ activate to fix kdump/kexec",
                            "    - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem",
                            "    - Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490",
                            "    - dt-bindings: usb: Fix EIC7700 USB reset's issue",
                            "    - comedi: comedi_test: fix check for valid scan_begin_src in",
                            "      waveform_ai_cmdtest()",
                            "    - comedi: comedi_test: Fix limiting of convert_arg in",
                            "      waveform_ai_cmdtest()",
                            "    - counter: Fix refcount leak in counter_alloc() error path",
                            "    - tty: serial: pch_uart: add check for dma_alloc_coherent()",
                            "    - tty: serial: samsung: Remove redundant port lock acquisition in rx",
                            "      helpers",
                            "    - uio: uio_pci_generic_sva: fix double free of devm_kzalloc() memory",
                            "    - usb: chipidea: core: convert ci_role_switch to local variable",
                            "    - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval",
                            "    - usb: dwc3: xilinx: fix error handling in zynqmp init error paths",
                            "    - usb: musb: omap2430: Fix use-after-free in omap2430_probe()",
                            "    - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub",
                            "      controllers",
                            "    - usb: storage: Add quirks for PNY Elite Portable SSD",
                            "    - usbip: vudc: Fix use after free bug in vudc_remove due to race condition",
                            "    - usb: usbtmc: check URB actual_length for interrupt-IN notifications",
                            "    - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize",
                            "    - usb: typec: tipd: Fix error code in tps6598x_probe()",
                            "    - usb: typec: tcpm: improve handling of DISCOVER_MODES failures",
                            "    - usb: typec: ucsi: Check if power role change actually happened before",
                            "      handling",
                            "    - usb: typec: ucsi: Don't update power_supply on power role change if not",
                            "      connected",
                            "    - USB: serial: option: add MeiG SRM813Q",
                            "    - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL",
                            "    - USB: serial: belkin_sa: validate interrupt status length",
                            "    - USB: serial: cypress_m8: validate interrupt packet headers",
                            "    - USB: serial: digi_acceleport: fix memory corruption with small endpoints",
                            "    - USB: serial: keyspan: fix missing indat transfer sanity check",
                            "    - USB: serial: mxuport: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix memory corruption with small endpoint",
                            "    - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check",
                            "    - usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind",
                            "    - usb: gadget: net2280: Fix double free in probe error path",
                            "    - usb: gadget: f_hid: fix device reference leak in hidg_alloc()",
                            "    - usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling",
                            "    - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports",
                            "    - usb: gadget: f_fs: copy only received bytes on short ep0 read",
                            "    - usb: gadget: f_fs: serialize DMABUF cancel against request completion",
                            "    - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()",
                            "    - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow",
                            "    - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()",
                            "    - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker",
                            "    - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32",
                            "    - scsi: target: iscsi: Fix CRC overread and double-free in",
                            "      iscsit_handle_text_cmd()",
                            "    - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf",
                            "    - scsi: target: iscsi: Validate CHAP_R length before base64 decode",
                            "    - drm/hyperv: validate resolution_count and fix WIN8 fallback",
                            "    - drm/hyperv: validate VMBus packet size in receive callback",
                            "    - drm/gem: fix race between change_handle and handle_delete",
                            "    - drm/i915/color: Fix HDR pre-CSC LUT programming loop",
                            "    - drm/i915/psr: Block DC states on vblank enable when Panel Replay",
                            "      supported",
                            "    - drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable",
                            "    - drm/i915: Fix potential UAF in TTM object purge",
                            "    - drm/amd/pm/si: Disregard vblank time when no displays are connected",
                            "    - serial: altera_jtaguart: handle uart_add_one_port() failures",
                            "    - serial: qcom-geni: fix UART_RX_PAR_EN bit position",
                            "    - serial: qcom_geni: fix kfifo underflow when flush precedes DMA",
                            "      completion IRQ",
                            "    - serial: sh-sci: fix memory region release in error path",
                            "    - serial: zs: Fix swapped RI/DSR modem line transition counting",
                            "    - serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma",
                            "    - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr",
                            "    - drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger",
                            "    - drm/amdkfd: Check for pdd drm file first in CRIU restore path",
                            "    - drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO",
                            "    - drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx",
                            "    - drm/amdgpu: fix amdgpu_hmm_range_get_pages",
                            "    - drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO",
                            "    - serial: dz: Fix bootconsole message clobbering at chip reset",
                            "    - serial: dz: Fix bootconsole handover lockup",
                            "    - serial: dz: Convert to use a platform device",
                            "    - serial: zs: Fix bootconsole handover lockup",
                            "    - serial: zs: Switch to using channel reset",
                            "    - serial: zs: Convert to use a platform device",
                            "    - serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)",
                            "    - serial: 8250: dispatch SysRq character in serial8250_handle_irq()",
                            "    - serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()",
                            "    - platform/x86/intel/vsec: Refactor base_addr handling",
                            "    - platform/x86/intel/vsec: Make driver_data info const",
                            "    - platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery",
                            "    - rxrpc: Fix RESPONSE packet verification to extract skb to a linear",
                            "      buffer",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx",
                            "    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP 16 Piston OmniBook",
                            "      X",
                            "    - arm64: tlb: Flush walk cache when unsharing PMD tables",
                            "    - i2c: tegra: make tegra_i2c_mutex_unlock() return void",
                            "    - hwmon: (pmbus) Add support for guarded PMBus lock",
                            "    - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with",
                            "      pmbus_lock",
                            "    - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock",
                            "    - net: phy: micrel: fix LAN8814 QSGMII soft reset",
                            "    - xhci: tegra: Fix ghost USB device on dual-role port unplug",
                            "    - mailbox: Fix NULL message support in mbox_send_message()",
                            "    - usb: core: Fix SuperSpeed root hub wMaxPacketSize",
                            "    - tools: ynl: add scope qualifier for definitions",
                            "    - Linux 7.0.12",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46318",
                            "    - Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46322",
                            "    - tun: free page on build_skb failure in tun_xdp_one()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46320",
                            "    - tap: free page on error paths in tap_get_user_xdp()",
                            "",
                            "  * Resolute update: v7.0.12 upstream stable release (LP: #2156636) //",
                            "    CVE-2026-46321",
                            "    - tun: free page on short-frame rejection in tun_xdp_one()",
                            "",
                            "  * CVE-2026-46316 // CVE-2026-46317",
                            "    - KVM: arm64: Reassign nested_mmus array behind mmu_lock",
                            "",
                            "  * CVE-2026-46316",
                            "    - KVM: arm64: vgic-its: Drop the translation cache reference only for the",
                            "      erased entry",
                            "    - KVM: arm64: Take the SRCU lock for page table walks in fault injection",
                            "      and AT emulation",
                            "",
                            "  * Resolute update: v7.0.11 upstream stable release (LP: #2156390)",
                            "    - iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs",
                            "    - iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs",
                            "    - ksmbd: close durable scavenger races against m_fp_list lookups",
                            "    - ata: libata-scsi: improve readability of ata_scsi_qc_issue()",
                            "    - ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT",
                            "    - ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS",
                            "    - ata: libata-scsi: do not needlessly defer commands when using PMP with",
                            "      FBS",
                            "    - sysfs: don't remove existing directory on update failure",
                            "    - mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()",
                            "    - ksmbd: fix null pointer dereference in compare_guid_key()",
                            "    - ksmbd: fix null pointer dereference in proc_show_files()",
                            "    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow",
                            "    - ksmbd: validate SID in parent security descriptor during ACL inheritance",
                            "    - regulator: tps65219: fix irq_data.rdev not being assigned",
                            "    - x86/mm: Disable broadcast TLB flush when PCID is disabled",
                            "    - scripts/gdb: mm: cast untyped symbols in x86_page_ops",
                            "    - smb: client: require net admin for CIFS SWN netlink",
                            "    - smb: client: protect tc_count increment in",
                            "      smb2_find_smb_sess_tcon_unlocked()",
                            "    - smb: client: use data_len for SMB2 READ encrypted folioq copy",
                            "    - smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close",
                            "    - hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX",
                            "    - ALSA: ua101: Reject too-short USB descriptors",
                            "    - ALSA: pcm: Don't setup bogus iov_iter for silencing",
                            "    - ALSA: asihpi: Fix potential OOB array access at reading cache",
                            "    - ALSA: scarlett2: Allow flash writes ending at segment boundary",
                            "    - ACPI: battery: Fix system wakeup on critical battery status",
                            "    - efi: Allocate runtime workqueue before ACPI init",
                            "    - spi: amd: Set correct bus number in ACPI probe path",
                            "    - io_uring/waitid: clear waitid info before copying it to userspace",
                            "    - drivers/base/memory: fix memory block reference leak in poison",
                            "      accounting",
                            "    - ipv6: ioam: refresh hdr pointer before ioam6_event()",
                            "    - mm/memory: fix spurious warning when unmapping device-private/exclusive",
                            "      pages",
                            "    - mm: fix __vm_normal_page() to handle missing support for",
                            "      pmd_special()/pud_special()",
                            "    - mm/memory_hotplug: fix memory block reference leak on remove",
                            "    - mm/page_alloc: fix initialization of tags of the huge zero folio with",
                            "      init_on_free",
                            "    - mm/migrate_device: fix spinlock leak in migrate_vma_insert_huge_pmd_page",
                            "    - selftests/mm: run_vmtests.sh: fix destructive tests invocation",
                            "    - mm/damon: fix damos_stat tracepoint format for sz_applied",
                            "    - net: wwan: iosm: fix potential memory leaks in ipc_imem_init()",
                            "    - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()",
                            "    - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START",
                            "    - Bluetooth: bnep: Fix UAF read of dev->name",
                            "    - Bluetooth: hci_uart: fix UAFs and race conditions in close and init",
                            "      paths",
                            "    - Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer",
                            "    - Bluetooth: hci_qca: Convert timeout from jiffies to ms",
                            "    - Bluetooth: MGMT: validate Add Extended Advertising Data length",
                            "    - Bluetooth: serialize accept_q access",
                            "    - phonet/pep: disable BH around forwarded sk_receive_skb()",
                            "    - net: bcmgenet: keep RBUF EEE/PM disabled",
                            "    - net: devmem: reject dma-buf bind with non-page-aligned size or SG length",
                            "    - net: phy: skip EEE advertisement write when autoneg is disabled",
                            "    - net: hsr: defer node table free until after RCU readers",
                            "    - net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover",
                            "    - net: ifb: report ethtool stats over num_tx_queues",
                            "    - net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()",
                            "    - netfilter: ip6t_hbh: reject oversized option lists",
                            "    - netfilter: nf_queue: hold bridge skb->dev while queued",
                            "    - netfilter: ipset: stop hash:* range iteration at end",
                            "    - net: ethtool: fix NULL pointer dereference in phy_reply_size",
                            "    - net: ethtool: phy: avoid NULL deref when PHY driver is unbound",
                            "    - ACPI: driver: Check ACPI_COMPANION() against NULL during probe",
                            "    - sched_ext: Fix missing warning in scx_set_task_state() default case",
                            "    - sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path",
                            "    - l2tp: use list_del_rcu in l2tp_session_unhash",
                            "    - qed: fix double free in qed_cxt_tables_alloc()",
                            "    - ring-buffer: Fix reporting of missed events in iterator",
                            "    - ring-buffer: Flush and stop persistent ring buffer on panic",
                            "    - wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb",
                            "    - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()",
                            "    - selftests: mptcp: drop nanoseconds width specifier",
                            "    - mptcp: pm: fix ADD_ADDR timer infinite retry on option space",
                            "      insufficient",
                            "    - vsock/vmci: fix UAF when peer resets connection during handshake",
                            "    - vsock/virtio: reset connection on receiving queue overflow",
                            "    - ice: fix VF queue configuration with low MTU values",
                            "    - wifi: ath11k: clear shared SRNG pointer state on restart",
                            "    - wifi: iwlwifi: mvm: fix driver-set TX rates on old devices",
                            "    - wifi: iwlwifi: mld: stop TX during firmware restart",
                            "    - ipv4: raw: reject IP_HDRINCL packets with ihl < 5",
                            "    - ixgbevf: fix use-after-free in VEPA multicast source pruning",
                            "    - rbd: eliminate a race in lock_dwork draining on unmap",
                            "    - mptcp: do not drop partial packets",
                            "    - mptcp: reset rcv wnd on disconnect",
                            "    - lsm: hold cred_guard_mutex for lsm_set_self_attr()",
                            "    - octeontx2-af: CGX: add bounds check to cgx_speed_mbps index",
                            "    - octeontx2-pf: fix double free in rvu_rep_rsrc_init()",
                            "    - igc: fix potential skb leak in igc_fpe_xmit_smd_frame()",
                            "    - ice: fix locking around wait_event_interruptible_locked_irq",
                            "    - ice: fix setting promisc mode while adding VID filter",
                            "    - ice: restore PTP Rx timestamp config after ethtool set-channels",
                            "    - wifi: cfg80211: advance loop vars in cfg80211_merge_profile()",
                            "    - af_unix: Fix UAF read of tail->len in unix_stream_data_wait()",
                            "    - wifi: mac80211: consume only present negotiated TTLM maps",
                            "    - octeontx2-pf: avoid double free of pool->stack on AQ init failure",
                            "    - cifs: Fix busy dentry used after unmounting",
                            "    - tracing: Do not call map->ops->elt_free() if elt_alloc() fails",
                            "    - ASoC: codecs: pcm512x: fix null-ptr dereference in",
                            "      pcm512x_overclock_xxx_put()",
                            "    - arm64: probes: Handle probes on hinted conditional branch instructions",
                            "    - KVM: arm64: vgic-its: Reject restored DTE with out-of-range",
                            "      num_eventid_bits",
                            "    - KVM: arm64: vgic: Free private_irqs when init fails after allocation",
                            "    - KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum",
                            "      #1235)",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM",
                            "    - riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM",
                            "    - virt: sev-guest: Explicitly leak pages in unknown state",
                            "    - i2c: tegra: fix pm_runtime leak on mutex_lock failure",
                            "    - drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe",
                            "    - spi: qup: fix error pointer deref after DMA setup failure",
                            "    - phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870",
                            "    - phy: tegra: xusb: Fix per-pad high-speed termination calibration",
                            "    - phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4",
                            "      fix",
                            "    - phy: qcom: edp: Unify generic DP/eDP swing and pre-emphasis tables",
                            "    - phy: qcom: edp: Add eDP/DP mode switch support",
                            "    - phy: qcom: edp: Fix AUX_CFG8 programming for DP mode",
                            "    - scsi: isci: Fix use-after-free in device removal path",
                            "    - spi: ep93xx: fix error pointer deref after DMA setup failure",
                            "    - spi: sprd: fix error pointer deref after DMA setup failure",
                            "    - spi: ti-qspi: fix use-after-free after DMA setup failure",
                            "    - mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()",
                            "    - RDMA/siw: Reject MPA FPDU length underflow before signed receive math",
                            "    - s390/cio: Restore GFP_DMA for CHSC allocation",
                            "    - s390/pai: Disable duplicate read of kernel PAI counter value",
                            "    - s390/pai: Fix missing PAI counter increments under heavy load",
                            "    - fwctl: pds: Validate RPC input size before parsing",
                            "    - LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions",
                            "    - LoongArch: Remove unused code to avoid build warning",
                            "    - cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E",
                            "    - device property: set fwnode->secondary to NULL in fwnode_init()",
                            "    - drm/i915/display: Copy color pipeline from plane in the primary joiner",
                            "      pipe",
                            "    - drm/msm: Fix shrinker deadlock",
                            "    - drm/v3d: Fix use-after-free of CPU job query arrays on error path",
                            "    - drm/v3d: Release indirect CSD GEM reference on CPU job free",
                            "    - drm/virtio: use uninterruptible resv lock for plane updates",
                            "    - drm/xe/multi_queue: Fix secondary queue error case",
                            "    - drm/amdgpu/vpe: Force collaborate sync after TRAP",
                            "    - drm/bridge: it66121: acquire reset GPIO in probe",
                            "    - drm/bridge: megachips: remove bridge when irq request fails",
                            "    - drm/amd/display: Fix integer overflow in bios_get_image()",
                            "    - drm/amd/display: Validate GPIO pin LUT table size before iterating",
                            "    - drm/amd/display: Validate payload length and link_index in",
                            "      dc_process_dmub_aux_transfer_async",
                            "    - batman-adv: v: stop OGMv2 on disabled interface",
                            "    - batman-adv: tvlv: abort OGM send on tvlv append failure",
                            "    - batman-adv: tvlv: reject oversized TVLV packets",
                            "    - batman-adv: iv: recover OGM scheduling after forward packet error",
                            "    - batman-adv: mcast: fix use-after-free in orig_node RCU release",
                            "    - batman-adv: clear current gateway during teardown",
                            "    - batman-adv: dat: handle forward allocation error",
                            "    - batman-adv: fix fragment reassembly length accounting",
                            "    - batman-adv: fix tp_meter counter underflow during shutdown",
                            "    - batman-adv: frag: disallow unicast fragment in fragment",
                            "    - batman-adv: bla: fix report_work leak on backbone_gw purge",
                            "    - batman-adv: bla: avoid double decrement of bla.num_requests",
                            "    - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface",
                            "    - batman-adv: tp_meter: avoid use of uninit sender vars",
                            "    - batman-adv: tp_meter: directly shut down timer on cleanup",
                            "    - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown",
                            "    - batman-adv: tp_meter: fix race condition in send error reporting",
                            "    - batman-adv: tp_meter: avoid role confusion in tp_list",
                            "    - batman-adv: tt: fix TOCTOU race for reported vlans",
                            "    - batman-adv: tt: reject oversized local TVLV buffers",
                            "    - batman-adv: tt: avoid empty VLAN responses",
                            "    - batman-adv: tt: fix negative last_changeset_len",
                            "    - batman-adv: tt: fix negative tt_buff_len",
                            "    - batman-adv: tt: prevent TVLV entry number overflow",
                            "    - hwmon: (pmbus/adm1266) seed timestamp from the real-time clock",
                            "    - hwmon: (pmbus/adm1266) reject implausible blackbox record_count",
                            "    - hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer",
                            "    - hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized",
                            "      buffer",
                            "    - hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR",
                            "    - hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in",
                            "      get_multiple",
                            "    - hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()",
                            "    - hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO",
                            "      accessors",
                            "    - pinctrl: mediatek: moore: implement gpio_chip::get_direction()",
                            "    - pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function",
                            "    - arm64: dts: renesas: r8a78000: Fix SCIF brg_int clocks",
                            "    - ARM: dts: renesas: genmai: Drop superfluous cells",
                            "    - ARM: dts: renesas: rskrza1: Drop superfluous cells",
                            "    - pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high",
                            "      pins during suspend/resume",
                            "    - pinctrl: renesas: rzg2l: Fix SMT register cache handling",
                            "    - pinctrl: meson: amlogic-a4: fix deadlock issue",
                            "    - pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615",
                            "    - kho: skip KHO for crash kernel",
                            "    - mm/memfd_luo: report error when restoring a folio fails mid-loop",
                            "    - HID: intel-thc-hid: Intel-quickspi: Fix some error codes",
                            "    - HID: uclogic: Fix regression of input name assignment",
                            "    - firmware: arm_ffa: Check for NULL FF-A ID table while driver",
                            "      registration",
                            "    - firmware: arm_ffa: Skip free_pages on RX buffer alloc failure",
                            "    - firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue",
                            "    - firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0",
                            "    - riscv: errata: Fix bitwise vs logical AND in MIPS errata patching",
                            "    - riscv: Fix register corruption from uninitialized cregs on error",
                            "    - riscv: mm: Fixup no5lvl failure when vaddr is invalid",
                            "    - kunit: config: Enable KUNIT_DEBUGFS by default",
                            "    - kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS",
                            "    - pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150",
                            "    - firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies",
                            "    - firmware: arm_ffa: Keep framework RX release under lock",
                            "    - firmware: arm_ffa: Validate framework notification message layout",
                            "    - firmware: arm_ffa: Align RxTx buffer size before mapping",
                            "    - firmware: arm_ffa: Snapshot notifier callbacks under lock",
                            "    - firmware: arm_ffa: Fix sched-recv callback partition lookup",
                            "    - ARM: integrator: Fix early initialization",
                            "    - ALSA: hda: cs35l56: Put ACPI device after setting companion",
                            "    - ALSA: hda: cs35l41: Put ACPI device on missing physical node",
                            "    - btrfs: tracepoints: fix sleep while in atomic context in",
                            "      btrfs_sync_file()",
                            "    - netfilter: x_tables: allow initial table replace without emitting audit",
                            "      log message",
                            "    - netfilter: x_tables: allocate hook ops while under mutex",
                            "    - netfilter: x_tables: unregister the templates first",
                            "    - netfilter: x_tables: add and use xt_unregister_table_pre_exit",
                            "    - netfilter: x_tables: add and use xtables_unregister_table_exit",
                            "    - netfilter: ebtables: move to two-stage removal scheme",
                            "    - netfilter: ebtables: close dangling table module init race",
                            "    - netfilter: x_tables: close dangling table module init race",
                            "    - netfilter: bridge: eb_tables: close module init race",
                            "    - netfilter: nf_conntrack_expect: restore helper propagation via",
                            "      expectation",
                            "    - kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()",
                            "    - test_kprobes: clear kprobes between test runs",
                            "    - tcp: Fix imbalanced icsk_accept_queue count.",
                            "    - net: napi: Avoid gro timer misfiring at end of busypoll",
                            "    - net: shaper: Reject reparenting of existing nodes",
                            "    - idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()",
                            "    - ice: fix setting RSS VSI hash for E830",
                            "    - ice: fix locking in ice_dcb_rebuild()",
                            "    - ice: dpll: fix rclk pin state get for E810",
                            "    - ice: dpll: fix misplaced header macros",
                            "    - net: lan966x: avoid unregistering netdev on register failure",
                            "    - net: ti: icssm-prueth: fix eth_ports_node leak in probe",
                            "    - phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register",
                            "      access",
                            "    - phy: spacemit: Remove incorrect clk_disable() in spacemit_usb2phy_init()",
                            "    - NFSD: Fix infinite loop in layout state revocation",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC",
                            "    - ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC",
                            "    - fprobe: Fix unregister_fprobe() to wait for RCU grace period",
                            "    - fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap",
                            "    - fs: Fix return in jfs_mkdir and orangefs_mkdir",
                            "    - irqchip/ath79-cpu: Remove unused function",
                            "    - fs: fix forced iversion increment on lazytime timestamp updates",
                            "    - ublk: reject max_sectors smaller than PAGE_SECTORS in parameter",
                            "      validation",
                            "    - nsfs: fix wrong error code returned for pidns ioctls",
                            "    - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT",
                            "    - nvme: fix bio leak on mapping failure",
                            "    - nvme-pci: fix use-after-free in nvme_free_host_mem()",
                            "    - zonefs: handle integer overflow in zonefs_fname_to_fno",
                            "    - tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().",
                            "    - ASoC: SOF: amd: Fix error code handling in psp_send_cmd()",
                            "    - powerpc: 82xx: fix uninitialized pointers with free attribute",
                            "    - powerpc: fix dead default for GUEST_STATE_BUFFER_TEST",
                            "    - powerpc/hv-gpci: fix preempt count leak in sysfs show paths",
                            "    - netfs: Fix cancellation of a DIO and single read subrequests",
                            "    - netfs: Fix missing locking around retry adding new subreqs",
                            "    - netfs: Fix missing barriers when accessing stream->subrequests",
                            "      locklessly",
                            "    - netfs: Fix netfs_read_to_pagecache() to pause on subreq failure",
                            "    - netfs: Fix potential for tearing in ->remote_i_size and ->zero_point",
                            "    - netfs: Fix zeropoint update where i_size > remote_i_size",
                            "    - netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call",
                            "    - netfs: Fix overrun check in netfs_extract_user_iter()",
                            "    - netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes",
                            "      gone",
                            "    - netfs: Defer the emission of trace_netfs_folio()",
                            "    - netfs: Fix streaming write being overwritten",
                            "    - netfs: Fix potential deadlock in write-through mode",
                            "    - netfs: Fix read-gaps to remove netfs_folio from filled folio",
                            "    - netfs: Fix write streaming disablement if fd open O_RDWR",
                            "    - netfs: Fix early put of sink folio in netfs_read_gaps()",
                            "    - netfs: Fix leak of request in netfs_write_begin() error handling",
                            "    - netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()",
                            "    - netfs: Fix partial invalidation of streaming-write folio",
                            "    - netfs: Fix folio->private handling in netfs_perform_write()",
                            "    - netfs: Fix netfs_read_folio() to wait on writeback",
                            "    - netfs, afs: Fix write skipping in dir/link writepages",
                            "    - afs: Fix the locking used by afs_get_link()",
                            "    - net: ethernet: cortina: Make RX SKB per-port",
                            "    - net: ethernet: cortina: Drop half-assembled SKB",
                            "    - net: ethernet: cortina: Carry over frag counter",
                            "    - net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference",
                            "    - wifi: ath11k: fix error path leaks in some WMI WOW calls",
                            "    - wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()",
                            "    - wifi: ath10k: skip WMI and beacon transmission when device is wedged",
                            "    - net: shaper: flip the polarity of the valid flag",
                            "    - net: shaper: fix trivial ordering issue in net_shaper_commit()",
                            "    - net: shaper: reject duplicate leaves in GROUP request",
                            "    - net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit",
                            "    - net: shaper: fix undersized reply skb allocation in GROUP command",
                            "    - net: shaper: enforce singleton NETDEV scope with id 0",
                            "    - net: shaper: reject QUEUE scope handle with missing id",
                            "    - block: don't overwrite bip_vcnt in bio_integrity_copy_user()",
                            "    - block: recompute nr_integrity_segments in blk_insert_cloned_request",
                            "    - HID: quirks: really enable the intended work around for appledisplay",
                            "    - block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()",
                            "    - accel/qaic: Add overflow check to remap_pfn_range during mmap",
                            "    - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint",
                            "    - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics",
                            "    - drm/msm/dpu: fix UV scanlines calculation for YUV UBWC formats",
                            "    - drm/msm/dpu: Fix Kaanapali CWB register configuration",
                            "    - drm/msm/dsi: don't dump registers past the mapped region",
                            "    - drm/msm/dpu: don't mix devm and drmm functions",
                            "    - block: rename struct gendisk zone_wplugs_lock field",
                            "    - block: allow submitting all zone writes from a single context",
                            "    - block: fix handling of dead zone write plugs",
                            "    - selftests: ublk: cap nthreads to kernel's actual nr_hw_queues",
                            "    - x86/mce: Restore MCA polling interval halving",
                            "    - Documentation: intel_pstate: Fix description of asymmetric packing with",
                            "      SMT",
                            "    - drm/msm: Fix GMEM_BASE for A650",
                            "    - drm/msm/a6xx: Add soft fuse detection support",
                            "    - drm/msm/adreno: Fix a reference leak in a6xx_gpu_init()",
                            "    - drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx",
                            "    - drm/msm/a6xx: Restore sysprof_active",
                            "    - drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN",
                            "    - drm/msm/a6xx: Check kzalloc return in a8xx_hfi_send_perf_table",
                            "    - ASoC: intel: sof_sdw: Prepare for configuration without a jack",
                            "    - ASoC: sdw_utils: cs42l43: allow spk component names to be combined",
                            "    - ASoC: sdw_utils: Check speaker component string allocation",
                            "    - riscv: Docs: fix unmatched quote warning",
                            "    - powerpc/time: Remove redundant preempt_disable|enable() calls from",
                            "      arch_irq_work_raise()",
                            "    - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot",
                            "    - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring",
                            "    - net: tls: prevent chain-after-chain in plain text SG",
                            "    - net: phy: DP83TC811: add reading of abilities",
                            "    - ovpn: tcp - use cached peer pointer in ovpn_tcp_close()",
                            "    - ovpn: respect peer refcount in CMD_NEW_PEER error path",
                            "    - ovpn: fix race between deleting interface and adding new peer",
                            "    - cifs: client: stage smb3_reconfigure() updates and restore ctx on",
                            "      failure",
                            "    - phy: apple: atc: Fix typec switch/mux leak on unbind",
                            "    - gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE",
                            "    - x86/xen: Fix xen_e820_swap_entry_with_ram()",
                            "    - vfio/pci: Check BAR resources before exporting a DMABUF",
                            "    - ovpn: disable BHs when updating device stats",
                            "    - tls: Preserve sk_err across recvmsg() when data has been copied",
                            "    - net/mlx5: Do not restore destination-less TC rules",
                            "    - net/mlx5: Skip disabled vports when setting max TX speed",
                            "    - scsi: sd: Fix return code handling in sd_spinup_disk()",
                            "    - ASoC: codecs: fs210x: fix possible buffer overflow",
                            "    - iommupt: Directly call iommupt's unmap_range()",
                            "    - iommupt: Avoid rewalking during map",
                            "    - iommu: Fix loss of errno on map failure for classic ops",
                            "    - iommu: Fix up map/unmap debugging for iommupt domains",
                            "    - iommu: Handle unmap error when iommu_debug is enabled",
                            "    - iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap",
                            "    - iommupt: Fix the end_index calculation in __map_range_leaf()",
                            "    - ALSA: scarlett2: Add missing error check when initialise Autogain Status",
                            "    - ALSA: hda/ca0132: Disable auto-detect on manual output select",
                            "    - cachefiles: Fix error return when vfs_mkdir() fails",
                            "    - io_uring/net: punt IORING_OP_BIND async if it needs file create",
                            "    - vsock/virtio: fix zerocopy completion for multi-skb sends",
                            "    - btrfs: check for subvolume before deleting squota qgroup",
                            "    - btrfs: fix squota accounting during enable generation",
                            "    - ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging",
                            "    - spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()",
                            "    - netfilter: nft_inner: release local_lock before re-enabling softirqs",
                            "    - ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5",
                            "    - drm/msm/snapshot: fix dumping of the unaligned regions",
                            "    - hwmon: (lm90) Stop work before releasing hwmon device",
                            "    - hwmon: (lm90) Add lock protection to lm90_alert",
                            "    - wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is",
                            "      disabled",
                            "    - wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it",
                            "    - dma-mapping: move dma_map_resource() sanity check into debug code",
                            "    - drm/gem: Make the GEM LRU lock part of drm_device",
                            "    - drm/xe/gsc: Fix double-free of managed BO in error path",
                            "    - drm/xe/vf: Fix signature of print functions",
                            "    - drm/xe/pf: Fix CFI failure in debugfs access",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019988906",
                            "    - drm/xe: Consolidate workaround entries for Wa_18033852989",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN1",
                            "    - drm/xe/tuning: Apply windower hardware filtering setting on Xe3 and Xe3p",
                            "    - drm/xe: Define and use MCR version of COMMON_SLICE_CHICKEN4",
                            "    - wifi: ath11k: fix peer resolution on rx path when peer_id=0",
                            "    - wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing",
                            "    - drm/mediatek: mtk_hdmi_ddc_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_v2: Fix non-static global variable",
                            "    - drm/mediatek: mtk_cec: Fix non-static global variable",
                            "    - drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable",
                            "    - io_uring: propagate array_index_nospec opcode into req->opcode",
                            "    - srcu: Don't queue workqueue handlers to never-online CPUs",
                            "    - cgroup/rstat: validate cpu before css_rstat_cpu() access",
                            "    - net/mlx5e: xsk: Fix unlocked writing to ICOSQ",
                            "    - cifs: Fix undefined variables",
                            "    - ice: ptp: serialize E825 PHY timer start with PTP lock",
                            "    - ice: ptp: use primary NAC semaphore on E825",
                            "    - igc: set tx buffer type for SMD frames",
                            "    - drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP",
                            "    - phy: qcom: qmp-usbc: Fix out-of-bounds array access in dp swing config",
                            "    - kbuild: pacman-pkg: make \"rc\" releases adhere to pacman versioning",
                            "      scheme",
                            "    - net: dsa: mt7530: fix FDB entries not aging out with short timeout",
                            "    - net: dsa: mt7530: preserve VLAN tags on trapped link-local frames",
                            "    - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer",
                            "    - platform/surface: aggregator_registry: omit battery & AC nodes on",
                            "      Surface Laptop 7",
                            "    - platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: hp_accel: Check ACPI_COMPANION() against NULL",
                            "    - platform/x86: intel-hid: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel_sar: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL",
                            "    - platform/x86: uniwill-laptop: Properly initialize charging threshold",
                            "    - platform/x86: uniwill-laptop: Accept charging threshold of 0",
                            "    - platform/x86: uniwill-laptop: Fix behavior of \"force\" module param",
                            "    - platform/x86: asus-armoury: fix mini-LED mode get/set on MODE2 devices",
                            "    - ASoC: soc-utils: Add missing va_end in snd_soc_ret()",
                            "    - drm/amdgpu: Align amdgpu_gtt_mgr entries to TLB size on Tahiti (v2)",
                            "    - drm/amdgpu/vce1: Check that the GPU address is < 128 MiB",
                            "    - drm/amdgpu/vce1: Fix VCE 1 firmware size and offsets",
                            "    - RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port",
                            "    - RDMA/rtrs: Fix use-after-free in path file creation cleanup",
                            "    - bridge: mcast: Fix a possible use-after-free when removing a bridge port",
                            "    - net: phy: honor eee_disabled_modes in phy_support_eee()",
                            "    - net: phy: honor eee_disabled_modes in phy_advertise_eee_all()",
                            "    - net: airoha: Fix NPU RX DMA descriptor bits",
                            "    - pds_core: fix error handling in pdsc_devcmd_wait",
                            "    - pds_core: fix debugfs_lookup dentry leak and error handling",
                            "    - erofs: fix managed cache race for unaligned extents",
                            "    - erofs: harden h_shared_count in erofs_init_inode_xattrs()",
                            "    - erofs: fix metabuf leak in inode xattr initialization",
                            "    - wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs",
                            "    - wifi: mac80211: fix MLE defragmentation",
                            "    - wifi: mac80211: fix multi-link element inheritance",
                            "    - wifi: wilc1000: fix dma_buffer leak on bus acquire failure",
                            "    - ALSA: seq: Serialize UMP output teardown with event_input",
                            "    - cgroup: rstat: relax NMI guard after switch to try_cmpxchg",
                            "    - tracing: Avoid NULL return from hist_field_name() on truncation",
                            "    - Bluetooth: hci_sync: Fix not setting mask for",
                            "      HCI_EVT_LE_ALL_REMOTE_FEATURES_COMPLETE",
                            "    - Bluetooth: btintel_pcie: Fix incorrect MAC access programming",
                            "    - Bluetooth: btmtk: fix urb->setup_packet leak in error paths",
                            "    - udp: gso: Fix handling checksum in __udp_gso_segment",
                            "    - udp: Fix UDP length on last GSO_PARTIAL segment",
                            "    - net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA",
                            "    - net: shaper: annotate the data races",
                            "    - net: shaper: rework the VALID marking (again)",
                            "    - crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks",
                            "    - rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg",
                            "    - net: ag71xx: check error for platform_get_irq",
                            "    - bpf, skmsg: fix verdict sk_data_ready racing with ktls rx",
                            "    - tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction",
                            "    - net: stmmac: eswin: fix HSP CSR init ordering after clock enable",
                            "    - net: stmmac: eswin: clear TXD and RXD delay registers during",
                            "      initialization",
                            "    - net: stmmac: eswin: correct RGMII delay granularity to 20 ps",
                            "    - net: stmmac: eswin: validate RGMII delay values",
                            "    - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed",
                            "    - gpio: aggregator: fix a potential use-after-free",
                            "    - gpio: aggregator: stop using dev-sync-probe",
                            "    - gpio: aggregator: remove the software node when deactivating the",
                            "      aggregator",
                            "    - gpio: aggregator: lock device when calling device_is_bound()",
                            "    - ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()",
                            "    - drm/xe/oa: Fix exec_queue leak on width check in stream open",
                            "    - ASoC: cs-amp-lib: Fix wrong sizeof() in",
                            "      _cs_amp_set_efi_calibration_data()",
                            "    - ASoC: cs-amp-lib: Fix missing dput() after debugfs_lookup()",
                            "    - selftests: net: Fix checksums in xdp_native",
                            "    - nvme-pci: fix dma_vecs leak on p2p memory",
                            "    - nvme-pci: fix dma mapping leak on data setup error",
                            "    - octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs",
                            "    - net: mana: validate rx_req_idx to prevent out-of-bounds array access",
                            "    - tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR",
                            "    - net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback",
                            "    - pds_core: ensure null-termination for firmware version strings",
                            "    - net: enetc: fix missing error code when pf->vf_state allocation fails",
                            "    - io_uring/nop: pass all errors to userspace",
                            "    - blk-mq: pop cached request if it is usable",
                            "    - ksmbd: fix durable reconnect error path file lifetime",
                            "    - LoongArch: kprobes: Fix handling of fatal unrecoverable recursions",
                            "    - block: avoid use-after-free in disk_free_zone_resources()",
                            "    - Documentation: laptops: Update documentation for uniwill laptops",
                            "    - platform/x86: uniwill-laptop: Do not enable the charging limit even when",
                            "      forced",
                            "    - drm/msm: Restore second parameter name in purge() and evict()",
                            "    - security/keys: fix missed RCU read section on lookup",
                            "    - Linux 7.0.11",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385)",
                            "    - blk-cgroup: wait for blkcg cleanup before initializing new disk",
                            "    - md: suppress spurious superblock update error message for dm-raid",
                            "    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
                            "    - fs/mbcache: cancel shrink work before destroying the cache",
                            "    - md/raid1: fix the comparing region of interval tree",
                            "    - fs: fix archiecture-specific compat_ftruncate64",
                            "    - drbd: Balance RCU calls in drbd_adm_dump_devices()",
                            "    - loop: fix partition scan race between udev and loop_reread_partitions()",
                            "    - block: fix zones_cond memory leak on zone revalidation error paths",
                            "    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()",
                            "    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()",
                            "    - pstore/ram: fix resource leak when ioremap() fails",
                            "    - erofs: include the trailing NUL in FS_IOC_GETFSLABEL",
                            "    - md: fix array_state=clear sysfs deadlock",
                            "    - ublk: reset per-IO canceled flag on each fetch",
                            "    - blk-wbt: remove WARN_ON_ONCE from wbt_init_enable_default()",
                            "    - erofs: handle 48-bit blocks/uniaddr for extra devices",
                            "    - md: remove unused static md_wq workqueue",
                            "    - md: wake raid456 reshape waiters before suspend",
                            "    - dcache: permit dynamic_dname()s up to NAME_MAX",
                            "    - btrfs: fix the inline compressed extent check in inode_need_compress()",
                            "    - btrfs: fix deadlock between reflink and transaction commit when using",
                            "      flushoncommit",
                            "    - btrfs: do not reject a valid running dev-replace",
                            "    - OPP: debugfs: Use performance level if available to distinguish between",
                            "      rates",
                            "    - OPP: Move break out of scoped_guard in dev_pm_opp_xlate_required_opp()",
                            "    - ACPI: x86: cmos_rtc: Clean up address space handler driver",
                            "    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver",
                            "    - devres: fix missing node debug info in devm_krealloc()",
                            "    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags",
                            "    - debugfs: check for NULL pointer in debugfs_create_str()",
                            "    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()",
                            "    - soundwire: debugfs: initialize firmware_file to empty string",
                            "    - amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()",
                            "    - amd-pstate: Update cppc_req_cached in fast_switch case",
                            "    - cpufreq: Pass the policy to cpufreq_driver->adjust_perf()",
                            "    - PCI: use generic driver_override infrastructure",
                            "    - platform/wmi: use generic driver_override infrastructure",
                            "    - vdpa: use generic driver_override infrastructure",
                            "    - s390/cio: use generic driver_override infrastructure",
                            "    - s390/ap: use generic driver_override infrastructure",
                            "    - bus: fsl-mc: use generic driver_override infrastructure",
                            "    - locking/mutex: Rename mutex_init_lockep()",
                            "    - locking/mutex: Fix wrong comment for CONFIG_DEBUG_LOCK_ALLOC",
                            "    - irqchip/irq-pic32-evic: Address warning related to wrong printf()",
                            "      formatter",
                            "    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()",
                            "    - hrtimer: Reduce trace noise in hrtimer_start()",
                            "    - locking: Fix rwlock and spinlock lock context annotations",
                            "    - signal: Fix the lock_task_sighand() annotation",
                            "    - ww-mutex: Fix the ww_acquire_ctx function annotations",
                            "    - perf/amd/ibs: Account interrupt for discarded samples",
                            "    - perf/amd/ibs: Preserve PhyAddrVal bit when clearing PhyAddr MSR",
                            "    - perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler",
                            "    - x86/tdx: Fix the typo in TDX_ATTR_MIGRTABLE",
                            "    - rust: sync: atomic: Remove bound `T: Sync` for `Atomic::from_ptr()`",
                            "    - sparc64: vdso: Link with -z noexecstack",
                            "    - scripts/gdb: timerlist: Adapt to move of tk_core",
                            "    - locking: Fix rwlock support in <linux/spinlock_up.h>",
                            "    - sched/topology: Compute sd_weight considering cpuset partitions",
                            "    - x86/irqflags: Preemptively move include paravirt.h directive where it",
                            "      belongs",
                            "    - sched/topology: Fix sched_domain_span()",
                            "    - irqchip/renesas-rzg2l: Fix error path in rzg2l_irqc_common_probe()",
                            "    - ASoC: Intel: avs: Check maximum valid CPUID leaf",
                            "    - ASoC: Intel: avs: Include CPUID header at file scope",
                            "    - x86/vdso: Clean up remnants of VDSO32_NOTE_MASK",
                            "    - firmware: dmi: Correct an indexing error in dmi.h",
                            "    - fs/resctrl: Report invalid domain ID when parsing io_alloc_cbm",
                            "    - sched: Make class_schedulers avoid pushing current, and get rid of",
                            "      proxy_tag_curr()",
                            "    - sched/rt: Skip group schedulable check with rt_group_sched=0",
                            "    - wifi: ath11k: fix memory leaks in beacon template setup",
                            "    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()",
                            "    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished",
                            "      irq_prepare_bcn_tasklet",
                            "    - bpf: test_run: Fix the null pointer dereference issue in",
                            "      bpf_lwt_xmit_push_encap",
                            "    - wifi: ath12k: account TX stats only when ACK/BA status is present",
                            "    - wifi: ath12k: Fix legacy rate mapping for monitor mode capture",
                            "    - selftests/bpf: Handle !CONFIG_SMC in bpf_smc.c",
                            "    - wifi: ieee80211: fix definition of EHT-MCS 15 in MRU",
                            "    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH",
                            "    - [Config] Disable CONFIG_FSL_DPAA2_SWITCH on armhf and ppc64el",
                            "    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n",
                            "    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments",
                            "    - powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy",
                            "    - powerpc/64s: Fix unmap race with PMD migration entries",
                            "    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n",
                            "    - wifi: libertas: use USB anchors for tracking in-flight URBs",
                            "    - wifi: libertas: don't kill URBs in interrupt context",
                            "    - bpf: Do not allow deleting local storage in NMI",
                            "    - selftests/nolibc: fix test_file_stream() on musl libc",
                            "    - selftests/nolibc: Fix build with host headers and libc",
                            "    - tools/nolibc/printf: Change variables 'c' to 'ch' and 'tmpbuf[]' to",
                            "      'outbuf[]'",
                            "    - tools/nolibc/printf: Move snprintf length check to callback",
                            "    - tools/nolibc: MIPS: fix clobbers of 'lo' and 'hi' registers on different",
                            "      ISAs",
                            "    - tools/nolibc: avoid -Wundef warning for __STDC_VERSION__",
                            "    - wifi: mt76: mt7996: fix the behavior of radar detection",
                            "    - wifi: mt76: mt7996: fix iface combination for different chipsets",
                            "    - wifi: mt76: mt7996: Set mtxq->wcid just for primary link",
                            "    - wifi: mt76: mt7996: Reset mtxq->idx if primary link is removed in",
                            "      mt7996_vif_link_remove()",
                            "    - wifi: mt76: mt7996: Switch to the secondary link if the default one is",
                            "      removed",
                            "    - wifi: mt76: mt7996: Clear wcid pointer in mt7996_mac_sta_deinit_link()",
                            "    - wifi: mt76: mt7996: Reset ampdu_state state in case of failure in",
                            "      mt7996_tx_check_aggr()",
                            "    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in",
                            "      mt76_connac2_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: Fix incorrect MLO mode in firmware control",
                            "    - wifi: mt76: mt7615: fix use_cts_prot support",
                            "    - wifi: mt76: mt7915: fix use_cts_prot support",
                            "    - wifi: mt76: mt7925: prevent NULL pointer dereference in",
                            "      mt7925_tx_check_aggr()",
                            "    - wifi: mt76: mt7925: prevent NULL vif dereference in",
                            "      mt7925_mac_write_txwi",
                            "    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor",
                            "    - wifi: mt76: mt7921: Place upper limit on station AID",
                            "    - wifi: mt76: Fix memory leak destroying device",
                            "    - wifi: mt76: mt7996: Fix NPU stop procedure",
                            "    - wifi: mt76: npu: Add missing rx_token_size initialization",
                            "    - wifi: mt76: mt7925: drop puncturing handling from BSS change path",
                            "    - wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync",
                            "    - wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()",
                            "    - wifi: mt76: mt7925: fix tx power setting failure after chip reset",
                            "    - wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync",
                            "    - wifi: mt76: fix deadlock in remain-on-channel",
                            "    - wifi: mt76: fix backoff fields and max_power calculation",
                            "    - arm64: cpufeature: Make PMUVer and PerfMon unsigned",
                            "    - bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI",
                            "    - wifi: mt76: mt7996: fix wrong DMAD length when using MAC TXP",
                            "    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event",
                            "    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()",
                            "    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()",
                            "    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection",
                            "    - wifi: mt76: mt7996: Add missing CHANCTX_STA_CSA property",
                            "    - wifi: mt76: mt7996: Remove link pointer dependency in",
                            "      mt7996_mac_sta_remove_links()",
                            "    - wifi: mt76: mt7996: Decrement sta counter removing the link in",
                            "      mt7996_mac_reset_sta_iter()",
                            "    - wifi: mt76: fix multi-radio on-channel scanning",
                            "    - wifi: mt76: support upgrading passive scans to active",
                            "    - wifi: mt76: mt7996: fix RRO EMU configuration",
                            "    - bpf: Fix refcount check in check_struct_ops_btf_id()",
                            "    - selftests/bpf: Fix sockmap_multi_channels reliability",
                            "    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path",
                            "    - bpf: Fix variable length stack write over spilled pointers",
                            "    - arm_mpam: Ensure in_reset_state is false after applying configuration",
                            "    - arm_mpam: Reset when feature configuration bit unset",
                            "    - bpf,arc_jit: Fix missing newline in pr_err messages",
                            "    - wifi: rtw89: phy: fix uninitialized variable access in",
                            "      rtw89_phy_cfo_set_crystal_cap()",
                            "    - drivers/vfio_pci_core: Change PXD_ORDER check from switch case to",
                            "      if/else block",
                            "    - r8152: fix incorrect register write to USB_UPHY_XTAL",
                            "    - selftests/tracing: Fix to make --logdir option work again",
                            "    - selftests/tracing: Fix to check awk supports non POSIX strtonum()",
                            "    - powerpc/crash: fix backup region offset update to elfcorehdr",
                            "    - powerpc/crash: Update backup region offset in elfcorehdr on memory",
                            "      hotplug",
                            "    - bpf: Fix abuse of kprobe_write_ctx via freplace",
                            "    - macvlan: annotate data-races around port->bc_queue_len_used",
                            "    - bpf: Use copy_map_value_locked() in alloc_htab_elem() for BPF_F_LOCK",
                            "    - bpf: Fix stale offload->prog pointer after constant blinding",
                            "    - net: ethernet: ti-cpsw:: rename soft_reset() function",
                            "    - net: ethernet: ti-cpsw: fix linking built-in code to modules",
                            "    - wifi: brcmfmac: Fix error pointer dereference",
                            "    - wifi: mac80211: handle VHT EXT NSS in ieee80211_determine_our_sta_mode()",
                            "    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable",
                            "      hooks",
                            "    - bpf: Prefer vmlinux symbols over module symbols for unqualified kprobes",
                            "    - wifi: ath10k: fix station lookup failure during disconnect",
                            "    - bpf: Fix linked reg delta tracking when src_reg == dst_reg",
                            "    - net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT",
                            "    - net: plumb drop reasons to __dev_queue_xmit()",
                            "    - net: qdisc_pkt_len_segs_init() cleanup",
                            "    - net: pull headers in qdisc_pkt_len_segs_init()",
                            "    - arm64: entry: Don't preempt with SError or Debug masked",
                            "    - ACPI: AGDI: fix missing newline in error message",
                            "    - arm64: kexec: Remove duplicate allocation for trans_pgd",
                            "    - bpf: Propagate error from visit_tailcall_insn",
                            "    - bpf: Fix ld_{abs,ind} failure path analysis in subprogs",
                            "    - bpf: Remove static qualifier from local subprog pointer",
                            "    - mptcp: better mptcp-level RTT estimator",
                            "    - bpf: Fix use-after-free in offloaded map/prog info fill",
                            "    - macsec: Support VLAN-filtering lower devices",
                            "    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb",
                            "    - net: bcmgenet: fix leaking free_bds",
                            "    - net: bcmgenet: fix racing timeout handler",
                            "    - net: airoha: Add dma_rmb() and READ_ONCE() in airoha_qdma_rx_process()",
                            "    - eth: fbnic: Use wake instead of start",
                            "    - netfilter: xt_socket: enable defrag after all other checks",
                            "    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding",
                            "    - bpf: fix mm lifecycle in open-coded task_vma iterator",
                            "    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks",
                            "    - bpf: return VMA snapshot from task_vma iterator",
                            "    - bpf: Fix RCU stall in bpf_fd_array_map_clear()",
                            "    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf",
                            "    - net: airoha: Fix FE_PSE_BUF_SET configuration if PPE2 is available",
                            "    - bpf: Enforce regsafe base id consistency for BPF_ADD_CONST scalars",
                            "    - selftests/bpf: fix __jited_unpriv tag name",
                            "    - net/sched: cls_fw: fix NULL dereference of \"old\" filters before change()",
                            "    - net/sched: act_ct: Only release RCU read lock after ct_ft",
                            "    - selftests: netfilter: nft_tproxy.sh: adjust to socat changes",
                            "    - net: mana: Use pci_name() for debugfs directory naming",
                            "    - net: mana: Move current_speed debugfs file to mana_init_port()",
                            "    - net: airoha: Add missing RX_CPU_IDX() configuration in",
                            "      airoha_qdma_cleanup_rx_queue()",
                            "    - net_sched: fix skb memory leak in deferred qdisc drops",
                            "    - bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops",
                            "    - bpf: Allow instructions with arena source and non-arena dest registers",
                            "    - selftests/bpf: Fix reg_bounds to match new tnum-based refinement",
                            "    - net/rds: Optimize rds_ib_laddr_check",
                            "    - net/rds: Restrict use of RDS/IB to the initial network namespace",
                            "    - bpf: Fix OOB in pcpu_init_value",
                            "    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls",
                            "    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG",
                            "    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+",
                            "    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110",
                            "    - net: phy: fix a return path in get_phy_c45_ids()",
                            "    - net/mlx5e: Fix features not applied during netdev registration",
                            "    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()",
                            "    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers",
                            "    - net: fix skb_ext_total_length() BUILD_BUG_ON with",
                            "      CONFIG_GCOV_PROFILE_ALL",
                            "    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb",
                            "    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds",
                            "      MTU",
                            "    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error",
                            "    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER",
                            "    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp",
                            "    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to",
                            "      sco_pi(sk)->codec",
                            "    - net: phy: qcom: at803x: Use the correct bit to disable extended next",
                            "      page",
                            "    - udp: Force compute_score to always inline",
                            "    - tcp: Don't set treq->req_usec_ts in cookie_tcp_reqsk_init().",
                            "    - sctp: fix missing encap_port propagation for GSO fragments",
                            "    - sctp: disable BH before calling udp_tunnel_xmit_skb()",
                            "    - selftests/namespaces: remove unused utils.h include from",
                            "      listns_efault_test",
                            "    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master",
                            "    - net: airoha: Fix VIP configuration for AN7583 SoC",
                            "    - net: airoha: Add missing PPE configurations in airoha_ppe_hw_init()",
                            "    - drm/panel: ilitek-ili9882t: Select DRM_DISPLAY_DSC_HELPER",
                            "    - selftests/futex: Fix incorrect result reporting of futex_requeue test",
                            "      item",
                            "    - drm/komeda: fix integer overflow in AFBC framebuffer size check",
                            "    - dma-fence: Fix sparse warnings due __rcu annotations",
                            "    - drm/gpusvm: Fix unbalanced unlock in drm_gpusvm_scan_mm()",
                            "    - drm/virtio: Allow importing prime buffers when 3D is enabled",
                            "    - ASoC: soc-compress: use function to clear symmetric params",
                            "    - PCI/TPH: Allow TPH enable for RCiEPs",
                            "    - PCI: endpoint: pci-epf-vntb: Fix MSI doorbell IRQ unwind",
                            "    - PCI: endpoint: pci-epf-test: Don't free doorbell IRQ unless requested",
                            "    - PCI: endpoint: pci-ep-msi: Fix error unwind and prevent double alloc",
                            "    - drm/sun4i: mixer: Fix layer init code",
                            "    - drm/sun4i: backend: fix error pointer dereference",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019877138",
                            "    - drm/xe: Consolidate workaround entries for Wa_14019386621",
                            "    - drm/xe/xe2_hpg: Drop invalid workaround Wa_15010599737",
                            "    - gpu: nova-core: gsp: use empty slices instead of [0..0] ranges",
                            "    - gpu: nova-core: gsp: fix improper handling of empty slot in cmdq",
                            "    - drm/amdkfd: Removed commented line for MQD queue priority",
                            "    - PCI: imx6: Fix device node reference leak in imx_pcie_probe()",
                            "    - crypto: inside-secure/eip93 - fix register definition",
                            "    - ASoC: sti: Return errors from regmap_field_alloc()",
                            "    - ASoC: sti: use managed regmap_field allocations",
                            "    - dm cache: fix null-deref with concurrent writes in passthrough mode",
                            "    - dm cache: fix write path cache coherency in passthrough mode",
                            "    - dm cache: fix write hang in passthrough mode",
                            "    - dm cache policy smq: fix missing locks in invalidating cache blocks",
                            "    - dm cache: fix concurrent write failure in passthrough mode",
                            "    - dm cache: fix dirty mapping checking in passthrough mode switching",
                            "    - dm-mpath: don't stop probing paths at presuspend",
                            "    - drm/amd/ras: Fix type size of remainder argument",
                            "    - dt-bindings: mmc: dwcmshc-sdhci: Fix resets array validation",
                            "    - drm/amdgpu: GFX12.1 scratch memory limit up to 57-bit",
                            "    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove",
                            "    - gpu: nova-core: use checked arithmetic in FWSEC firmware parsing",
                            "    - gpu: nova-core: create falcon firmware DMA objects lazily",
                            "    - gpu: nova-core: falcon: rename load parameters to reflect DMA dependency",
                            "    - gpu: nova-core: firmware: fix and explain v2 header offsets computations",
                            "    - PCI: dwc: ep: Fix MSI-X Table Size configuration in",
                            "      dw_pcie_ep_set_msix()",
                            "    - PCI: dwc: ep: Mirror the max link width and speed fields to all",
                            "      functions",
                            "    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()",
                            "    - dm cache metadata: fix memory leak on metadata abort retry",
                            "    - dm log: fix out-of-bounds write due to region_count overflow",
                            "    - iopoll: fix function parameter names in read_poll_timeout_atomic()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier",
                            "      in atomic_enable()",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to",
                            "      drm_bridge_funcs",
                            "    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge",
                            "      atomic check",
                            "    - spi: nxp-xspi: Use reinit_completion() for repeated operations",
                            "    - spi: nxp-fspi: Use reinit_completion() for repeated operations",
                            "    - spi: fsl-qspi: Use reinit_completion() for repeated operations",
                            "    - spi: axiado: Remove redundant pm_runtime_mark_last_busy() call",
                            "    - media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe",
                            "    - media: synopsys: VIDEO_DW_MIPI_CSI2RX should depend on ARCH_ROCKCHIP",
                            "    - [Config] VIDEO_DW_MIPI_CSI2RX depends on ARCH_ROCKCHIP",
                            "    - drm/amd/pm: Fix xgmi max speed reporting",
                            "    - spi: atcspi200: fix mutex initialization order",
                            "    - selftests/sched_ext: Add missing error check for exit__load()",
                            "    - drm/v3d: Handle error from drm_sched_entity_init()",
                            "    - drm/sun4i: Fix resource leaks",
                            "    - crypto: inside-secure/eip93 - register hash before authenc algorithms",
                            "    - PCI: rzg3s-host: Fix reset handling in probe error path",
                            "    - PCI: rzg3s-host: Reorder reset assertion during suspend",
                            "    - dt-bindings: PCI: renesas,r9a08g045s33-pcie: Fix naming properties",
                            "    - iommu/riscv: Add IOTINVAL after updating DDT/PDT entries",
                            "    - iommu/riscv: Skip IRQ count check when using MSI interrupts",
                            "    - iommu/riscv: Add missing GENERIC_MSI_IRQ",
                            "    - iommu/riscv: Stop polling when CQCSR reports an error",
                            "    - drm/amdkfd: Update queue properties for metadata ring",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_ras_interrupt_detected()",
                            "    - drm/amdgpu: Add default case in DVI mode validation",
                            "    - regulator: dt-bindings: fp9931: Make vin-supply property as required",
                            "    - regulator: fp9931: Fix handling of mandatory \"vin\" supply",
                            "    - drm/amd/ras: Fix NULL deref in ras_core_get_utc_second_timestamp()",
                            "    - drm/amdgpu: Drop redundant queue NULL check in hang detect worker",
                            "    - drm/amdgpu: Remove dead negative offset check in",
                            "      amdgpu_virt_init_critical_region()",
                            "    - dm init: ensure device probing has finished in dm-mod.waitfor=",
                            "    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build",
                            "      break",
                            "    - crypto: simd - reject compat registrations without __ prefixes",
                            "    - crypto: tegra - Disable softirqs before finalizing request",
                            "    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs",
                            "    - padata: Remove cpu online check from cpu add and removal",
                            "    - padata: Put CPU offline callback in ONLINE section to allow failure",
                            "    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the",
                            "      documentation",
                            "    - accel/amdxdna: fix missing newline in pr_err message",
                            "    - drm/amd/ras: Remove redundant NULL check in pending bad-bank list",
                            "      iteration",
                            "    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority",
                            "    - drm/amdgpu/gfx11: look at the right prop for gfx queue priority",
                            "    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo",
                            "    - PCI: sky1: Fix missing cleanup of ECAM config on probe failure",
                            "    - drm/imagination: Switch reset_reason fields from enum to u32",
                            "    - iommu/tegra241-cmdqv: Set supports_cmd op in tegra241_vcmdq_hw_init()",
                            "    - iommu/tegra241-cmdqv: Update uAPI to clarify HYP_OWN requirement",
                            "    - drm/msm: add missing MODULE_DEVICE_ID definitions",
                            "    - drm/msm/dpu: fix mismatch between power and frequency",
                            "    - drm/msm/dsi: add the missing parameter description",
                            "    - drm/msm/dpu: don't try using 2 LMs if only one DSC is available",
                            "    - drm/msm/dsi: fix bits_per_pclk",
                            "    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel",
                            "    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0",
                            "    - ASoC: rockchip: rockchip_sai: Set slot width for non-TDM mode",
                            "    - tools/sched_ext: scx_pair: fix pair_ctx indexing for CPU pairs",
                            "    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first",
                            "    - drm/panel: simple: Correct G190EAN01 prepare timing",
                            "    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion",
                            "      support",
                            "    - PCI: Prevent shrinking bridge window from its required size",
                            "    - PCI: Fix premature removal from realloc_head list during resource",
                            "      assignment",
                            "    - crypto: hisilicon/sec2 - prevent req used-after-free for sec",
                            "    - PCI: Fix alignment calculation for resource size larger than align",
                            "    - iommu/riscv: Fix signedness bug",
                            "    - ALSA: core: Validate compress device numbers without dynamic minors",
                            "    - drm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths",
                            "    - ASoC: amd: acp: update dmic_num logic for acp pdm dmic",
                            "    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled",
                            "    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs",
                            "    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock",
                            "    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0",
                            "    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels",
                            "    - drm/amd/pm/ci: Fill DW8 fields from SMC",
                            "    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board",
                            "    - drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled",
                            "    - PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors",
                            "    - hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback",
                            "    - ALSA: hda/realtek: fix bad indentation for alc269",
                            "    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace",
                            "      '}')",
                            "    - ASoC: SOF: Intel: hda: Place check before dereference",
                            "    - drm/msm/vma: Avoid lock in VM_BIND fence signaling path",
                            "    - drm/msm/a6xx: Add missing aperture_lock init",
                            "    - drm/msm: Reject fb creation from _NO_SHARE objs",
                            "    - drm/msm: Fix VM_BIND UNMAP locking",
                            "    - drm/msm/a6xx: Fix HLSQ register dumping",
                            "    - drm/msm/shrinker: Fix can_block() logic",
                            "    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks",
                            "    - drm/msm/a6xx: Use barriers while updating HFI Q headers",
                            "    - drm/msm/a8xx: Fix the ticks used in submit traces",
                            "    - drm/msm/a6xx: Switch to preemption safe AO counter",
                            "    - drm/msm/a6xx: Correct OOB usage",
                            "    - drm/msm/adreno: Implement gx_is_on() for A8x",
                            "    - drm/msm/a6xx: Fix gpu init from secure world",
                            "    - ALSA: hda/cmedia: Remove duplicate pin configuration parsing",
                            "    - pmdomain: ti: omap_prm: Fix a reference leak on device node",
                            "    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()",
                            "    - PM: domains: De-constify fields in struct dev_pm_domain_attach_data",
                            "    - drm/msm/dpu: drop INTF_0 on MSM8953",
                            "    - ASoC: fsl_micfil: Add access property for \"VAD Detected\"",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()",
                            "    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_range_set()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()",
                            "    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()",
                            "    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()",
                            "    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()",
                            "    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()",
                            "    - ASoC: fsl_easrc: Change the type for iec958 channel status controls",
                            "    - iommu/amd: Fix clone_alias() to use the original device's devid",
                            "    - iommu/riscv: Remove overflows on the invalidation path",
                            "    - ASoC: qcom: qdsp6: topology: check widget type before accessing data",
                            "    - PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value",
                            "    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off",
                            "    - crypto: qat - disable 420xx AE cluster when lead engine is fused off",
                            "    - crypto: qat - fix compression instance leak",
                            "    - crypto: qat - fix type mismatch in RAS sysfs show functions",
                            "    - crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()",
                            "    - crypto: qat - use swab32 macro",
                            "    - ALSA: hda: Notify IEC958 Default PCM switch state changes",
                            "    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]",
                            "    - PCI: Enable AtomicOps only if Root Port supports them",
                            "    - PCI: imx6: Keep Root Port MSI capability with iMSI-RX to work around",
                            "      hardware bug",
                            "    - PCI: aspeed: Fix IRQ domain leak on platform_get_irq() failure",
                            "    - dt-bindings: PCI: imx6q-pcie: Fix maxItems of clocks and clock-names",
                            "    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found",
                            "    - gpu: nova-core: bitfield: fix broken Default implementation",
                            "    - selftests/mm: skip migration tests if NUMA is unavailable",
                            "    - Documentation: fix a hugetlbfs reservation statement",
                            "    - Docs/admin-guide/mm/damn/lru_sort: fix intervals autotune parameter name",
                            "    - Docs/mm/damon/index: fix typo: autoamted -> automated",
                            "    - zram: do not permit params change after init",
                            "    - selftest: memcg: skip memcg_sock test if address family not supported",
                            "    - gpu: nova-core: remove redundant `.as_ref()` for `dev_*` print",
                            "    - gpu: nova-core: fix missing colon in SEC2 boot debug message",
                            "    - ALSA: scarlett2: Add missing sentinel initializer field",
                            "    - ASoC: qcom: audioreach: explicitly enable speaker protection modules",
                            "    - ASoC: SOF: compress: return the configured codec from get_params",
                            "    - PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports",
                            "    - tools/sched_ext: Fix off-by-one in scx_sdt payload zeroing",
                            "    - ASoC: soc-component: re-add pcm_new()/pcm_free()",
                            "    - ASoC: amd: name back to pcm_new()/pcm_free()",
                            "    - ASoC: amd: ps: fix the pcm device numbering for acp pdm dmic",
                            "    - ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream",
                            "    - PCI: tegra194: Fix polling delay for L2 state",
                            "    - PCI: tegra194: Increase LTSSM poll time on surprise link down",
                            "    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link",
                            "      down",
                            "    - PCI: tegra194: Don't force the device into the D0 state before L2",
                            "    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode",
                            "    - PCI: tegra194: Use devm_gpiod_get_optional() to parse \"nvidia,refclk-",
                            "      select\"",
                            "    - PCI: tegra194: Disable direct speed change for Endpoint mode",
                            "    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint",
                            "      mode",
                            "    - PCI: tegra194: Allow system suspend when the Endpoint link is not up",
                            "    - PCI: tegra194: Free up Endpoint resources during remove()",
                            "    - PCI: tegra194: Use DWC IP core version",
                            "    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well",
                            "    - PCI: tegra194: Disable L1.2 capability of Tegra234 EP",
                            "    - PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on",
                            "    - drm/fb-helper: Fix a locking bug in an error path",
                            "    - PCI: cadence: Add flags for disabling ASPM capability for broken Root",
                            "      Ports",
                            "    - PCI: sg2042: Avoid L0s and L1 on Sophgo 2042 PCIe Root Ports",
                            "    - ASoC: SDCA: Fix cleanup inversion in class driver",
                            "    - spi: rzv2h-rspi: Fix invalid SPR=0/BRDV=0 clock configuration",
                            "    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()",
                            "      callback",
                            "    - ALSA: sc6000: Keep the programmed board state in card-private data",
                            "    - dm cache: fix missing return in invalidate_committed's error path",
                            "    - sched_ext: Track @p's rq lock across set_cpus_allowed_scx ->",
                            "      ops.set_cpumask",
                            "    - sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking",
                            "    - spi: cadence-qspi: Revert the filtering of certain opcodes in ODTR",
                            "    - crypto: jitterentropy - replace long-held spinlock with mutex",
                            "    - ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP",
                            "    - ALSA: hda/realtek - fixed speaker no sound update",
                            "    - gfs2: Call unlock_new_inode before d_instantiate",
                            "    - fanotify: avoid/silence premature LSM capability checks",
                            "    - fanotify: call fanotify_events_supported() before path_permission() and",
                            "      security_path_notify()",
                            "    - fuse: fix uninit-value in fuse_dentry_revalidate()",
                            "    - ktest: Avoid undef warning when WARNINGS_FILE is unset",
                            "    - ktest: Honor empty per-test option overrides",
                            "    - ktest: Run POST_KTEST hooks on failure and cancellation",
                            "    - vfio: selftests: fix crash in vfio_dma_mapping_mmio_test",
                            "    - rtla/utils: Fix resource leak in set_comm_sched_attr()",
                            "    - tools/rtla: Generate optstring from long options",
                            "    - rtla: Fix segfault on multiple SIGINTs",
                            "    - vfio: selftests: Build tests on aarch64",
                            "    - gfs2: less aggressive low-memory log flushing",
                            "    - quota: Fix race of dquot_scan_active() with quota deactivation",
                            "    - vfio: unhide vdev->debug_root",
                            "    - gfs2: add some missing log locking",
                            "    - gfs2: prevent NULL pointer dereference during unmount",
                            "    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation",
                            "    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine",
                            "    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon",
                            "    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible",
                            "    - memory: tegra124-emc: Fix dll_change check",
                            "    - memory: tegra30-emc: Fix dll_change check",
                            "    - arm64: dts: imx8-apalis: Fix LEDs name collision",
                            "    - arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD",
                            "    - riscv: dts: spacemit: pcie: fix missing power regulator",
                            "    - arm64: dts: mediatek: mt7988a-bpi-r4pro: fix model string",
                            "    - arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config",
                            "    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO",
                            "      (M.2 W_DISABLE1)",
                            "    - iommufd: vfio compatibility extension check for noiommu mode",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon",
                            "    - arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges",
                            "    - arm64: dts: qcom: qcs6490-rubikpi3: Use lt9611 DSI Port B",
                            "    - arm64: dts: qcom: talos: Add missing clock-names to GCC",
                            "    - arm64: dts: ti: k3-am62l: include WKUP_UART0 in wakeup peripheral window",
                            "    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count",
                            "    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count",
                            "    - iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}",
                            "    - arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices",
                            "    - arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC",
                            "      eval carrier",
                            "    - arm64: dts: imx8mp-hummingboard-pulse/cubox-m: fix vmmc gpio polarity",
                            "    - arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference",
                            "    - ARM: dts: BCM5301X: Drop extra NAND controller compatible",
                            "    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8937-xiaomi-land: correct wled ovp value",
                            "    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight",
                            "    - firmware: qcom_scm: don't opencode kmemdup",
                            "    - soc: qcom: ubwc: disable bank swizzling for Glymur platform",
                            "    - arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi",
                            "    - Revert \"arm64: dts: rockchip: add SPDIF audio to Beelink A1\"",
                            "    - arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace",
                            "    - arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace",
                            "    - soc: qcom: ocmem: make the core clock optional",
                            "    - soc: qcom: ocmem: register reasons for probe deferrals",
                            "    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available",
                            "    - riscv: dts: spacemit: drop incorrect pinctrl for combo PHY",
                            "    - arm64: dts: rockchip: Fix RK3562 EVB2 model name",
                            "    - arm64: dts: rockchip: Add mphy reset to ufshc node",
                            "    - bus: rifsc: fix RIF configuration check for peripherals",
                            "    - arm64: dts: qcom: arduino-imola: fix faulty spidev node",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: add missing denali-oled.dtb to",
                            "      Makefile\"",
                            "    - arm64: dts: qcom: add missing denali-oled.dtb to Makefile",
                            "    - arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: lemans: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: monaco: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: sm8750: correct Iris corners for the MXC rail",
                            "    - arm64: dts: qcom: kaanapali: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: milos: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8750: Fix GIC_ITS range length",
                            "    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller",
                            "    - arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host",
                            "      controller",
                            "    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes",
                            "    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl",
                            "    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered",
                            "      during boot",
                            "    - arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader",
                            "    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62l3-evm: Disable MMC1 internal pulls on data pins",
                            "    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins",
                            "    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label",
                            "    - arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS",
                            "      muxing",
                            "    - arm64: dts: imx91: Remove TMU's superfluous sensor ID",
                            "    - arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC",
                            "    - arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3",
                            "    - arm64: dts: imx8mp-evk: Specify ADV7535 register addresses",
                            "    - arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit",
                            "    - arm64: dts: lx2160a: remove duplicate pinmux nodes",
                            "    - arm64: dts: lx2160a: rename pinmux nodes for readability",
                            "    - arm64: dts: lx2160a: add sda gpio references for i2c bus recovery",
                            "    - arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes",
                            "    - arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word",
                            "    - arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual",
                            "    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual",
                            "    - soc/tegra: cbb: Set ERD on resume for err interrupt",
                            "    - soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables",
                            "    - soc/tegra: cbb: Fix cross-fabric target timeout lookup",
                            "    - arm64: tegra: Fix RTC aliases",
                            "    - soc/tegra: pmc: Add kerneldoc for reboot notifier",
                            "    - soc/tegra: pmc: Correct function names in kerneldoc",
                            "    - soc/tegra: pmc: Add kerneldoc for wake-up variables",
                            "    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()",
                            "      failure",
                            "    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()",
                            "    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison",
                            "    - soc: qcom: llcc: fix v1 SB syndrome register offset",
                            "    - soc: qcom: aoss: compare against normalized cooling state",
                            "    - arm64: dts: qcom: milos: Add missing CX power domain to GCC",
                            "    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP",
                            "    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX",
                            "    - arm64/xor: fix conflicting attributes for xor_block_template",
                            "    - lib: kunit_iov_iter: fix memory leaks",
                            "    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended",
                            "    - firmware: arm_ffa: Use the correct buffer size during RXTX_MAP",
                            "    - fwctl: Fix class init ordering to avoid NULL pointer dereference on",
                            "      device removal",
                            "    - ocfs2: fix listxattr handling when the buffer is full",
                            "    - ocfs2: validate bg_bits during freefrag scan",
                            "    - ocfs2: validate group add input before caching",
                            "    - dmaengine: dw-axi-dmac: fix Alignment should match open parenthesis",
                            "    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void",
                            "      function",
                            "    - phy: apple: apple: Use local variable for ioremap return value",
                            "    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()",
                            "    - soundwire: Intel: test bus.bpt_stream before assigning it",
                            "    - dmaengine: mxs-dma: Fix missing return value from",
                            "      of_dma_controller_register()",
                            "    - soundwire: cadence: Clear message complete before signaling waiting",
                            "      thread",
                            "    - tracing: move __printf() attribute on __ftrace_vbprintk()",
                            "    - tracing: Rebuild full_name on each hist_field_name() call",
                            "    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC",
                            "    - [Config] Enable CONFIG_HTE_TEGRA194 on armhf",
                            "    - remoteproc: xlnx: Fix sram property parsing",
                            "    - stop_machine: Fix the documentation for a NULL cpus argument",
                            "    - remoteproc: imx_rproc: Check return value of regmap_attach_dev() in",
                            "      imx_rproc_mmio_detect_mode()",
                            "    - ima: check return value of crypto_shash_final() in boot aggregate",
                            "    - HID: asus: make asus_resume adhere to linux kernel coding standards",
                            "    - HID: asus: do not abort probe when not necessary",
                            "    - workqueue: devres: Add device-managed allocate workqueue",
                            "    - power: supply: max77705: Drop duplicated IRQ error message",
                            "    - power: supply: max77705: Free allocated workqueue and fix removal order",
                            "    - mtd: physmap_of_gemini: Fix disabled pinctrl state check",
                            "    - ima_fs: Correctly create securityfs files for unsupported hash algos",
                            "    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range",
                            "    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read",
                            "      operations",
                            "    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation",
                            "    - mtd: spi-nor: micron-st: add SNOR_CMD_PP_8_8_8_DTR sfdp fixup for",
                            "      mt35xu512aba",
                            "    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask",
                            "    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path",
                            "    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions",
                            "    - cxl/pci: Check memdev driver binding status in cxl_reset_done()",
                            "    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob",
                            "    - mtd: spinand: winbond: Clarify when to enable the HS bit",
                            "    - HID: usbhid: fix deadlock in hid_post_reset()",
                            "    - ext4: fix miss unlock 'sb->s_umount' in extents_kunit_init()",
                            "    - ext4: call deactivate_super() in extents_kunit_exit()",
                            "    - ext4: fix the error handling process in extents_kunit_init).",
                            "    - ext4: fix possible null-ptr-deref in extents_kunit_exit()",
                            "    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()",
                            "    - bpf, arm64: Reject out-of-range B.cond targets",
                            "    - bpf, arm64: Fix off-by-one in check_imm signed range check",
                            "    - bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator",
                            "      finalize",
                            "    - bpf, sockmap: Fix af_unix iter deadlock",
                            "    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update",
                            "    - bpf, sockmap: Take state lock for af_unix iter",
                            "    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check",
                            "    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs",
                            "    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()",
                            "    - libbpf: Prevent double close and leak of btf objects",
                            "    - bpf: Validate node_id in arena_alloc_pages()",
                            "    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - dt-bindings: pinctrl: marvell,armada3710-xb-pinctrl: add missing items",
                            "      keyword",
                            "    - pinctrl: pinctrl-pic32: Fix resource leak",
                            "    - perf trace: Avoid an ERR_PTR in syscall_stats",
                            "    - pinctrl: microchip-mssio: Fix missing return in probe",
                            "    - perf test type profiling: Remote typedef on struct",
                            "    - pinctrl: cy8c95x0: remove duplicate error message",
                            "    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()",
                            "    - pinctrl: cy8c95x0: Avoid returning positive values to user space",
                            "    - perf branch: Avoid incrementing NULL",
                            "    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE",
                            "      trace",
                            "    - pinctrl: pinconf-generic: Fully validate 'pinmux' property",
                            "    - pinctrl: realtek: Fix function signature for config argument",
                            "    - pinctrl: abx500: Fix type of 'argument' variable",
                            "    - pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT}",
                            "      registers",
                            "    - tools build: Correct link flags for libopenssl",
                            "    - perf lock: Fix option value type in parse_max_stack",
                            "    - perf stat: Fix opt->value type for parse_cache_level",
                            "    - memblock: reserve_mem: fix end caclulation in",
                            "      reserve_mem_release_by_name()",
                            "    - perf stat: Fix crash on arm64",
                            "    - perf tools: Fix module symbol resolution for non-zero .text sh_addr",
                            "    - perf test: Fix ratio_to_prev event parsing test",
                            "    - perf test: Skip perf data type profiling tests for s390",
                            "    - perf expr: Return -EINVAL for syntax error in expr__find_ids()",
                            "    - perf metrics: Make common stalled metrics conditional on having the",
                            "      event",
                            "    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure",
                            "    - ipmi: ssif_bmc: fix message desynchronization after truncated response",
                            "    - ipmi: ssif_bmc: change log level to dbg in irq callback",
                            "    - perf cgroup: Update metric leader in evlist__expand_cgroup",
                            "    - pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description",
                            "    - pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description",
                            "    - perf maps: Fix fixup_overlap_and_insert that can break sorted by name",
                            "      order",
                            "    - perf maps: Fix copy_from that can break sorted by name order",
                            "    - perf util: Kill die() prototype, dead for a long time",
                            "    - i3c: master: dw-i3c: Fix missing reset assertion in remove() callback",
                            "    - i3c: master: dw-i3c: Balance PM runtime usage count on probe failure",
                            "    - i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()",
                            "    - i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()",
                            "    - i3c: master: adi: Fix error propagation for CCCs",
                            "    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status",
                            "    - fs/ntfs3: prevent uninitialized lcn caused by zero len",
                            "    - backlight: sky81452-backlight: Check return value of",
                            "      devm_gpiod_get_optional() in sky81452_bl_parse_dt()",
                            "    - platform/surface: surfacepro3_button: Drop wakeup source on remove",
                            "    - leds: lgm-sso: Remove duplicate assignments for priv->mmap",
                            "    - usb: typec: Fix error pointer dereference",
                            "    - tty: hvc_iucv: fix off-by-one in number of supported devices",
                            "    - usb: typec: ps883x: Fix Oops at unbind",
                            "    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and",
                            "      cleanup",
                            "    - platform/x86: barco-p50-gpio: normalize return value of gpio_get",
                            "    - fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()",
                            "    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()",
                            "    - nfs/blocklayout: Fix compilation error (`make W=1`) in",
                            "      bl_write_pagelist()",
                            "    - sunrpc: Kill RPC_IFDEBUG()",
                            "    - sunrpc: Fix compilation error (`make W=1`) when dprintk() is no-op",
                            "    - NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg",
                            "    - nfsd: use dynamic allocation for oversized NFSv4.0 replay cache",
                            "    - RDMA/umem: Use consistent DMA attributes when unmapping entries",
                            "    - greybus: raw: fix use-after-free on cdev close",
                            "    - greybus: raw: fix use-after-free if write is called after disconnect",
                            "    - platform/x86: asus-wmi: adjust screenpad power/brightness handling",
                            "    - platform/x86: asus-wmi: fix screenpad brightness range",
                            "    - tty: serial: ip22zilog: Fix section mispatch warning",
                            "    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion",
                            "    - platform/x86: hp-wmi: fix ignored return values in fan settings",
                            "    - platform/x86: hp-wmi: avoid cancel_delayed_work_sync from work handler",
                            "    - platform/x86: hp-wmi: use mod_delayed_work to reset keep-alive timer",
                            "    - platform/x86: hp-wmi: fix u8 underflow in gpu_delta calculation",
                            "    - platform/x86: hp-wmi: add locking for concurrent hwmon access",
                            "    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()",
                            "    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation",
                            "    - RDMA/core: Prefer NLA_NUL_STRING",
                            "    - platform/x86: hp-wmi: fix fan table parsing",
                            "    - dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur",
                            "    - clk: qcom: gcc-glymur: Add video axi clock resets for glymur",
                            "    - clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source",
                            "    - clk: renesas: r9a09g057: Fix ordering of module clocks array",
                            "    - clk: renesas: r9a09g056: Fix ordering of module clocks array",
                            "    - clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock",
                            "    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()",
                            "    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX",
                            "    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from",
                            "      byte_div_clk_src dividers",
                            "    - clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-kaanapali: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-milos: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting",
                            "    - clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting",
                            "    - clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}",
                            "    - scsi: target: core: Fix integer overflow in UNMAP bounds check",
                            "    - scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item",
                            "    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Add missing GDSCs",
                            "    - clk: qcom: gcc-sc8180x: Use retention for USB power domains",
                            "    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains",
                            "    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk",
                            "    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks",
                            "    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()",
                            "    - clk: imx: imx6q: Fix device node reference leak in",
                            "      of_assigned_ldb_sels()",
                            "    - clk: imx8mq: Correct the CSI PHY sels",
                            "    - um: Fix potential race condition in TLB sync",
                            "    - x86/um: fix vDSO installation",
                            "    - clk: qoriq: avoid format string warning",
                            "    - clk: xgene: Fix mapping leak in xgene_pllclk_init()",
                            "    - clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()",
                            "    - f2fs: avoid reading already updated pages during GC",
                            "    - printk_ringbuffer: Fix get_data() size sanity check",
                            "    - clk: qcom: gdsc: Fix error path on registration of multiple pm",
                            "      subdomains",
                            "    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()",
                            "    - f2fs: fix data loss caused by incorrect use of nat_entry flag",
                            "    - f2fs: fix to preserve previous reserve_{blocks,node} value when remount",
                            "    - scsi: hpsa: Enlarge controller and IRQ name buffers",
                            "    - drm/amd/display: Fix parameter mismatch in panel self-refresh helper",
                            "    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON",
                            "    - clk: visconti: pll: initialize clk_init_data to zero",
                            "    - f2fs: allow empty mount string for Opt_usr|grp|projjquota",
                            "    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()",
                            "    - drm/i915/wm: Verify the correct plane DDB entry",
                            "    - virt: arm-cca-guest: fix error check for RSI_INCOMPLETE",
                            "    - crypto: eip93 - fix hmac setkey algo selection",
                            "    - crypto: sa2ul - Fix AEAD fallback algorithm names",
                            "    - crypto: ccp - copy IV using skcipher ivsize",
                            "    - sh: Include <linux/io.h> in dac.h",
                            "    - erofs: unify lcn as u64 for 32-bit platforms",
                            "    - tools: hv: Fix cross-compilation",
                            "    - Drivers: hv: vmbus: fix hyperv_cpuhp_online variable shadowing",
                            "    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for",
                            "      PMIC_nINT",
                            "    - PCMCIA: Fix garbled log messages for KERN_CONT",
                            "    - reset: amlogic: t7: Fix null reset ops",
                            "    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT",
                            "    - arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's",
                            "      phy-names",
                            "    - pwm: stm32: Fix rounding issue for requests with inverted polarity",
                            "    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in",
                            "      tcf_blockcast_redir",
                            "    - macvlan: fix macvlan_get_size() not reserving space for",
                            "      IFLA_MACVLAN_BC_CUTOFF",
                            "    - net/sched: sch_cake: fix NAT destination port not being updated in",
                            "      cake_update_flowkeys",
                            "    - nexthop: fix IPv6 route referencing IPv4 nexthop",
                            "    - net: airoha: Wait for NPU PPE configuration to complete in",
                            "      airoha_ppe_offload_setup()",
                            "    - net/sched: taprio: fix use-after-free in advance_sched() on schedule",
                            "      switch",
                            "    - net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops",
                            "    - net: enetc: correct the command BD ring consumer index",
                            "    - net: enetc: fix NTMP DMA use-after-free issue",
                            "    - ksmbd: fix use-after-free in smb2_open during durable reconnect",
                            "    - tcp: move tp->chrono_type next tp->chrono_stat[]",
                            "    - tcp: inline tcp_chrono_start()",
                            "    - tcp: annotate data-races in tcp_get_info_chrono_stats()",
                            "    - tcp: add data-race annotations around tp->data_segs_out and",
                            "      tp->total_retrans",
                            "    - tcp: add data-races annotations around tp->reordering, tp->snd_cwnd",
                            "    - tcp: annotate data-races around tp->snd_ssthresh",
                            "    - tcp: annotate data-races around tp->delivered and tp->delivered_ce",
                            "    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE",
                            "    - tcp: annotate data-races around tp->bytes_sent",
                            "    - tcp: annotate data-races around tp->bytes_retrans",
                            "    - tcp: annotate data-races around tp->dsack_dups",
                            "    - tcp: annotate data-races around tp->reord_seen",
                            "    - tcp: annotate data-races around tp->srtt_us",
                            "    - tcp: annotate data-races around tp->timeout_rehash",
                            "    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)",
                            "    - tcp: annotate data-races around tp->plb_rehash",
                            "    - ice: fix 'adjust' timer programming for E830 devices",
                            "    - ice: update PCS latency settings for E825 10G/25Gb modes",
                            "    - ice: fix double-free of tx_buf skb",
                            "    - ice: fix PHY config on media change with link-down-on-close",
                            "    - ice: fix ICE_AQ_LINK_SPEED_M for 200G",
                            "    - ice: fix race condition in TX timestamp ring cleanup",
                            "    - ice: fix potential NULL pointer deref in error path of",
                            "      ice_set_ringparam()",
                            "    - i40e: don't advertise IFF_SUPP_NOFCS",
                            "    - iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2",
                            "    - e1000e: Unroll PTP in probe error handling",
                            "    - ipv6: fix possible UAF in icmpv6_rcv()",
                            "    - af_unix: Drop all SCM attributes for SOCKMAP.",
                            "    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks",
                            "    - pppoe: drop PFC frames",
                            "    - net/mlx5: Fix HCA caps leak on notifier init failure",
                            "    - net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()",
                            "    - netfilter: nft_osf: restrict it to ipv4",
                            "    - netfilter: conntrack: remove sprintf usage",
                            "    - netfilter: xtables: restrict several matches to inet family",
                            "    - netfilter: nat: use kfree_rcu to release ops",
                            "    - ipvs: fix MTU check for GSO packets in tunnel mode",
                            "    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching",
                            "    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check",
                            "    - net/sched: sch_dualpi2: drain both C-queue and L-queue in",
                            "      dualpi2_change()",
                            "    - arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0",
                            "    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number",
                            "    - vfio/pci: Clean up DMABUFs before disabling function",
                            "    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic",
                            "    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()",
                            "    - ksmbd: destroy async_ida in ksmbd_conn_free()",
                            "    - ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open",
                            "    - ksmbd: scope conn->binding slowpath to bound sessions only",
                            "    - net: validate skb->napi_id in RX tracepoints",
                            "    - bnge: fix initial HWRM sequence",
                            "    - bnge: remove unsupported backing store type",
                            "    - sctp: fix sockets_allocated imbalance after sk_clone()",
                            "    - net/rds: zero per-item info buffer before handing it to visitors",
                            "    - ice: fix timestamp interrupt configuration for E825C",
                            "    - ice: perform PHY soft reset for E825C ports at initialization",
                            "    - ice: fix ready bitmap check for non-E822 devices",
                            "    - ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g",
                            "    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()",
                            "    - net/sched: sch_pie: annotate data-races in pie_dump_stats()",
                            "    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()",
                            "    - net/sched: sch_red: annotate data-races in red_dump_stats()",
                            "    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()",
                            "    - net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()",
                            "    - net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()",
                            "    - net: dsa: realtek: rtl8365mb: fix mode mask calculation",
                            "    - net: airoha: Move ndesc initialization at end of",
                            "      airoha_qdma_init_rx_queue()",
                            "    - net: airoha: Rework the code flow in airoha_remove() and in",
                            "      airoha_probe() error path",
                            "    - net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()",
                            "    - net: mana: Init link_change_work before potential error paths in probe",
                            "    - net: mana: Init gf_stats_work before potential error paths in probe",
                            "    - net: mana: Guard mana_remove against double invocation",
                            "    - net: mana: Don't overwrite port probe error with add_adev result",
                            "    - net: mana: Fix EQ leak in mana_remove on NULL port",
                            "    - vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting",
                            "    - virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via",
                            "      VQ_PAIRS_SET",
                            "    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls",
                            "    - tcp: send a challenge ACK on SEG.ACK > SND.NXT",
                            "    - tipc: fix double-free in tipc_buf_append()",
                            "    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()",
                            "    - nstree: fix func. parameter kernel-doc warnings",
                            "    - eventpoll: use hlist_is_singular_node() in __ep_remove()",
                            "    - eventpoll: split __ep_remove()",
                            "    - eventpoll: kill __ep_remove()",
                            "    - eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()",
                            "    - eventpoll: move epi_fget() up",
                            "    - fs/adfs: validate nzones in adfs_validate_bblk()",
                            "    - rtc: abx80x: Disable alarm feature if no interrupt attached",
                            "    - kbuild: builddeb - avoid recompiles for non-cross-compiles",
                            "    - tools/power turbostat: Fix AMD RAPL regression on big systems",
                            "    - fbdev: offb: fix PCI device reference leak on probe failure",
                            "    - tools/power turbostat: Fix unrecognized option '-P'",
                            "    - tools/power turbostat: Fix --cpu-set 0 regression on HT systems",
                            "    - tools/power turbostat: Fix --cpu-set 1 regression on HT systems",
                            "    - kbuild: Never respect CONFIG_WERROR / W=e to fixdep",
                            "    - mailbox: mtk-vcp-mailbox: Fix the return value in mtk_vcp_mbox_xlate()",
                            "    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case",
                            "    - mailbox: mailbox-test: free channels on probe error",
                            "    - sched/psi: fix race between file release and pressure write",
                            "    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()",
                            "    - cgroup/cpuset: record DL BW alloc CPU for attach rollback",
                            "    - mailbox: add sanity check for channel array",
                            "    - mailbox: mailbox-test: handle channel errors consistently",
                            "    - mailbox: mailbox-test: don't free the reused channel",
                            "    - mailbox: mailbox-test: initialize struct earlier",
                            "    - mailbox: mailbox-test: make data_ready a per-instance variable",
                            "    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()",
                            "    - btrfs: fix bytes_may_use leak in move_existing_remap()",
                            "    - btrfs: fix bytes_may_use leak in do_remap_reloc_trans()",
                            "    - btrfs: don't clobber errors in add_remap_tree_entries()",
                            "    - btrfs: fix double-decrement of bytes_may_use in",
                            "      submit_one_async_extent()",
                            "    - tracing: branch: Fix inverted check on stat tracer registration",
                            "    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers",
                            "    - netfilter: nf_tables: use list_del_rcu for netlink hooks",
                            "    - rculist: add list_splice_rcu() for private lists",
                            "    - netfilter: nf_tables: join hook list via splice_list_rcu() in commit",
                            "      phase",
                            "    - netfilter: nf_tables: add hook transactions for device deletions",
                            "    - nvme-pci: fix missed admin queue sq doorbell write",
                            "    - drm/amdgpu: avoid double drm_exec_fini() in userq validate",
                            "    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM",
                            "    - drm/amd/pm: fix missing fine-grained dpm table flag on aldebaran",
                            "    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG",
                            "    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated",
                            "    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)",
                            "    - drm/amdgpu: Only send RMA CPER when threshold is exceeded",
                            "    - netfilter: xt_policy: fix strict mode inbound policy matching",
                            "    - netfilter: nf_conntrack_sip: don't use simple_strtoul",
                            "    - spi: rzv2h-rspi: Fix silent failure in clock setup error path",
                            "    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED",
                            "    - ASoC: SOF: Intel: add an empty adr_link",
                            "    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ",
                            "    - ASoC: tas2764: Mark die temp register as volatile",
                            "    - ASoC: tas2770: Fix order of operations for temperature calculation",
                            "    - drm/sysfb: ofdrm: fix PCI device reference leaks",
                            "    - drm/color-mgmt: Typo s/R332/RGB332/",
                            "    - arm64/scs: Fix potential sign extension issue of advance_loc4",
                            "    - spi: spi-mem: Add a packed command operation",
                            "    - mtd: spinand: Add support for packed read data ODTR commands",
                            "    - mtd: spinand: winbond: Set the packed page read flag to W35N02/04JW",
                            "    - mtd: spinand: winbond: Fix ODTR write VCR on W35NxxJW",
                            "    - ACPICA: Provide #defines for EINJV2 error types",
                            "    - ACPI: APEI: EINJ: Fix EINJV2 memory error injection",
                            "    - cdrom, scsi: sr: propagate read-only status to block layer via",
                            "      set_disk_ro()",
                            "    - spi: axiado: replace usleep_range() with udelay() in IRQ path",
                            "    - netdevsim: zero initialize struct iphdr in dummy sk_buff",
                            "    - net/sched: netem: fix probability gaps in 4-state loss model",
                            "    - net/sched: netem: fix queue limit check to include reordered packets",
                            "    - net/sched: netem: only reseed PRNG when seed is explicitly provided",
                            "    - net/sched: netem: validate slot configuration",
                            "    - net/sched: netem: fix slot delay calculation overflow",
                            "    - net/sched: netem: check for negative latency and jitter",
                            "    - net: airoha: fix BQL imbalance in TX path",
                            "    - net: airoha: stop net_device TX queue before updating CPU index",
                            "    - net: airoha: fix typo in function name",
                            "    - net: airoha: Do not wake all netdev TX queues in",
                            "      airoha_qdma_wake_netdev_txqs()",
                            "    - net: airoha: Do not read uninitialized fragment address in",
                            "      airoha_dev_xmit()",
                            "    - net/sched: sch_choke: annotate data-races in choke_dump_stats()",
                            "    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()",
                            "    - vrf: Fix a potential NPD when removing a port from a VRF",
                            "    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()",
                            "    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit",
                            "    - spi: amlogic-spisg: initialize completion before requesting IRQ",
                            "    - NFC: trf7970a: Ignore antenna noise when checking for RF field",
                            "    - net: phonet: do not BUG_ON() in pn_socket_autobind() on failed bind",
                            "    - neigh: let neigh_xmit take skb ownership",
                            "    - tcp: make probe0 timer handle expired user timeout",
                            "    - netpoll: fix IPv6 local-address corruption",
                            "    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams",
                            "    - sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue",
                            "    - sched/fair: Clear rel_deadline when initializing forked entities",
                            "    - net: mctp i2c: check length before marking flow active",
                            "    - md/raid1,raid10: don't fail devices for invalid IO errors",
                            "    - md: add fallback to correct bitmap_ops on version mismatch",
                            "    - md: factor bitmap creation away from sysfs handling",
                            "    - md/md-bitmap: split bitmap sysfs groups",
                            "    - md/md-bitmap: add a none backend for bitmap grow",
                            "    - s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()",
                            "    - net: phy: dp83869: fix setting CLK_O_SEL field.",
                            "    - drm/amd/display: properly handle family setting for early GC 11.5.4",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring",
                            "    - drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring",
                            "    - drm/amdgpu/jpeg: set no_user_fence for JPEG v5.3.0 ring",
                            "    - drm/amd/pm: Add fine grained flag to SMU v13.0.6",
                            "    - io_uring/napi: cap busy_poll_to 10 msec",
                            "    - ASoC: cs35l56: Fix illegal writes to OTP_MEM registers",
                            "    - net: psp: check for device unregister when creating assoc",
                            "    - net: psp: require admin permission for dev-set and key-rotate",
                            "    - ASoC: codecs: ab8500: Fix casting of private data",
                            "    - netfilter: skip recording stale or retransmitted INIT",
                            "    - sctp: discard stale INIT after handshake completion",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (I)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (II)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (IV)",
                            "    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)",
                            "    - netconsole: return count instead of strnlen(buf, count) from store",
                            "      callbacks",
                            "    - netconsole: avoid clobbering userdatum value on truncated write",
                            "    - netconsole: propagate device name truncation in dev_name_store()",
                            "    - netconsole: restore userdatum value on update_userdata() failure",
                            "    - ALSA: hda/conexant: Fix missing error check for jack detection",
                            "    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()",
                            "    - ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0",
                            "      pages >1",
                            "    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup",
                            "    - drm/amd/display: Allow embedded connectors without DDC",
                            "    - drm/amd/display: Allow DCE link encoder without AUX registers",
                            "    - drm/amd/display: Allow constructing DCE6 link encoder without DDC",
                            "    - drm/amd/display: Allow constructing DCE8 link encoder without DDC",
                            "    - drm/amd/display: Read EDID from VBIOS embedded panel info",
                            "    - drm/amd/display: Use EDID from VBIOS embedded panel info",
                            "    - drm/xe: Use XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET enum instead of magic",
                            "      number",
                            "    - drm/xe: Drop registration of guc_submit_wedged_fini from",
                            "      xe_guc_submit_wedge()",
                            "    - drm/xe/debugfs: Correct printing of register whitelist ranges",
                            "    - drm/xe: Fix potential NULL deref in",
                            "      xe_exec_queue_tlb_inval_last_fence_put_unlocked",
                            "    - drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()",
                            "    - drm/xe/eustall: Fix drm_dev_put called before stream disable in close",
                            "    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()",
                            "    - drm/xe/xelp: Fix Wa_18022495364",
                            "    - net: airoha: Do not return err in ndo_stop() callback",
                            "    - bonding: print churn state via netlink",
                            "    - bonding: 3ad: implement proper RCU rules for port->aggregator",
                            "    - page_pool: fix memory-provider leak in page_pool_create_percpu() error",
                            "      path",
                            "    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING",
                            "    - iavf: stop removing VLAN filters from PF on interface down",
                            "    - iavf: wait for PF confirmation before removing VLAN filters",
                            "    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler",
                            "    - ice: fix NULL pointer dereference in ice_reset_all_vfs()",
                            "    - ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw",
                            "    - ice: fix missing SMA pin initialization in DPLL subsystem",
                            "    - ice: fix SMA and U.FL pin state changes affecting paired pin",
                            "    - ice: fix missing dpll notifications for SW pins",
                            "    - dpll: export __dpll_pin_change_ntf() for use under dpll_lock",
                            "    - ice: add dpll peer notification for paired SMA and U.FL pins",
                            "    - net: tls: fix strparser anchor skb leak on offload RX setup failure",
                            "    - sfc: fix error code in efx_devlink_info_running_versions()",
                            "    - net/sched: cls_flower: revert unintended changes",
                            "    - kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition",
                            "    - arm64: Reserve an extra page for early kernel mapping",
                            "    - futex: Drop CLONE_THREAD requirement for private default hash alloc",
                            "    - PCI: Initialize temporary device in new_id_store()",
                            "    - workqueue: fix devm_alloc_workqueue() va_list misuse",
                            "    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()",
                            "    - sched/fair: Fix wakeup_preempt_fair() for not waking up task",
                            "    - crypto: af_alg - Cap AEAD AD length to 0x80000000",
                            "    - i40e: Cleanup PTP pins on probe failure",
                            "    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path",
                            "    - net: ena: PHC: Fix potential use-after-free in get_timestamp",
                            "    - cgroup/cpuset: Reset DL migration state on can_attach() failure",
                            "    - netfilter: nf_conntrack_sip: get helper before allocating expectation",
                            "    - audit: fix incorrect inheritable capability in CAPSET records",
                            "    - net: ena: PHC: Check return code before setting timestamp output",
                            "    - cgroup/dmem: Return -ENOMEM on failed pool preallocation",
                            "    - idpf: fix double free and use-after-free in aux device error paths",
                            "    - cgroup/cpuset: Reserve DL bandwidth only for root-domain moves",
                            "    - Revert \"ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to",
                            "      warn\"",
                            "    - netfilter: nft_ct: fix missing expect put in obj eval",
                            "    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled",
                            "    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV",
                            "    - cgroup/cpuset: Return only actually allocated CPUs during partition",
                            "      invalidation",
                            "    - KVM: x86: Swap the dst and src operand for MOVNTDQA",
                            "    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()",
                            "    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer",
                            "      arithmetic",
                            "    - KVM: x86: Fix Xen hypercall tracepoint argument assignment",
                            "    - HID: pass the buffer size to hid_report_raw_event",
                            "    - HID: core: introduce hid_safe_input_report()",
                            "    - rseq: Revert to historical performance killing behaviour",
                            "    - rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode",
                            "    - rseq: Reenable performance optimizations conditionally",
                            "    - HID: core: Fix size_t specifier in hid_report_raw_event()",
                            "    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands",
                            "    - media: staging: imx: configure src_mux in csi_start",
                            "    - Bluetooth: btmtk: accept too short WMT FUNC_CTRL events",
                            "    - nvme-apple: Reset q->sq_tail during queue init",
                            "    - smb/client: fix possible infinite loop and oob read in symlink_data()",
                            "    - drm/loongson: Use managed KMS polling",
                            "    - drm: Replace old pointer to new idr",
                            "    - drm/bridge: imx8qxp-pxl2dpi: avoid ERR_PTR with device_node cleanup",
                            "    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats",
                            "    - drm/amd/display: Wrap DCN32 phantom-plane allocation in",
                            "      DC_RUN_WITH_PREEMPTION_ENABLED",
                            "    - drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure",
                            "    - platform/x86: intel: Move debugfs register before creating devices",
                            "    - platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers",
                            "    - platform/x86: lenovo-wmi-helpers: Fix memory leak in",
                            "      lwmi_dev_evaluate_int()",
                            "    - platform/x86: lenovo-wmi-other: Balance IDA id allocation and free",
                            "    - platform/x86: lenovo-wmi-other: Balance component bind and unbind",
                            "    - platform/x86: lenovo-wmi-other: Zero initialize WMI arguments",
                            "    - platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members",
                            "    - platform/x86: lenovo-wmi-other: Add Attribute ID helper functions",
                            "    - platform/x86: lenovo-wmi-other: Limit adding attributes to supported",
                            "      devices",
                            "    - accel/rocket: Fix prep_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx",
                            "    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone",
                            "    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans",
                            "    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans",
                            "    - ALSA: usb-audio: qcom: Check offload mapping failures",
                            "    - btrfs: only release the dirty pages io tree after successful writes",
                            "    - ceph: fix a buffer leak in __ceph_setxattr()",
                            "    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size",
                            "    - ceph: put folios not suitable for writeback",
                            "    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()",
                            "    - iommu/amd: Bounds-check devid in __rlookup_amd_iommu()",
                            "    - x86/kexec: Push kjump return address even for non-kjump kexec",
                            "    - xfs: fix memory leak on error in xfs_alloc_zone_info()",
                            "    - virt: sev-guest: Do not use host-controlled page order in cleanup path",
                            "    - powerpc/warp: Fix error handling in pika_dtm_thread",
                            "    - netfs: fix error handling in netfs_extract_user_iter()",
                            "    - nfsd: fix GET_DIR_DELEGATION when VFS leases are disabled",
                            "    - nfsd: fix file change detection in CB_GETATTR",
                            "    - nfsd: update mtime/ctime on CLONE in presense of delegated attributes",
                            "    - nfsd: update mtime/ctime on COPY in presence of delegated attributes",
                            "    - irqchip/riscv-imsic: Clear interrupt move state during CPU offlining",
                            "    - irqchip/meson-gpio: Use the correct register in",
                            "      meson_s4_gpio_irq_set_type()",
                            "    - irqchip/gic-v5: Move LPI allocation into the LPI domain",
                            "    - irqchip/gic-v5: Support range allocation for LPIs",
                            "    - irqchip/gic-v5: Allocate ITS parent LPIs as a range",
                            "    - libceph: Fix potential out-of-bounds access in osdmap_decode()",
                            "    - libceph: Fix potential null-ptr-deref in decode_choose_args()",
                            "    - libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()",
                            "    - libceph: Fix potential out-of-bounds access in crush_decode()",
                            "    - libceph: handle rbtree insertion error in decode_choose_args()",
                            "    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX",
                            "    - iommu/vt-d: Fix oops due to out of scope access",
                            "    - iommu/vt-d: Avoid NULL pointer dereference or refcount corruption",
                            "    - iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()",
                            "    - iommu: Replace per-group resetting_domain with per-gdev blocked flag",
                            "    - iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset",
                            "    - iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix nested pci_dev_reset_iommu_prepare/done()",
                            "    - iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()",
                            "    - drm/i915: skip __i915_request_skip() for already signaled requests",
                            "    - drm/panfrost: Fix wait_bo ioctl leaking positive return from",
                            "      dma_resv_wait_timeout()",
                            "    - drm/xe/dma-buf: handle empty bo and UAF races",
                            "    - drm/xe/dma-buf: fix UAF with retry loop",
                            "    - drm/ttm: Fix ttm_bo_shrink() infinite LRU walk on backup failure",
                            "    - drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC",
                            "    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup",
                            "    - drm/gma500/oaktrail_lvds: fix hang on init failure",
                            "    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init",
                            "    - arm_mpam: Fix monitor instance selection when checking for hardware NRDY",
                            "    - arm_mpam: Pretend that NRDY is always hardware managed",
                            "    - arm_mpam: Improve check for whether or not NRDY is hardware managed",
                            "    - arm_mpam: Fix false positive assert failure during mpam_disable()",
                            "    - arm_mpam: Check whether the config array is allocated before destroying",
                            "      it",
                            "    - eventfs: Simplify code using guard()s",
                            "    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list",
                            "    - smb: client: Use FullSessionKey for AES-256 encryption key derivation",
                            "    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: sifive: fix controller deregistration",
                            "    - tracefs: Removed unused 'ret' variable in eventfs_iterate()",
                            "    - workqueue: Annotate alloc_workqueue_va() with __printf(1, 0)",
                            "    - selftests/bpf: Remove test_access_variable_array",
                            "    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()",
                            "    - Linux 7.0.10",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45846",
                            "    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45845",
                            "    - net/sched: taprio: fix NULL pointer dereference in class dump",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45844",
                            "    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-46242",
                            "    - eventpoll: fix ep_remove struct eventpoll / struct file UAF",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45843",
                            "    - slip: bound decode() reads against the compressed packet length",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45842",
                            "    - slip: reject VJ receive packets on instances with no rstate array",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45841",
                            "    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45840",
                            "    - openvswitch: cap upcall PID array size and pre-size vport replies",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45839",
                            "    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()",
                            "",
                            "  * Resolute update: v7.0.10 upstream stable release (LP: #2156385) //",
                            "    CVE-2026-45838",
                            "    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006)",
                            "    - Linux 7.0.8",
                            "    - HID: pidff: Fix integer overflow in pidff_rescale",
                            "    - media: uvcvideo: Enable VB2_DMABUF for metadata stream",
                            "    - drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames",
                            "    - media: rzv2h-ivc: Avoid double job scheduling",
                            "    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0",
                            "    - media: rzv2h-ivc: Write AXIRX_PIXFMT once",
                            "    - media: rzv2h-ivc: Fix FM_STOP register write",
                            "    - media: rzv2h-ivc: Fix concurrent buffer list access",
                            "    - media: mali-c55: Initialize the ISP in enable_streams()",
                            "    - media: mali-c55: Fix Iridix bypass macros",
                            "    - media: renesas: vsp1: Fix NULL pointer deref on module unload",
                            "    - media: renesas: vin: Fix RAW8 (again)",
                            "    - media: i2c: ov8856: free control handler on error in",
                            "      ov8856_init_controls()",
                            "    - media: dt-bindings: rockchip,vdec: Add alternative reg-names order for",
                            "      RK35{76,88}",
                            "    - media: dt-bindings: rockchip,vdec: Mark reg-names required for",
                            "      RK35{76,88}",
                            "    - media: chips-media: wave5: fix a potential memory leak in",
                            "      wave5_vdi_init()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      send_eos_event()",
                            "    - media: chips-media: wave5: add missing spinlock protection for",
                            "      handle_dynamic_resolution_change()",
                            "    - arm64: dts: freescale: imx95-toradex-smarc: fix PMIC_SD2_VSEL label",
                            "      position",
                            "    - drm/gpusvm: Allow device pages to be mapped in mixed mappings after",
                            "      system pages",
                            "    - drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages",
                            "    - spi: bcm63xx: fix controller deregistration",
                            "    - spi: atmel: fix controller deregistration",
                            "    - arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux",
                            "    - regulator: mt6357: fix OF node reference imbalance",
                            "    - spi: st-ssc4: fix controller deregistration",
                            "    - regulator: max77650: fix OF node reference imbalance",
                            "    - media: ti: vpe: Add missing v4l2_device_unregister in vip_remove()",
                            "    - media: rc: streamzap: Error handling in probe",
                            "    - media: i2c: imx283: Enter full standby when stopping streaming",
                            "    - regulator: bq257xx: fix OF node reference imbalance",
                            "    - regulator: rk808: fix OF node reference imbalance",
                            "    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
                            "    - media: mali-c55: Fully reset the ISP configuration",
                            "    - media: intel/ipu6: fix error pointer dereference",
                            "    - media: i2c: imx283: Fix hang when going from large to small resolution",
                            "    - regulator: act8945a: fix OF node reference imbalance",
                            "    - regulator: s2dos05: fix OF node reference imbalance",
                            "    - regulator: bd9571mwv: fix OF node reference imbalance",
                            "    - spi: lantiq-ssc: fix controller deregistration",
                            "    - spi: meson-spicc: fix controller deregistration",
                            "    - spi: qup: fix controller deregistration",
                            "    - arm64: dts: ti: k3-am69-aquila-clover: Fix DP regulator enable GPIO",
                            "    - spi: at91-usart: fix controller deregistration",
                            "    - media: ipu-bridge: Add upside-down sensor DMI quirk for Dell XPS 13 9340",
                            "      and XPS 14 9440",
                            "    - spi: amlogic-spisg: fix controller deregistration",
                            "    - spi: aspeed-smc: fix controller deregistration",
                            "    - drm/colorop: Preserve bypass value in duplicate_state()",
                            "    - drm/atomic: Add affected colorops with affected planes",
                            "    - platform/x86: hp-wmi: Ignore backlight and FnLock events",
                            "    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to",
                            "      copy",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for",
                            "      pinctrl/pinctrl_aon",
                            "    - arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt",
                            "    - media: pci: zoran: fix potential memory leak in zoran_probe()",
                            "    - media: dib8000: avoid division by 0 in dib8000_set_dds()",
                            "    - media: i2c: imx412: Assert reset GPIO during probe",
                            "    - media: staging: imx: request mbus_config in csi_start",
                            "    - media: i2c: ov08d10: fix image vertical start setting",
                            "    - media: i2c: ov08d10: fix runtime PM handling in probe",
                            "    - media: omap3isp: drop the use count of v4l2 pipeline",
                            "    - media: iris: fix QCOM_MDT_LOADER dependency",
                            "    - media: qcom: camss: Fix csid clock configuration for sa8775p",
                            "    - media: qcom: camss: Fix csid IRQ offset for sa8775p",
                            "    - media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on",
                            "      SC7280",
                            "    - media: venus: fix QCOM_MDT_LOADER dependency",
                            "    - media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()",
                            "    - media: iris: switch to hardware mode after firmware boot",
                            "    - media: qcom: camss: Add missing clocks for VFE lite on sa8775p",
                            "    - spi: mxs: fix controller deregistration",
                            "    - spi: mt65xx: fix controller deregistration",
                            "    - spi: dln2: fix controller deregistration",
                            "    - spi: s3c64xx: fix controller deregistration",
                            "    - spi: fsl-espi: fix controller deregistration",
                            "    - spi: omap2-mcspi: fix controller deregistration",
                            "    - spi: pic32: fix controller deregistration",
                            "    - spi: ep93xx: fix controller deregistration",
                            "    - spi: mtk-nor: fix controller deregistration",
                            "    - spi: pl022: fix controller deregistration",
                            "    - spi: sh-hspi: fix controller deregistration",
                            "    - spi: bcmbca-hsspi: fix controller deregistration",
                            "    - spi: coldfire-qspi: fix controller deregistration",
                            "    - spi: npcm-pspi: fix controller deregistration",
                            "    - spi: cavium-thunderx: fix controller deregistration",
                            "    - spi: pic32-sqi: fix controller deregistration",
                            "    - spi: sprd: fix controller deregistration",
                            "    - spi: sh-msiof: fix controller deregistration",
                            "    - spi: slave-mt27xx: fix controller deregistration",
                            "    - spi: img-spfi: fix controller deregistration",
                            "    - spi: mpfs: fix controller deregistration",
                            "    - spi: octeon: fix controller deregistration",
                            "    - spi: imx: fix runtime pm leak on probe deferral",
                            "    - spi: mxic: fix controller deregistration",
                            "    - spi: orion: fix controller deregistration",
                            "    - spi: orion: fix runtime pm leak on unbind",
                            "    - spi: orion: fix clock imbalance on registration failure",
                            "    - spi: cadence: fix controller deregistration",
                            "    - spi: cadence-quadspi: fix controller deregistration",
                            "    - spi: cadence: fix unclocked access on unbind",
                            "    - spi: cadence: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm disable imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix clock imbalance on probe failure",
                            "    - spi: cadence-quadspi: fix runtime pm and clock imbalance on unbind",
                            "    - drm/colorop: Fix blob property reference tracking in state lifecycle",
                            "    - drm/imx: parallel-display: Prefer bus format set via legacy \"interface-",
                            "      pix-fmt\" DT property",
                            "    - drm/msm: always recover the gpu",
                            "    - drm/v3d: Reject empty multisync extension to prevent infinite loop",
                            "    - drm/i915/psr: Init variable to avoid early exit from et alignment loop",
                            "    - drm/amd/display: fix math_mod() using arg1 instead of arg2",
                            "    - drm/amd: Add missing firmware declaration for PSP v15.0.0",
                            "    - drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0",
                            "      .",
                            "    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.",
                            "    - drm/amdgpu: gate VM CPU HDP flush on reset lock",
                            "    - drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x",
                            "    - drm/amdkfd: Add upper bound check for num_of_nodes",
                            "    - drm/amdgpu/vce: Prevent partial address patches",
                            "    - drm/amd/display: Change dither policy for 10 bpc output back to",
                            "      dithering",
                            "    - drm/appletbdrm: Use kvzalloc for big allocations",
                            "    - drm/amdgpu: Avoid reset in AMDGPU unload path for APUs with GFX V11 and",
                            "      higher.",
                            "    - drm/udl: Increase GET_URB_TIMEOUT",
                            "    - drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()",
                            "    - drm/xe/bo: Fix bo leak on unaligned size validation in",
                            "      xe_bo_init_locked()",
                            "    - drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
                            "    - drm/radeon: add missing revision check for CI",
                            "    - drm/amdgpu: zero-initialize GART table on allocation",
                            "    - drm/exynos: remove bridge when component_add fails",
                            "    - drm/amdgpu/userq: fix access to stale wptr mapping",
                            "    - drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ",
                            "    - drm/bridge: tda998x: Use __be32 for audio port OF property pointer",
                            "    - drm/sti: remove bridge when sti_hda component_add fails",
                            "    - drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds",
                            "    - drm/amdkfd: Make all TLB-flushes heavy-weight",
                            "    - drm/amdgpu/pm: add missing revision check for CI",
                            "    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon",
                            "    - arm64: dts: qcom: kodiak: Fix PCIe1 PHY ref clock voting",
                            "    - arm64: dts: qcom: lemans: Correct QUP interrupt numbers",
                            "    - arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22",
                            "    - arm64: dts: ti: k3-am69-aquila-dev: Fix DP regulator enable GPIO",
                            "    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure",
                            "    - sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation",
                            "    - usb: typec: tcpm: reset internal port states on soft reset AMS",
                            "    - io_uring/zcrx: use guards for locking",
                            "    - io_uring/zcrx: warn on freelist violations",
                            "    - kho: fix error handling in kho_add_subtree()",
                            "    - EDAC/versalnet: Refactor memory controller initialization and cleanup",
                            "    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()",
                            "    - spi: uniphier: fix controller deregistration",
                            "    - cgroup: Increment nr_dying_subsys_* from rmdir context",
                            "    - sched_ext: Skip tasks with stale task_rq in bypass_lb_cpu()",
                            "    - perf build: fix \"argument list too long\" in second location",
                            "    - mm/vma: do not try to unmap a VMA if mmap_prepare() invoked from mmap()",
                            "    - vsock/virtio: fix length and offset in tap skb for split packets",
                            "    - drm/amdgpu/vcn3: Avoid overflow on msg bound check",
                            "    - drm/amdgpu/vcn4: Avoid overflow on msg bound check",
                            "    - Linux 7.0.9",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46214",
                            "    - vsock/virtio: fix accept queue count leak on transport mismatch",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46207",
                            "    - vsock/virtio: fix empty payload in tap skb for non-linear buffers",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46234",
                            "    - vsock: fix buffer size clamping order",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46223",
                            "    - cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46221",
                            "    - EDAC/versalnet: Fix device name memory leak",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46231",
                            "    - batman-adv: bla: put backbone reference on failed claim hash insert",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46233",
                            "    - batman-adv: bla: only purge non-released claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46212",
                            "    - batman-adv: bla: prevent use-after-free when deleting claims",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46238",
                            "    - batman-adv: stop caching unowned originator pointers in BAT IV",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46208",
                            "    - batman-adv: stop tp_meter sessions during mesh teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46206",
                            "    - batman-adv: reject new tp_meter sessions during teardown",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46198",
                            "    - batman-adv: fix integer overflow on buff_pos",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46227",
                            "    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in",
                            "      SCTP_SENDALL",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46220",
                            "    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46215",
                            "    - drm: Set old handle to NULL before prime swap in change_handle",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46201",
                            "    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46224",
                            "    - drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46197",
                            "    - drm/amdkfd: validate SVM ioctl nattr against buffer size",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46209",
                            "    - drm/gem: Fix inconsistent plane dimension calculation in",
                            "      drm_gem_fb_init_with_funcs()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46230",
                            "    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46199",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46204",
                            "    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46218",
                            "    - drm/amdgpu: Add bounds checking to ib_{get,set}_value",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46229",
                            "    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46211",
                            "    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46203",
                            "    - spi: cadence-quadspi: fix unclocked access on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46219",
                            "    - spi: mpc52xx: fix use-after-free on unbind",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46200",
                            "    - spi: mpc52xx: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46241",
                            "    - spi: mpc52xx: fix use-after-free on registration failure",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46225",
                            "    - spi: rspi: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46226",
                            "    - spi: fsl: fix controller deregistration",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46228",
                            "    - spi: ch341: fix devres lifetime",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46216",
                            "    - drm/xe/hdcp: Add NULL check for media_gt in",
                            "      intel_hdcp_gsc_check_status()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46210",
                            "    - media: iris: fix use-after-free of fmt_src during MBPF check",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46240",
                            "    - media: iris: Fix use-after-free in iris_release_internal_buffers()",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46235",
                            "    - media: saa7164: add ioremap return checks and cleanups",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46222",
                            "    - media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46239",
                            "    - media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46236",
                            "    - media: rc: xbox_remote: heed DMA restrictions",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46205",
                            "    - staging: media: atomisp: Disallow all private IOCTLs",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46202",
                            "    - HID: appletb-kbd: run inactivity autodim from workqueues",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46213",
                            "    - HID: appletb-kbd: fix UAF in inactivity-timer cleanup path",
                            "",
                            "  * Resolute update: v7.0.9 upstream stable release (LP: #2156006) //",
                            "    CVE-2026-46232",
                            "    - HID: playstation: Clamp num_touch_reports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988)",
                            "    - ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states",
                            "    - ACPI: scan: Use acpi_dev_put() in object add error paths",
                            "    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO",
                            "    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug",
                            "    - ACPI: video: force native backlight on HP OMEN 16 (8A44)",
                            "    - iommufd: Fix a race with concurrent allocation and unmap",
                            "    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command",
                            "    - spi: rockchip: fix controller deregistration",
                            "    - ksmbd: rewrite stop_sessions() with restartable iteration",
                            "    - flow_dissector: do not dissect PPPoE PFC frames",
                            "    - smb: client/smbdirect: fix MR registration for coalesced SG lists",
                            "    - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr",
                            "    - wifi: mt76: mt7925: fix incorrect length field in txpower command",
                            "    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work",
                            "    - wifi: ath5k: do not access array OOB",
                            "    - ALSA: usb-audio: midi2: Restart output URBs on resume",
                            "    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check",
                            "    - usb: dwc3: Move GUID programming after PHY initialization",
                            "    - USB: omap_udc: DMA: Don't enable burst 4 mode",
                            "    - USB: serial: option: add Telit Cinterion LE910Cx compositions",
                            "    - usb: typec: tcpm: fix debug accessory mode detection for sink ports",
                            "    - ALSA: hda: cs35l56: Propagate ASP TX source control errors",
                            "    - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi",
                            "      Laptop Pro 15",
                            "    - ALSA: firewire-tascam: Do not drop unread control events",
                            "    - ALSA: core: Serialize deferred fasync state checks",
                            "    - ALSA: seq: Fix UMP group 16 filtering",
                            "    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o",
                            "    - x86/efi: Restore IRQ state in EFI page fault handler",
                            "    - xfrm: provide message size for XFRM_MSG_MAPPING",
                            "    - selinux: fix avdcache auditing",
                            "    - selinux: don't reserve xattr slot when we won't fill it",
                            "    - selinux: shrink critical section in sel_write_load()",
                            "    - selinux: prune /sys/fs/selinux/checkreqprot",
                            "    - selinux: prune /sys/fs/selinux/disable",
                            "    - selinux: prune /sys/fs/selinux/user",
                            "    - selinux: allow multiple opens of /sys/fs/selinux/policy",
                            "    - io_uring/kbuf: support min length left for incremental buffers",
                            "    - io_uring/tw: serialize ctx->retry_llist with ->uring_lock",
                            "    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()",
                            "    - rust: drm: gem: clean up GEM state in init failure case",
                            "    - rust: allow `clippy::collapsible_match` globally",
                            "    - rust: allow `clippy::collapsible_if` globally",
                            "    - rust: pin-init: internal: move alignment check to `make_field_check`",
                            "    - spi: syncuacer: fix controller deregistration",
                            "    - spi: sun4i: fix controller deregistration",
                            "    - spi: zynq-qspi: fix controller deregistration",
                            "    - spi: ti-qspi: fix controller deregistration",
                            "    - spi: sun6i: fix controller deregistration",
                            "    - spi: tegra114: fix controller deregistration",
                            "    - spi: zynqmp-gqspi: fix controller deregistration",
                            "    - spi: tegra20-sflash: fix controller deregistration",
                            "    - spi: s3c64xx: fix NULL-deref on driver unbind",
                            "    - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in",
                            "      rtw_cbuf_alloc",
                            "    - staging: vme_user: fix root device leak on init failure",
                            "    - KVM: arm64: Fix kvm_vcpu_initialized() macro parameter",
                            "    - arm64: signal: Preserve POR_EL0 if poe_context is missing",
                            "    - mm/hugetlb_cma: round up per_node before logging it",
                            "    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT",
                            "    - LoongArch: KVM: Compile switch.S directly into the kernel",
                            "    - mptcp: pm: ADD_ADDR rtx: skip inactive subflows",
                            "    - perf/x86/intel: Improve validation and configuration of ACR masks",
                            "    - selftests/rseq: Don't run tests with runner scripts outside of the",
                            "      scripts",
                            "    - rseq: Set rseq::cpu_id_start to 0 on unregistration",
                            "    - rseq: Protect rseq_reset() against interrupts",
                            "    - rseq: Don't advertise time slice extensions if disabled",
                            "    - selftests/rseq: Make registration flexible for legacy and optimized mode",
                            "    - selftests/rseq: Skip tests if time slice extensions are not available",
                            "    - selftests/rseq: Validate legacy behavior",
                            "    - selftests/rseq: Expand for optimized RSEQ ABI v2",
                            "    - pseries/papr-hvpipe: Fix race with interrupt handler",
                            "    - pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()",
                            "    - pseries/papr-hvpipe: Fix the usage of copy_to_user()",
                            "    - net: libwx: use request_irq for VF misc interrupt",
                            "    - netpoll: pass buffer size to egress_dev() to avoid MAC truncation",
                            "    - ovl: fix verity lazy-load guard broken by fsverity_active() semantic",
                            "      change",
                            "    - parisc: Fix IRQ leak in LASI driver",
                            "    - x86/efi: Fix graceful fault handling after FPU softirq changes",
                            "    - hwmon: (ltc2992) Clamp threshold writes to hardware range",
                            "    - hwmon: (ltc2992) Fix u32 overflow in power read path",
                            "    - clk: rk808: fix OF node reference imbalance",
                            "    - hwmon: (corsair-psu) Close HID device on probe errors",
                            "    - af_unix: Reject SIOCATMARK on non-stream sockets",
                            "    - arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's",
                            "    - pmdomain: mediatek: fix use-after-free in",
                            "      scpsys_get_bus_protection_legacy()",
                            "    - block: fix zone write plug removal",
                            "    - block: only read from sqe on initial invocation of blkdev_uring_cmd()",
                            "    - cifs: abort open_cached_dir if we don't request leases",
                            "    - cifs: change_conf needs to be called for session setup",
                            "    - extcon: ptn5150: handle pending IRQ events during system resume",
                            "    - gpio: of: clear OF_POPULATED on hog nodes in remove path",
                            "    - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS",
                            "    - hv_sock: fix ARM64 support",
                            "    - hv_sock: Report EOF instead of -EIO for FIN",
                            "    - hv_sock: Return -EIO for malformed/short packets",
                            "    - spi: microchip-core-qspi: fix controller deregistration",
                            "    - spi: microchip-core-spi: fix controller deregistration",
                            "    - tracefs: Fix default permissions not being applied on initial mount",
                            "    - udf: reject descriptors with oversized CRC length",
                            "    - x86/boot/e820: Re-enable BIOS fallback if e820 table is empty",
                            "    - thermal: core: Free thermal zone ID later during removal",
                            "    - thermal/drivers/sprd: Fix temperature clamping in",
                            "      sprd_thm_temp_to_rawdata",
                            "    - thermal/drivers/sprd: Fix raw temperature clamping in",
                            "      sprd_thm_rawdata_to_temp",
                            "    - spi: topcliff-pch: fix controller deregistration",
                            "    - spi: topcliff-pch: fix use-after-free on unbind",
                            "    - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section",
                            "    - tracing/fprobe: Remove fprobe from hash in failure path",
                            "    - tracing/fprobe: Unregister fprobe even if memory allocation fails",
                            "    - tracing/probes: Limit size of event probe to 3K",
                            "    - tracing/fprobe: Check the same type fprobe on table as the unregistered",
                            "      one",
                            "    - clk: imx: imx8-acm: fix flags for acm clocks",
                            "    - clk: microchip: mpfs-ccc: fix out of bounds access during output",
                            "      registration",
                            "    - cpuidle: powerpc: avoid double clear when breaking snooze",
                            "    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk",
                            "      table",
                            "    - ASoC: ES8389: convert to devm_clk_get_optional() to get clock",
                            "    - ASoC: fsl_easrc: fix comment typo",
                            "    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error",
                            "    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop",
                            "    - ASoC: qcom: q6apm: remove child devices when apm is removed",
                            "    - btrfs: do not mark inode incompressible after inline attempt fails",
                            "    - dm: don't report warning when doing deferred remove",
                            "    - dm: fix a buffer overflow in ioctl processing",
                            "    - dm-verity-fec: correctly reject too-small FEC devices",
                            "    - dm-verity-fec: correctly reject too-small hash devices",
                            "    - dm-verity-fec: fix corrected block count stat",
                            "    - dm-verity-fec: fix the size of dm_verity_fec_io::erasures",
                            "    - isofs: validate Rock Ridge CE continuation extent against volume size",
                            "    - iommufd: Fix return value of iommufd_fault_fops_write()",
                            "    - iommu/vt-d: Block PASID attachment to nested domain with dirty tracking",
                            "    - iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update",
                            "    - lib/crc: tests: Make crc_kunit test only the enabled CRC variants",
                            "    - lib/scatterlist: fix temp buffer in extract_user_to_sg()",
                            "    - nvme-apple: drop invalid put of admin queue reference count",
                            "    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free",
                            "    - pmdomain: core: Fix detach procedure for virtual devices in genpd",
                            "    - psp: strip variable-length PSP header in psp_dev_rcv()",
                            "    - s390/debug: Reject zero-length input in debug_input_flush_fn()",
                            "    - s390/debug: Reject zero-length input before trimming a newline",
                            "    - KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty",
                            "    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values",
                            "    - mm/damon/stat: detect and use fresh enabled value",
                            "    - PCI: Update saved_config_space upon resource assignment",
                            "    - PCI/AER: Clear only error bits in PCIe Device Status",
                            "    - PCI/AER: Stop ruling out unbound devices as error source",
                            "    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage",
                            "    - power: supply: max17042: avoid overflow when determining health",
                            "    - perf/x86/intel: Always reprogram ACR events to prevent stale masks",
                            "    - perf/x86/intel: Disable PMI for self-reloaded ACR events",
                            "    - perf/x86/intel: Enable auto counter reload for DMR",
                            "    - RDMA/ionic: bound node_desc sysfs read with %.64s",
                            "    - RDMA/ionic: Fix typo in format string",
                            "    - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()",
                            "    - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()",
                            "    - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask",
                            "    - sched_ext: Use dsq->first_task instead of list_empty() in",
                            "      dispatch_enqueue() FIFO-tail",
                            "    - selftests: mptcp: check output: catch cmd errors",
                            "    - selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl",
                            "    - mptcp: fastclose msk when linger time is 0",
                            "    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure",
                            "    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure",
                            "    - mptcp: sockopt: set timestamp flags on subflow socket, not msk",
                            "    - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf",
                            "    - mptcp: fix rx timestamp corruption on fastopen",
                            "    - mptcp: pm: prio: skip closed subflows",
                            "    - mptcp: pm: kernel: reset fullmesh counter after flush",
                            "    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker",
                            "    - mptcp: pm: ADD_ADDR rtx: return early if no retrans",
                            "    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()",
                            "    - f2fs: fix false alarm of lockdep on cp_global_sem lock",
                            "    - f2fs: fix fiemap boundary handling when read extent cache is incomplete",
                            "    - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage",
                            "    - f2fs: fix incorrect file address mapping when inline inode is unwritten",
                            "    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()",
                            "    - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()",
                            "    - f2fs: refactor f2fs_move_node_folio function",
                            "    - f2fs: fix inline data not being written to disk in writeback path",
                            "    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace",
                            "    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value",
                            "    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()",
                            "    - KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer",
                            "    - KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer",
                            "    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS",
                            "    - LoongArch: KVM: Fix \"unreliable stack\" for kvm_exc_entry",
                            "    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by",
                            "      software",
                            "    - LoongArch: KVM: Move unconditional delay into timer clear scenery",
                            "    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()",
                            "    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup",
                            "    - mmc: core: Adjust MDT beyond 2025",
                            "    - mmc: core: Add quirk for incorrect manufacturing date",
                            "    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs",
                            "    - crypto: qat - fix indentation of macros in qat_hal.c",
                            "    - crypto: qat - fix firmware loading failure for GEN6 devices",
                            "    - hfsplus: fix held lock freed on hfsplus_fill_super()",
                            "    - 8021q: use RCU for egress QoS mappings",
                            "    - printk: add print_hex_dump_devel()",
                            "    - crypto: caam - guard HMAC key hex dumps in hash_digest_key",
                            "    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()",
                            "    - rust: pin-init: fix incorrect accessor reference lifetime",
                            "    - Linux 7.0.7",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43490",
                            "    - ksmbd: validate inherited ACE SID length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46174",
                            "    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op",
                            "      cache",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46110",
                            "    - net: stmmac: Prevent NULL deref when RX memory exhausted",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46153",
                            "    - 8021q: delete cleared egress QoS mappings",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46169",
                            "    - hfsplus: fix uninit-value by validating catalog record size",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46188",
                            "    - octeon_ep_vf: add NULL check for napi_build_skb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45837",
                            "    - bpf: Fix use-after-free in arena_vm_close on fork",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46156",
                            "    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46147",
                            "    - KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46175",
                            "    - f2fs: fix fsck inconsistency caused by FGGC of node block",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46194",
                            "    - f2fs: fix node_cnt race between extent node destroy and writeback",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46170",
                            "    - mptcp: pm: ADD_ADDR rtx: free sk if last",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46158",
                            "    - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46168",
                            "    - mptcp: fix scheduling with atomic in timestamp sockopt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46189",
                            "    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46133",
                            "    - RDMA/rxe: Reject unknown opcodes before ICRC processing",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46114",
                            "    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46127",
                            "    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46176",
                            "    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46178",
                            "    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46181",
                            "    - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46145",
                            "    - RDMA/mana: Validate rx_hash_key_len",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46117",
                            "    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46126",
                            "    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46144",
                            "    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46141",
                            "    - powerpc/xive: fix kmemleak caused by incorrect chip_data lookup",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46183",
                            "    - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46121",
                            "    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46131",
                            "    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46139",
                            "    - smb: client: use kzalloc to zero-initialize security descriptor buffer",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46105",
                            "    - scsi: mpt3sas: Limit NVMe request size to 2 MiB",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46171",
                            "    - riscv: kvm: fix vector context allocation leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46112",
                            "    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46165",
                            "    - openvswitch: vport: fix self-deadlock on release of tunnel ports",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46161",
                            "    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43492",
                            "    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46124",
                            "    - isofs: validate block number from NFS file handle in isofs_export_iget",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46130",
                            "    - dm-verity-fec: fix reading parity bytes split across blocks (take 3)",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46106",
                            "    - eventfs: Hold eventfs_mutex and SRCU when remount walks events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46107",
                            "    - dm-thin: fix metadata refcount underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46160",
                            "    - btrfs: fix missing last_unlink_trans update when removing a directory",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46164",
                            "    - btrfs: fix double free in create_space_info_sub_group() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46129",
                            "    - btrfs: fix double free in create_space_info() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46159",
                            "    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to",
                            "      info-leak",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46143",
                            "    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46148",
                            "    - spi: microchip-core-qspi: control built-in cs manually",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46192",
                            "    - spi: microchip-core-qspi: don't attempt to transmit during emulated",
                            "      read-only dual/quad operations",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46162",
                            "    - ice: fix double free in ice_sf_eth_activate() error path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46273",
                            "    - ibmveth: Disable GSO for packets with small MSS",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46191",
                            "    - fbcon: Avoid OOB font access if console rotation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46134",
                            "    - platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43495",
                            "    - net: wwan: t7xx: validate port_count against message length in",
                            "      t7xx_port_enum_msg_handler",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43502",
                            "    - net/rds: handle zerocopy send cleanup before the message is queued",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46120",
                            "    - ip6_gre: Use cached t->net in ip6erspan_changelink().",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46142",
                            "    - net: libwx: fix VF illegal register access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46118",
                            "    - pseries/papr-hvpipe: Fix null ptr deref in",
                            "      papr_hvpipe_dev_create_handle()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46182",
                            "    - pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46184",
                            "    - sound: ua101: fix division by zero at probe",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43498",
                            "    - accel/ivpu: Disallow re-exporting imported GEM objects",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46132",
                            "    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in",
                            "      rtnl_fill_vfinfo",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46190",
                            "    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46150",
                            "    - fanotify: fix false positive on permission events",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45836",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45834",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-45835",
                            "    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46138",
                            "    - Bluetooth: hci_event: Fix OOB read and infinite loop in",
                            "      hci_le_create_big_complete_evt",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46111",
                            "    - Bluetooth: hci_conn: fix potential UAF in create_big_sync",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46140",
                            "    - Bluetooth: btmtk: validate WMT event SKB length before struct access",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46186",
                            "    - Bluetooth: virtio_bt: validate rx pkt_type header length",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46123",
                            "    - Bluetooth: virtio_bt: clamp rx length before skb_put",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46104",
                            "    - selinux: use sk blob accessor in socket permission helpers",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46193",
                            "    - xfrm: ah: account for ESN high bits in async callbacks",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46172",
                            "    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46116",
                            "    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46154",
                            "    - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46157",
                            "    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46109",
                            "    - usb: ulpi: fix memory leak on ulpi_register() error paths",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46146",
                            "    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46167",
                            "    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46151",
                            "    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46180",
                            "    - wifi: brcmfmac: Fix potential use-after-free issue when stopping",
                            "      watchdog task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46122",
                            "    - wifi: b43: enforce bounds check on firmware key index in b43_rx()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46125",
                            "    - wifi: mac80211: remove station if connection prep fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46166",
                            "    - wifi: mac80211: use safe list iteration in radar detect work",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46187",
                            "    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46152",
                            "    - wifi: mac80211: drop stray 'static' from fast-RX rx_result",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46163",
                            "    - wifi: b43legacy: enforce bounds check on firmware key index in RX path",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46136",
                            "    - wifi: mt76: mt7921: fix a potential clc buffer length underflow",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46173",
                            "    - exit: prevent preemption of oopsing TASK_DEAD task",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43496",
                            "    - net/sched: sch_red: Replace direct dequeue call with peek and",
                            "      qdisc_dequeue_peeked",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46113",
                            "    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46179",
                            "    - ASoC: SOF: Don't allow pointer operations on unconfigured streams",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46196",
                            "    - tracepoint: balance regfunc() on func_add() failure in",
                            "      tracepoint_add_func()",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-43497",
                            "    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46108",
                            "    - ipmi:si: Return state to normal if message allocation fails",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46128",
                            "    - ipmi: Check event message buffer response for bad data",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46177",
                            "    - ipmi: Add limits to event and receive message requests",
                            "",
                            "  * Resolute update: v7.0.7 upstream stable release (LP: #2155988) //",
                            "    CVE-2026-46149",
                            "    - scsi: target: configfs: Bound snprintf() return in",
                            "      tg_pt_gp_members_show()",
                            "",
                            "  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,",
                            "    conflicting with nouveau (LP: #2150845)",
                            "    - [Config] Disable NOVA_CORE",
                            "",
                            "  * CVE-2026-46244",
                            "    - netfilter: nft_inner: Fix IPv6 inner_thoff desync",
                            "",
                            "  * CVE-2026-46137",
                            "    - mptcp: pm: ADD_ADDR rtx: allow ID 0",
                            "    - mptcp: pm: ADD_ADDR rtx: fix potential data-race",
                            "",
                            "  * CVE-2026-46185",
                            "    - smb/client: fix out-of-bounds read in symlink_data()",
                            "",
                            "  * CVE-2026-46195",
                            "    - smb: client: validate dacloffset before building DACL pointers",
                            "",
                            "  * CVE-2026-46289",
                            "    - lib/scatterlist: fix length calculations in extract_kvec_to_sg",
                            "",
                            "  * CVE-2026-46119",
                            "    - libceph: Fix slab-out-of-bounds access in auth message processing",
                            "",
                            "  * CVE-2026-46135",
                            "    - nvmet-tcp: fix race between ICReq handling and queue teardown",
                            "",
                            "  * CVE-2026-46155",
                            "    - smb/client: fix out-of-bounds read in smb2_compound_op()",
                            "",
                            "  * CVE-2026-46115",
                            "    - block: add pgmap check to biovec_phys_mergeable",
                            "",
                            "  * CVE-2026-46243",
                            "    - smb: client: reject userspace cifs.spnego descriptions",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-28.28",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157520,
                            2154418,
                            2155837,
                            2154174,
                            2154748,
                            2156559,
                            2156556,
                            2150640,
                            2156312,
                            2155096,
                            2154715,
                            2153159,
                            2150071,
                            2154343,
                            2149770,
                            2153155,
                            2152570,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156636,
                            2156390,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156385,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2156006,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2155988,
                            2150845
                        ],
                        "author": "Mehmet Basaran <mehmet.basaran@canonical.com>",
                        "date": "Sun, 21 Jun 2026 02:37:29 +0300"
                    }
                ],
                "notes": "linux-tools-7.0.0-28-generic version '7.0.0-28.28' (source package linux version '7.0.0-28.28') was added. linux-tools-7.0.0-28-generic version '7.0.0-28.28' has the same source package name, linux, as removed package linux-headers-7.0.0-27. As such we can use the source package version of the removed package, '7.0.0-27.27', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-headers-7.0.0-27",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-7.0.0-27-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-7.0.0-27-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-main-modules-zfs-7.0.0-27-generic",
                "from_version": {
                    "source_package_name": "linux-main-signed",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-7.0.0-27-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-27",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-27-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-27.27",
                    "version": "7.0.0-27.27"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 26.04 resolute image from release image serial 20260713 to 20260717",
    "from_series": "resolute",
    "to_series": "resolute",
    "from_serial": "20260713",
    "to_serial": "20260717",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}